Cloudmark

Phishing Networks

In an environment of overloaded information people tend to congregate in locations that are easy to find [3]. Phishing networks present information efficiently. Channels often have naming conventions that connect them clearly to the phishing underground. Newcomers can easily become acquainted with the basics by joining chat rooms or forums with simple names, such as “credit cards.”

Chat Room Interconnectivity

We have uncovered viable and closely interconnected phishing networks with the following process:

Chat rooms across major Internet Relay Chat (IRC) servers were “spidered” until the hub of the phishing economy was located. The chat room, #WAMU, was discovered on a public network.

The tool, IRC Spider, was used to uncover a maximum spanning tree on the discovered channels, as depicted below.

Each node within the graph represents a single chat room and the associated number of users found within that channel. Each edge connecting two channels represents the number of users in common between two channels.

Chat Room Content

On one particular chat network, node breaking occurred constantly because of per–server chat room and namespace restrictions. Node breaking is a process that causes channel interconnectivity to be severed or significantly weakened. This results in disconnected islands of chat rooms; it becomes difficult for users to efficiently navigate through the community and engage in phishing transactions. Another chat network had network-wide channel restrictions which created more problematic namespace restrictions, making it difficult to navigate the potential phishing community. The most viable public network had an official channel services infrastructure to support enforcement and authority in registered chat rooms.

However, unregistered chat rooms are unregulated. As long as participants in the phishing economy maintain authority over unregistered chat rooms and block attempts at node breaking, they remain viable hubs in the phishing community. Smaller peripheral, and completely unregulated, networks are used and endorsed by loosely-affiliated fraud groups. Newcomers eventually discover these networks through wide area communications channels.

Personal Interconnectivity

We have attempted to analyze individual interconnectivity through consistent monitoring of user idle times and by using a modified version of the tool, PieSpy[4]. The main premise of the tool is that individual interconnectivity can be inferred by analyzing the frequency of communications between individual users, and then comparing the time gaps in communication to other individuals in a monitored group.

Botnets

Although a peripheral aspect of phishing, bots play a major role in the internet chat community. A bot is an automated chat program that can perform certain tasks autonomously and can be remotely controlled by chat participants. A botnet is, essentially, a cluster of bots running on many computers, which can be centrally controlled to carry out any task it has been programmed for— whether en masse, or individually. Botnet tasks vary, but a few common uses are: synchronizing distributed denial of service (DDoS) attacks—virus-like selfs—propagating by exploiting vulnerable computer systems, as well as the more benign task of chat room management.

The illicit nature of phishing chat rooms creates a need for an alternative means of maintaining authority and control on public servers. This is achieved using networks of bots. Their main role in internet chat is to form a mercenary authority infrastructure in otherwise unregulated chat rooms. Although botnets do not need to be composed of compromised computers, the most powerful ones typically are.

Botnets are also used for organizing massive attacks, such as flooding DDoS. These botnets usually consist of up to 10,000 compromised zombie computers. During this study, one of our own research bots was attacked on two separate occasions by another botnet comprised of over 4,000 computers and with close ties to phishing chat rooms.

Infrastructure Robustness

Scale–free networks have proved to be highly resistant to random failure6. Eighty percent of participants can be removed in a social network before the core infrastructure completely collapses. However, scale–free networks are vulnerable to attacks on hub nodes. Hub nodes are, essentially, well–known participants, and key forums within the community, which fuel the constant influx of newcomers and connect peripheral systems together.

Successful attacks on hubs sometimes trigger what are known as “Node–breaking Avalanches.” When a key hub is successfully attacked, it can cause a chain reaction that successively causes channel connectivity to be severed a few degrees away from the key hub node. Within certain chat communities, network administrators have been put measures in place to successfully block the creation of viable phishing hubs.

The strategy of eliminating hubs is unlikely to be effective because the environment allows them to be easily rebuilt. Smaller, disconnected chat room islands simply reconnect when they can reassert their authority.

Although it did not impact the phishing economy as a whole, one example where a phishing infrastructure was successfully dismantled on a single network occurred on a cluster of public chat servers collectively known as EFNET. Server administrators simply elected to prohibit users with fraud–related names from joining chat rooms.

Planning

The planning stage requires information to be collected—such as target email lists and scam page templates, and requires knowledge from consumers of phishing credentials.

Detailed information, such as target email lists and scam page templates, needs to be collected. The phisher does not need to be adept at web design, but instead, can simply obtain a scam page already designed or used. Scam pages and email templates are widely available within the community. If more advanced template techniques are preferred, skilled web designers who advertise on known fraud-related forums are available for hire.

The trade of compromised computers, also known as Roots, is a thriving economy. Computers are easily compromised through various public exploits and Trojans using security holes in network software. The security community readily provides proof-of-concept exploits that can be used to gain access to vulnerable computers, so there is a constant supply of compromised hosts. Phishers do not need the technical knowledge of how to compromise hosts; instead, they can purchase access to compromised hosts from hackers.

Setup

The next step involves ensuring that the proper scam page infrastructure exists on the compromised hosts being considered for the phishing attack.

Mapping a Process to Send Back Credentials to an Anonymous E–mail Address or a Chat Room

This step requires minimal technical expertise and consists of little more than uploading web site content, and setting up what is known as an “eggdrop,” or a simple mail script. An eggdrop bot is a scriptable automated program that connects to a chat room, allowing the user to remotely control it and issue commands. It is also the basic unit of a botnet (a centrally-controlled cluster of these chat room bots). An eggdrop bot used for the purpose of harvesting credentials from a scam page machine could be programmed to relay the collected information back to a chat room or send it to a specific user on demand.

Attack

Numerous programs have been written to handle mass mailings; there are also commercial appliances to generate mass mailings. As with the preceding steps, a phisher does not need specialized knowledge to send out emails en masse—they only need to acquire the right tool.

The primary protocol for sending email, SMTP, inherently lacks a mandatory authentication facility—as is the case with most protocols designed during the same era. Many tutorials, including the HACK FAQ, provide simple explanations on how to send forged email via a Telnet program. Although some authentication schemes now exist to counter this problem, sender authentication is not universally deployed. The Sender Policy Framework (SPF) attempts to address one aspect of sender verification issues.

A basic knowledge of HTML enables a phisher to copy the formatting and style, or look and feel, of valid emails from banking institutions.

Collection

The collection phase of phished credentials is often performed anonymously; for example, a process on the scam-page hosting machine periodically sends back phished credentials to anonymous web-based, email accounts. These accounts are then accessed via a proxy server or sent to a chat room by an eggdrop chat bot. It is also possible to place the credentials into a readable directory on a web server and to download newly harvested credentials directly from a browser pointed to the proper directory.

Cashing

This is often the end of the line for the phisher. At this point, phishers are now suppliers of credential goods. There is a limited number of credential customers. Consumers of financial institution credentials are known as Cashers. The Casher’s main role is to take the phished credentials and obtain currency directly from the associated accounts. Phishing and Cashing are distinct, and often separate, roles.

The Phishing Marketplace

The phishing marketplace is a loosely-connected group of forums where participants can trade goods, services, and money. The key goods are credentials. Credentials are valued according to the level of detail. It is currently difficult for cashers to extract monetary value from credentials based on the various anti-fraud measures each financial institution has in place.

Advertisements used in the phishing economy were collected and we observed a wide range of credential valuations—noting the relative demand for a number of specific banks. We gained some insights into the characteristics that govern credential valuation. Some examples of preventative measures in place by banking institutions, namely, security advancements in ATM card encoding, have resulted in greatly diminished demand for certain institutions.

Cashers and the Credential Trade

Cashers often play no role in obtaining the credentials from customers, but instead, purchase credentials in bulk by bartering various goods and services, or by taking a commission on the extracted funds.

Purchase rates, on a per-account basis, range from US$0.50 for supplier–selected credit card samples, up to US$100 for high-balance, verified fulls. Verified fulls consist of full cardholder information, banking and routing numbers, credit card numbers, expiration dates, the cvv2 code (the three–digit number on the back of a credit card or directly following the credit card number), current account balance, and the ATM pin. Commission rates for cashers are as high as 70% of cash outs. Commission–based cash outs are often wired over Western Union to the credential supplier. Western Union is chosen because of its international presence and relative anonymity for the pick–up party.

Following are some typical casher advertisements:

<SuperCash | #cctradez> I can cashout Washington Mutual , Key bank , Money access , HouselHold, CitizensBank, Mellon Bank, Sky Bank, BankNorth , Zip Network , Commerce Bank, PNC bank (443071) , Regions Bank , Banknorth , Bank One (478200), Capital One (517805 , 529149, 493422, 412174) PEOPLE’S BANK , Bank Of America (440893 , 549105, 550535), The Hungtington National Bank , JAPAN , MBNA (549035, 426429, 549198), Republic Bank
<ebayinfos | #WAMU> I can cashout all wamu bins, PNC, TCF, Citibank South Dakota, MBNA, Summit Visa Sweden Banknorth, Canadian Imperial Bank VSB In- ternational B.V, M& I BANK OF SOUTHERN WISCONSIN, and more bins....... your share is 60%.

What is seen here, is that the user, SuperCash, is a member of the chat room, #cctradez. They are advertising that they have the ability to cash a number of banks. Additionally, only a subset of accounts from certain banks can be cashed out. As the above advertisement shows, some bank names are followed by a number called a BIN. A BIN is a bank identification number which associates an account number with a banking institution. Some large institutions have many BINs. Casher advertisement of BINs lets potential credential sellers know that only accounts associated with these BINs can be cashed out. One reason why only certain BINs can be cashed is that banks sometimes have BINs associated with regions and each region uses a different tracking method. Another reason is that although some banks use an encryption–based tracking method, a different encryption key is associated with each BIN, and only certain keys have been successfully cracked.

Credential Supply and Demand

As expected, phishing reports and casher advertisements for specific financial institutions follow power–law distribution. But the largest institutions are not necessarily the most targeted or reported. The report rate data was collected from Fraud Watch International.

The reasons for targeting a specific institution may, partly, be due to demand for a given institution’s customer information. Information was collected about the consumers of phished credentials from various chat rooms and online forums. A graph was developed to show the relative demand of given financial institution credentials based on advertisements by the consumers phished credentials. There are some similarities in ranking between credential demand and phishing reports.

Tracking and Credential Demand

There are varying degrees of difficulty in cashing out certain credentials. For banking credentials, the preferred, though more difficult, method, is ATM fraud. In ATM fraud, the casher actually encodes the banking information (tracking) onto an ATM card and withdraws the maximum daily fund. The main difficulty with tracking is the encoding of the bank data to the ATM card. The preferred hardware used to encode information onto magnetic stripe cards is the MSR–206. Although the MSR–206 hardware most preferred by cashers can be easily obtained, each bank uses a specific encoding algorithm to translate the credentials into the encoded data written to an ATM card. The tracking algorithm may be as simple as appending the expiration date and cvv2 code along with a fixed numeric value to the end of a check card number, or as complex as encrypting the information with a secret key and then encoding the encrypted block to the card.

It is no surprise that Washington Mutual, Key Bank, and the various other institutions are at the top of phishers’ lists. The tracking algorithms for these financial institutions are easily obtained from within the phishing community, while Bank of America, a huge financial institution, is nearly off phishers’ radar because their encoding algorithm is very hard to obtain or crack. According to statements by phishers, Bank of America’s encoding algorithm may be based on Triple–DES, a strong encryption algorithm.

The rate at which a financial institution is targeted for phishing scams is affected more by the pressure of demand that cashers put on specific financial institutions and customer credentials, and less by the phisher’s ability to supply. Similarly, demand for credentials is created by a cashers’ ability to cash out on a given financial institution. Therefore, in the phishing economy, demand is directly related to the tracking security, or credential encoding algorithms, used by the targeted institution.