A day in the life of a phisher

This article originally appeared on the Windows Live Hotmail Tech Support blog.  I thought I'd repost part of it here and the rest of it tomorrow.


Phish (MSN Encarta): commit fraud to get financial information: to trick somebody into providing bank or credit-card information by sending a fraudulent e-mail purporting to be from a bank, Internet provider, etc., asking for verification of an account number or password.

A day in the life of a Phisher

Evil Ed sits in his easy chair with his laptop, watching TV. He’s doing web searches on names that he found from various Internet forums and chat rooms.  Ed has written a computer program to read these sites and gather names and email addresses. The program puts these names into a file on his computer.

Ed loves his house. Everything in it was bought and paid for by someone else. He grins as he begins the day’s work.  First, he calls a contact who is looking for email addresses.  Ed has just finished creating the list of new emails his program found that week.  His database now has over 40 million unique addresses.

After agreeing on a price for the complete list, Ed hangs up the phone and begins his real money maker: stealing people’s identities. Ed has another computer program that takes all the names it found with the email addresses and sends them through all the search engines he can find. When a search returns numbers or words like “street”, “avenue”, or a city, the program catalogs those results in a smaller file.

It’s here that the work begins. First, Ed cross-references the information he finds in Internet white pages with any public records that are available, such as deeds, death notices, or marriage licenses. When he finds connections, those people can expect to have their cell phone companies, Internet Service Providers, and any other discoverable business relationship phished.

Ed calls a dating site he found and presents himself as innocent@somedomain.com. “Here’s the address I used to sign up for an account. What are the last four digits of my credit card? Hmmm, well I know I used a few different ones during that time, I think it was a Visa®?” The agent, trying to be helpful, answers yes or no, or provides a helpful hint: “No, it was a MasterCard®.” Ed hangs up the phone.

He immediately calls back and now phishes for the last four digits of the MasterCard®. This is called social engineering and you can see where this goes.

How about the people who didn’t have any connections to accounts or other information?  Well, Ed still has the email address and the web site it was found on, as well as the email provider (e.g. Hotmail, Yahoo, Gmail, etc.). Ed now creates an email that looks exactly like it is from that provider. The email tells the user that their account is expiring, in violation, or needs more information: “Click this link now to save this account!” Each person who clicks that link and enters that information has now been caught in the phishing net.

Ed ends his day by heading out to the mailbox. It’s about 3:30 in the afternoon now. He hopes that the letter from his cousin Andy has arrived. Andy works in a refreshment booth at one of the many tourist attractions in his area. Every month, Andy mails Ed a list of credit card numbers and names that he has copied into his notebook. He gets these numbers from people paying for their food and drinks.

Ed chuckles to himself; just because the Internet Age is here, why ignore the original methods of identity theft?