May 23, 2006

ThreatWatch - markets in loss, Visa's take, 419 "chairmen"

Two articles tracking hackers and looking into markets for trading stolen assets. The latter has better info:

Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using "pharming" sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common "phishing" scams, in which an e-mail that looks like it's from a bank prompts someone to hand over personal data.

Also available on TalkCash is access to hijacked home broadband computers - many of them in the United States - which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.

RSA's Einav says there are about a dozen marketplace sites like TalkCash in operation at any given time. Unfortunately, he and Gaffan suggest it's unlikely this nefarious activity will end anytime soon (though of course that's good for their business).

"When the FBI shuts down a site they just move to another site," says Einav, "The URL changes but the community stays intact."

RSA doesn't even bother trying to shut down such sites, because by monitoring them it can help banks protect themselves. Says Einav: "If you see abnormal demand for accounts from a specific bank, you can assume an exploit is underway."

That's when it goes into action. RSA Cyota claims to have shut down 10,000 phishing and other schemes since Cyota was formed in 1999. (RSA Security bought Cyota last December.) The company maintains a blacklist of sites, which partners use to warn customers.

Over on payment news:

Visa USA has posted its summary of performance data for the first quarter 2006 (PDF) detailing year over year growth rates across its various card products. Net fraud as a percentage of total volume increased from 6 to 7 basis points during the quarter.

OK, so either net fraud went up by a sixth ... or overall net fraud is so low that it's lost in the noise ... or Visa just doesn't know how to count. We could be forgiven for thinking it's so low we can all rest easy, but check out this:

Akin buys things online - laptops, BlackBerries, cameras, flat-screen TVs - using stolen credit cards and aliases. He has the loot shipped via FedEx or DHL to safe houses in Europe, where it is received by friends, then shipped on to Lagos to be sold on the black market. (He figures Americans are too smart to sell a camera on eBay to a buyer with an address in Nigeria.)

Akin's main office is an Internet cafe in the Ikeja section of Lagos. He spends up to ten hours a day there, seven days a week, huddled over one of 50 computers, working his scams.

And he's not alone: The cafe is crowded most of the time with other teenagers, like Akin, working for a "chairman" who buys the computer time and hires them to extract e-mail addresses and credit card information from the thin air of cyberspace. Akin's chairman, who is computer illiterate, gets a 60 percent cut and reserves another 20 percent to pay off law enforcement officials who come around or teachers who complain when the boys cut school. That still puts plenty of cash in Akin's pocket.

A sign at the door of the cafe reads, WE DO NOT TOLERATE SCAMS IN THIS PLACE. DO NOT USE E-MAIL EXTRACTORS OR SEND MULTIPLE MAILS OR HACK CREDIT CARDS. YOU WILL BE HANDED OVER TO THE POLICE. NO 419 ACTIVITY IN THIS CAFE. The sign is a joke; 419 activity, which refers to the section of the Nigerian law dealing with obtaining things by trickery, is a national pastime. There are no coherent laws relating to e-scams, the police are mostly computer illiterate, and penalties for financial crimes are light.

Posted by iang at May 23, 2006 12:58 PM

So what’s a market for? The demand and supply of goods that have a perceived value. In a sense these exchanges may very well be fake and have at their core an illusion to make a value appear to be more real. Since why would anyone entertain a market or the selling of a value if they could exploit themselves? The value is questionable and has the air of scandal. If I were to tell people there are drone machines on broadband and emails then I should be able to phish or scam the same machines and emails myself. The specialization and advanced economic mechanism called a market place is unwarranted and appears to be a trap. Can I buy emails for $ per million? Yes. Can I buy machines for masking my IP? Yes. Can I afford to develop a Phishing page that appears to be the same as a bank? Can I safely buy emails, machines, and Phishing pages from unknown entities? No. The oversupply of raw material for Phishing suggests that the only ones doing it now are the ill-informed that will buy from market places. The good ones are never sold to the public and are working currently. The bad ones are cast off in pieces or in whole to the market place creating a potential flow of transactions to hide the professional's trail. It would be interesting to see if the professional uses the marketplace as a means of having retail buyers' activity hide the original activity. Copycats in whole or part are useful to the professional and make it harder to capture since the static cloaks the genesis.

Posted by: Jimbo at May 23, 2006 07:44 AM

a couple years ago a study was published claiming that 70 percent of identity theft involved insiders. so in much the same way that the amateurs provide cover for the professionals ... all the attention placed on intrusion prevention and outsider countermeasures can cloak the activities of the insiders.

at some point embezzlement and things like the S&L crisis represented more of a threat to financial institutions than the guys with guns.

old post discussing the S&L crisis (among other things)

Posted by: Lynn Wheeler at May 23, 2006 07:52 PM