Yahoo! News - Few Are The Phishers
Wed Oct 20, 7:30 PM ET
A small handful of miscreants are responsible for the vast majority of phishing attacks, a message-security firm's research revealed Wednesday, giving hope to authorities going after such criminals.
CipherTrust, an Atlanta-based security vendor, analyzed the mail traffic processed through its IronMail appliance during the first two weeks of October, and discovered that just five bot networks generate virtually all the world's phishing scams.
"As we examined some five million messages, we noticed patterns," said Dmitri Alperovitch, a research engineer with CipherTrust who did the analysis. "First, the total number of IP addresses involved in phishing is about 1,000 per day, give or take a few dozen. That 1,000 is different each day, suggesting that the phishers are either purchasing the services of a bot network or acquiring ones themselves."
Those networks, also dubbed "zombies"--because the machines have been surreptitiously hijacked by earlier attacks without their users' knowledge--are puny when compared to the much larger collections of machines that spread spam, said Alperovitch. There, bot networks can run into the tens of thousands.
Alperovitch also noticed that there was a significant correlation between the machines used for phishing attacks and those used to spam more traditional junk mail. "Most of the phishing zombies, about 70 percent, are also used to send spam," he said. After examining the more plentiful spam and categorizing IP addresses by the spam message sent, Alperovitch discovered that the corresponding IPs also involved in phishing divided into several neat "clusters" of addresses. Those clusters, he said, represent the bot, or zombie, networks.
"There are never more than five clusters operating at any given time," said Alperovitch, a fact that led him to conclude that there are a very small number of people behind the phishing plague.
It comes as no surprise that the bulk of the compromised computers used by the phishers connect to the Internet via broadband cable or DSL, said Alperovitch, nor that PCs in the U.S. make up 32 percent of the pool, with South Korea in second at 16 percent. "These machines are simply fantastic for [phishing] purposes," he added.
Such numbers, of course, don't mean that a third of the phishing operators live in the United States, he said. "We really don't know who is crafting these [phishing] e-mails," Alperovitch admitted. In fact, security experts have generally pinned blame for most phishing scams on organized crime gangs in Eastern Europe and the countries which once made up the Soviet Union, such as Russia and Ukraine.
Even though tracing phishing attacks to their source is difficult, the fact that there seem to be a limited number of groups sophisticated enough to pull off such scams is giving law enforcement some hope, said Alperovitch. "We've passed along our findings to federal law enforcement agencies, and they're encouraged by the small number of operations," he said. If true, it could make the chore of nailing such criminals feasible.
The phishers also concentrate their efforts on the most lucrative targets, said Alperovitch, and are trying out efficiencies even spammers haven't gotten around to testing yet.
Nearly half of all the 60 to 200 phishing attacks per day are directed at customers of Citibank, noted Alperovitch. That's not much of a shock, since Citibank is the world's largest bank (although a proposed merger of two Japanese financial institutions would drop Citibank to No. 2).
"But unlike spam, some phishing attacks are precisely targeted," said Alperovitch. "Attacks on Lloyds TSB, one of Europe's biggest banks, have been used by scammers, but we saw no attacks spoofing this domain that were sent to non-European customers. That's a definite surprise."
October 21, 2004 at 07:40 AM in Phishing & identity theft