web application security lab

Types of Phishers

I’ve tried to explain how this works to a few reporters: there are certain classes of phishers out there that seem to band together. Geographic dispersion is loose, as you might guess, but they roughly break down into three groups of people: the Romanians/Eastern Europeans, the Chinese/Asians, and the Nigerians/North West Africans. Each has its own ways of attacking applications and phishing.

Romanians/Eastern Europeans: They tend to be the most skilled of the bunch. They think about scalability and they run their activities like a business. They use modern exploits, and tend to come up with most of the cutting edge scams. They tend to be on the bleeding edge of new issues, and tend to tie in things like malware, pharming, and server exploits. They tend to be the ones creating the phishing kits. Like the others they have strong ties to organized crime, and have actually resorted to kidnapping and (presumed) killing of at least one government official. Due to their technical nature they are highly scalable even though there are probably fewer in numbers. They require the most hardware, and are assumed to have ties with lots of botnets.

Chinese/Asians: They tend to be copy-cats. They watch what the other groups do and mimic the same tactics, only months or years later. What they lack in innovation of exploits they make up for in volume and brute force attacks. They are relative newcomers to the world of phishing in comparison but they are growing rapidly.

Nigerians/North West Africans: They tend to have the lowest sophistication of the three groups, and primarily focus on ways of coming up with new variants of 419 scams. They tend to use people instead of automation and focus only on high-dollar scams. They are the most likely to make contact with the victim and will actually resort to strong-arm tactics if they find out where you live. Would you want this Nigerian debt collector after you?

All three groups have technical requirements, and all three groups span national boundaries. The lax laws around cybercrime and the difficulty of getting machines and operations shut down in these various countries make it particularly easy for them to operate at the moment.

9 Responses to “Types of Phishers”

  1. zmx Says:

    You greatly overestimate the Romanian hackers :)
    And this is coming from a Romanian.
    The big majority of them just know how to ./scan and ./flood

    Maybe you are referring to Russia/Ukraine

  2. RSnake Says:

    Which, believe it or not, is better than the other groups, sadly. But yes, it isn’t only Romania, that just tends to be where the greatest bulk of the activity comes from in that region. It stretches from Germany to Russia. As I said, the geographic lines are very loose.

  3. Malach H. Movet Says:

    Haven’t gotten any Romanians or Asians yet, but the Nigerians can be fun, especially since so many of them are now actually operating from the US. I especially enjoy cutting their hands off, then cauterizing them with a blowtorch. Most of them die from shock, but I’m hoping to get enough of them spreading the word to their little friends:

    *Some* of us understand that the best solution to a digital attack is an analog response.

  4. ntp Says:

    You also forgot about the US expats that bounce around Costa Rica, Belize, St Kitts, etc. They fall more into the click-fraud class of phishers (see also: blackhat SEO). This classification also happens to fit into your geographical paradigm well.

    Romania was so 2002. The Rock Phish Kit, Webattacker, Nuclear Grabber / Haxdoor, etc - that’s all Russia/Ukraine, baby. I can understand your reluctance to call them out… it’s kinda like being on a TV show where you play the guy on the jury for a trial involving the Mafia.

  5. RSnake Says:

    ntp, do you know any of those types? I’m always looking to meet more of those guys. They have some of the most interesting stories to tell. But they aren’t exactly what I’d call phishers. They are closer to spammers.

    And ya, I was reluctant to name any countries - people are always up in arms when you mention their country name for some reason. But the geographic lines are loose anyway, so it would be overly simplistic for me to call the countries out.

  6. ntp Says:

    RSnake: I’ve met some (reluctantly of course). I believe that they are tracked as phishers in the APWG reports, hence why the US and Latin America have jumped way up in the statistics.

    I think some are the smartest in the web application security field I’ve found, including OWASP, eBay, SPI, Foundstone, et al. Ok Chris Abad and Samy are smarter.

    Speaking of Samy, SecureScience likes to track these kinds of phishers - ask Lance James if you talk to him. Lance doesn’t make a particular distinction between spamming and phishing in his Syngress press titles.

    I would agree that they are closer to spammers than phishers - but since the criminals don’t use those words I don’t see why we have to. How do you distinguish spammers and phishers, and why?

    Also - the spamming/phishing/botnet markets usually have people of all types from everywhere in the world… there are mailing-lists, forums, IRC channels, blogs, RSS feeds, and all of the stuff us non-criminals use. They enjoy outsourcing opportunities in Asia and all over the place just like we do. They do work together.

    The only important difference between a criminal and a non-criminal is the “criminal mind”. If we keep treating them like animals that need to be put in cages (and other labeling, conflict creation, etc), we’ll never understand their methods or intentions.

    I do have some additional questions about the OP - which reporters were you talking to and how did you get onto this subject? Why do you mention the difficulty of take-down outside of the US?

    From what I understand, take-down is the last step in incident response… and usually not preferred. The intelligence gathering process behind a blind-drop is more valuable than shutting it down usually. When the APWG claims 2.1 days until take-down… I think they actually mean “neutralization of profitable data-gathering capabilities”, not “the evil web server was shutdown by the ISP”.

    See this article, but note that they also got things a little wrong:
    http://palisade.plynt.com/issues/2006Oct/phishing-incident-response/

  7. RSnake Says:

    I don’t talk to Lance James - at least not since I stopped being a part of MAAWG and APWG. I actually like to classify spammers and phishers separately, because their attack vectors are wildly different for the most part (with the exception of the shared function of email transport and data collection). They also happen to be different people for the most part. Spam is just a completely different issue in my mind and by clumping them together we make tracking the unique components of the issues more complex (in the same way people come up with new terms for attacks). But if it makes it easier for people to think about, they are free to think about it however they like.

    In response to your question I was talking to Larry Greenemeier at Information Week, although I’ll admit that I didn’t exactly spend a lot of time talking to him. It came up because I was trying to explain how the various versions of the attacks work, and who is creating them.

    Takedown is not the last step, but it is one of the last steps. The last steps are usually recovering which users have been compromised to an un-compromised state. I’m not sure how APWG counts days to take-down (I had assumed it was time that the site is live since that is how the Phish Report Network works). Maybe it’s different - I’ve never found that part of the report particularly useful anyway other than to show that the useful life of phishing site is not on the order of hours, but days.

  8. Types of Phishers | shloky.com Says:

    […] Ha.ckers - Interesting enough overview of how the phisher community breaks down - […]

  9. 007 Says:

    Want to understand them? It’s easy: try to survive with no money for 1 year, then try making $100.000 in one week! You’ll get the idea :D
