This white paper provides a theoretical model of the supply and demand forces that exist in the underground, creating preferred targets and driving fraudsters to aim their efforts at attacking certain financial institutions or service providers.
Phishing first gained traction in 1996 with hackers trying to steal America Online passwords from unsuspecting users. Today, it has evolved into a far more menacing criminal enterprise, with bands of fraudsters working together to create schemes that dupe unsuspecting online users into divulging personal details—most often, their online banking credentials. And while the complexity and sophistication of phishing attacks grows, even more alarming are their numbers. According to Microsoft, 31.6 million phishing scams were identified in the first half of 2007—marking an increase of more than 150 percent over the previous six months.
The popularity of phishing scams within fraudster circles is mainly driven by a low execution cost and the
fact that little technical knowledge is required to set
them up. These two elements are even more prolific
due in part to online fraudster communities and public discussion forums, also known as “the fraudster
underground,” which is accessible to almost anyone.
The activities within the underground often fuel the
volume of phishing attacks occurring on a daily basis
but can also determine the target, the type of attack,
and the tools and methods used to commit an attack.
This white paper serves to provide a theoretical model of the supply and demand forces that exist in the underground—creating preferred targets and driving fraudsters to aim their efforts at attacking certain financial institutions or service providers. We focus on phishing specifically, even though it is only one tool in the arsenal of weapons fraudsters use to obtain compromised credentials. Because the model does not deal with the actual technique, it may also be applied to other threats, such as Trojans and pharming attacks.
How the Fraudster Underground Operates
The fraudster underground is a marketplace for selling compromised credentials and the technology and services used in the commission of fraud. Much like any free market, most fraudsters who participate in it are not “jacks of all trades,” but specialize in offering specific technologies or services. For example, one fraudster may specialize in obtaining lists for sending phishing emails while another fraudster may provide access to a botnet of compromised machines that are used as proxies. This unique characteristic of the fraudster economy lowers the barriers to entry for those seeking an induction into this criminal underworld as they only have to offer expertise in one specific area and can buy or partner for the rest of what they need. A fraudster seeking to set up a phishing attack, for example, does not need the technological know-how for hacking servers. Instead, he can simply purchase root access to compromised machines from another fraudster for around $30.
Another advantage of participating in the online fraudster community is the ability to partner with other fraudsters from all over the world. This is especially useful in cases where physical presence is needed, making the geographical location of the fraudster important.
RSA White Paper
One of the most popular services offered in the underground is the cashout service. “Cashout” in fraudster terminology refers to the process of turning compromised credentials into cold hard cash. This is the point where cybercrime and real-world financial crime intersect, as the credentials obtained online are used in the real world. The cashout service usually requires a “mule”—a fraudster, or someone who works for him, operating in the targeted country—in order to be successful. For example, consider a Romanian fraudster who launches a major attack against a series of U.S. banks. His greatest chance of success will be using American-based fraudsters to cashout the credentials he obtains and receiving a share of the stolen proceeds (typically sent via Western Union or an online currency service).
Fraudster Communities
The fraudster underground utilizes two main channels for
communication—IRC chat rooms and forums. Both communication vehicles share the same essential characteristics
but also differ in significant ways.
Internet Relay Chat, or IRC, is a widely used protocol for
conducting online conversation. Chat rooms in the fraudster
underground can be compared to a bazaar of stolen goods,
with vendors repeatedly “shouting” which products and services they are offering and for what price. Much like a bazaar,
there is very little personal chatter. It’s all business—when one
is interested in purchasing a product or service, he sends a
private message to the vendor where the terms of the deal
are disclosed and the purchase is finalized.
For as much as the IRC chat rooms can be compared to a
bazaar, the fraudster forums are like a country club. Forums
are much more organized and structured than the IRC
channels, are usually populated by more influential and
experienced fraudsters, and provide more community-based
services for the well-being of their members.
A requirement of most forums is for members to adhere to just
one username in order to build their reputation. A fraudster
looking to sell goods must first undergo a rigorous review to
prove he offers quality products and services and is reliable
in order to earn the title of a “verified vendor”—a seal of
approval by the forum staff that a fraudster is legitimate (and
not a “ripper”—a fraudster known for scamming others and/or
backing out on deals). Further services are offered, such as
escrow services, to ensure that members’ deals are completed
in full. Finally, forums offer non-business related talk regarding
scene news, members and events. Tutorials for newcomers and
public assistance are also commonly found in the forums.
Due to the more organized nature of forums, they experience
considerably fewer cases of “ripping” or scamming. Some
forum members actually look down on users of the IRC
channel, calling them “IRC kiddies.”
The Fraudster’s Business Model
While each fraudster specializes in a different practice, those
that participate in the various interactions in the fraudster
underground share the following:
– Intent – Each fraudster has two main intentions—to make
as much money as possible and avoid capture. These are
the two characteristics that can be universally applied to
every individual fraudster.
– Means – Both knowledge and tools can be characterized as the means that allow a criminal to commit acts of fraud. While the means used to commit fraud may differ by the individual fraudster, they all share this common characteristic. By allowing fraudsters to communicate, share best practices and trade tools, the underground serves as a conduit that fosters the continued growth of online fraud and provides a direct impact on the means each fraudster has at his disposal to launch an attack. The underground provides fraudsters with access to the knowledge and tools needed to commit fraud and the ability to purchase or trade services for whatever he is missing.
– Target – Every fraudster has a target. A target may be as narrow as a single financial institution or as wide as “U.S. merchants.” Even fraudsters who are not involved in actual cashout activities have certain targets. For example, a fraudster that sells “dumps” may sell credentials issued by U.S., Canadian and European financial institutions. Fraudsters that sell infrastructure, such as tools, tend to have the widest targets while fraudsters that deal with cashout operations tend to have the narrowest. The specific target(s) of a fraudster may be influenced by internal factors (i.e., resources available) or external factors (i.e., the forces of supply and demand).
The Facts on Phishing, Trojans and Malware
– According to PhishTank, a unique phishing scam is launched every two minutes.
– In April 2007, RSA reported that more than half of all phishing attacks were being hosted in the U.S.
– About 80% of all phishing pages detected and tracked by Microsoft were written in English.
– Symantec reports that 22% of all items advertised for sale in the fraudster underground were bank accounts, followed by credit cards and personal information profiles.
– The U.S. hosted 58% of all fraudster underground economy servers, according to Symantec.
– Malware damages in 2006 cost businesses $13.3 billion, according to technology research firm Computer Economics.
– The latest Sophos Security Threat Report shows a web page is infected with malware every five seconds. In the first quarter of 2008, over 15,000 web pages were infected with malware; 80% of those pages were on legitimate websites.
– More than 200,000 malware variants were discovered in the second half of 2007 and infected nearly 19 million computer users, according to Microsoft.
Fraudster operations can be classified into the following three
groups:
– Infrastructure – Infrastructure providers supply the
resources necessary to commit fraud. Such infrastructure
may include proxy servers, custom-made phishing kits, bulletproof hosting (a hosting service which ignores abuse
requests), compromised servers, botnets and Trojan kits.
– Obtaining Credentials – Fraudsters who specialize in
obtaining credentials use various techniques in order to
obtain credentials from the customers of the institution
being targeted. Such techniques include setting up phishing attacks (“spammers” in fraudster terminology as they
spam the phishing letter to potential victims) and infecting
computers with keyloggers.
– Cashout – Usually operating as local gangs or in bands
of mules, these fraudsters offer to turn stolen credentials
into cash. They may target financial institutions, online
merchants or brick-and-mortar stores. In the underground,
these fraudsters are sometimes known as “cashiers.”
A “lifecycle” of fraud does not exist; in other words, the commission of fraud is not a constant series of events. In one
case, a cashier may approach a spammer looking to purchase
compromised credentials or even request the spammer attack
a certain target in order to collect credentials. On the other
hand, a spammer may contact a cashier in order to open mule
accounts at a certain financial institution. In both examples,
infrastructure providers may supply both the spammer and
the cashier with the tools necessary to commit fraud with
minimum risk and high success rates.
The Forces of Supply and Demand
The forces of supply and demand depend largely on the vulnerabilities that exist at a certain financial institution or card
issuer. For example, if a certain type of credit or debit card is
found to be easy to cashout, cashiers across the underground
would offer cashout services for that specific institution. This
would cause a surge in demand for compromised credentials
that spammers would attempt to supply. Alternatively, a target
which is considered difficult to cashout would have very little
supply and demand for compromised accounts as cashiers
prefer to target institutions that are easier to cashout.
Simply put, when a major vulnerability is uncovered at a financial
institution, the amount of “buzz” and traded goods within
the fraudster underground increases dramatically. Sometimes,
dedicated IRC chat rooms are opened bearing the name of the
institution in which the vulnerability exists. However, once the
vulnerability is fixed, activity subsides dramatically.
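The market dynamics described in this section, and the division of roles from the earlier classification (cashiers create demand for compromised credentials, spammers supply them), can be made concrete with a small simulation. The following is an added toy model written for this edition, not code from the RSA paper: the difficulty scale, the population sizes, the proportional allocation of cashiers and the rule that a known vulnerability halves the effort to cashout are all assumptions chosen for the illustration, and the three institutions are constructed.

```python
"""Toy supply-and-demand model of the fraudster underground.

Added illustration, not from the RSA paper. It encodes the paper's
qualitative claims as a small simulation: cashiers gravitate to institutions
that are easy to cashout, that creates demand for compromised credentials
that spammers try to supply, and activity surges while a cashout weakness is
known and subsides once it is fixed. Scales, population sizes and the
"vulnerability halves the effort" rule are assumptions made for the example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Institution:
    name: str
    cashout_difficulty: float   # assumed scale: 0.0 trivial to cashout, 1.0 nearly impossible
    vulnerable: bool = False    # True while a known cashout weakness is unpatched


CASHIERS = 100           # constructed: size of the cashier population in the market
CREDS_PER_CASHIER = 50   # constructed: credentials each active cashier buys per period


def attractiveness(inst: Institution) -> float:
    """How appealing a target is to cashiers.

    Assumption: attractiveness is the inverse of cashout difficulty, and a
    known, unpatched vulnerability halves the effective difficulty.
    """
    difficulty = inst.cashout_difficulty * (0.5 if inst.vulnerable else 1.0)
    return max(0.0, 1.0 - difficulty)


def allocate_cashiers(institutions: list[Institution]) -> dict[str, int]:
    """Distribute the cashier population across targets in proportion to attractiveness."""
    weights = {inst.name: attractiveness(inst) for inst in institutions}
    total = sum(weights.values())
    if total == 0:
        # Nothing is worth cashing out: no cashier offers a service for any target.
        return {name: 0 for name in weights}
    return {name: round(CASHIERS * w / total) for name, w in weights.items()}


def credential_demand(institutions: list[Institution]) -> dict[str, int]:
    """Credentials per period that spammers are asked to supply for each institution."""
    return {name: count * CREDS_PER_CASHIER
            for name, count in allocate_cashiers(institutions).items()}


def simulate(institutions, periods, target, disclose_at, patch_at):
    """Run the market for `periods` periods.

    The named target's cashout weakness becomes known in the underground at
    period `disclose_at` and is fixed at period `patch_at`; the returned list
    holds the per-period credential demand for every institution.
    """
    history = []
    for t in range(periods):
        for inst in institutions:
            if inst.name == target:
                inst.vulnerable = disclose_at <= t < patch_at
        history.append(credential_demand(institutions))
    return history


def run_example() -> list[dict[str, int]]:
    """Constructed scenario: three institutions of increasing cashout difficulty;
    BankB's weakness is disclosed in period 2 and patched in period 4."""
    banks = [Institution("BankA", 0.3),
             Institution("BankB", 0.6),
             Institution("BankC", 0.9)]
    return simulate(banks, periods=6, target="BankB", disclose_at=2, patch_at=4)


if __name__ == "__main__":
    for period, demand in enumerate(run_example()):
        print(f"period {period}: {demand}")
```

Running it shows the pattern the text describes: BankB draws a third of the cashiers and 1,650 credentials of demand per period while its cashout difficulty is unchanged, jumps to 2,350 (pulling cashiers away from BankA) in the two periods its weakness is known, and drops straight back to 1,650 once the weakness is fixed. The model is deliberately memoryless, matching the paper's observation that activity subsides as soon as the vulnerability is closed.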
Conclusion
Even though it is a criminal enterprise, the fraudster underground can draw the following comparisons to most legitimate
businesses in operation today:
– It’s all about the money. The bottom line is that no fraudster is assuming the high risk of getting caught without a
handsome reward.
– A division of roles. Just as a legitimate business has
marketing and sales, R&D, engineering and finance
departments, each fraudster assumes a specific “work”
role—whether as an infrastructure provider or a cashier.
– Performance is critical and there are rules and policies
to follow. Even fraudsters who have traditionally been
reputable are “fired” from their post within the community
by their peers if they start to go astray.
– Reputation is the key to success. Like a legitimate business that thrives on being recognized for superior customer
service, fraudsters with a demonstrated reputation are
rewarded with more business.
– The rules of supply and demand are always at work.
When demand for a particular product or service increases,
there is always a fraudster there to provide a supply.