PHISHING THE LONG LINE:
TRANSNATIONAL CYBERCRIME FROM
EASTERN EUROPE TO AUSTRALIA
Stephen James McCombie B.A. Macq., GDipComp Deakin,
MInfoTech Deakin
Ph.D. Thesis, June 2011
Thesis submitted for the degree of Doctor of Philosophy in the Department of
Computing, Faculty of Science, Macquarie University
By Stephen James McCombie B.A. Macq., GDipComp Deakin, MInfoTech Deakin,
June 2011
TABLE OF CONTENTS
List of Figures
List of Tables
Abstract
Declaration
Certificate of Originality
Acknowledgements
CHAPTER ONE: INTRODUCTION AND BACKGROUND
1.1 Thesis Aims and Scope
1.2 Thesis Structure
1.3 Background: Historical
1.4 Background: Political
1.5 Background: Technical
1.6 Background: Legal
1.7 Significance of the Problem
1.8 Overview of Problem
1.9 Cybercrime outside of Eastern Europe
1.10 Literature Review
1.11 Conclusion
CHAPTER TWO: PHISHING, INTERNET MONEY MULES AND RELATED CYBERCRIME
2.1 Introduction
2.2 Anatomy of Internet Bank Phishing
2.3 Evolution of Internet Money Mules
2.4 Profile of Internet Money Mules
2.5 Analysis of Money Flows
2.6 Conclusion
Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An Australian
Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and
Trusted Computing, IEEE Computer Society: 482-487.
CHAPTER THREE: CASE STUDIES AND ETHNOGRAPHIC FEATURES OF EASTERN EUROPEAN
CYBERCRIME
3.1 Introduction
3.2 Genesis of Phishing Attacks on Internet Banks
3.3 Alex Mozhey Update
3.4 Advantageous Environment for Cybercrime
3.5 Russia in Profile
3.6 Ukraine in Profile
3.7 Conclusion
McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th
Australian Digital Forensics Conference. Perth.
McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study. 7th
Australian Digital Forensics Conference. Perth.
CHAPTER FOUR: THE CYBERCRIME MARKETPLACE
4.1 Introduction
4.2 The Evolution of the Cybercrime Marketplace
4.3 Scope and Products
4.4 Commoditisation of Credentials
4.5 Analysis
4.6 Conclusion
Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace."
Journal of Money Laundering Control 14(1): 32-43.
CHAPTER FIVE: FORENSIC ANALYSIS OF PHISHING ARTEFACTS FOR FEATURES OF EASTERN EUROPE
5.1 Introduction
5.2 Methodology
5.3 Phishing Artefacts Useful in Grouping
5.4 Ethnographic Features
5.5 Temporal Analysis of Attacks
5.6 Conclusion
McCombie, S., P. Watters, et al. (2008). Forensic Characteristics of Phishing - Petty Theft or
Organized Crime? Fourth International Conference on Web Information Systems and Technologies.
Funchal, Madeira, Portugal. 1: pp149-157.
CHAPTER SIX: SYNTHESIS: WINNING THE WAR ON PHISHING
6.1 Introduction
6.2 The Limitation of Technical Solutions: The Latest Zeus Example (Zitmo)
6.3 A Theory of Cybercrime Operations
6.4 Eastern Europe the Engine of Cyber Warfare?
6.5 The Scale of the Involvement in Phishing and Related Cybercrime in Australia by Eastern
European Cybercrime Groups
6.6 The Weaknesses that Allow Phishing and Related Cybercrime by these Groups to Occur
6.7 The Background and Modus Operandi of EECGs
6.8 Future Research
6.9 Conclusion
McCombie, S. and J. Pieprzyk (2010). “Winning the Phishing War: A Strategy for Australia”. Second
Cybercrime and Trustworthy Computing Workshop, University of Ballarat.
REFERENCES
LIST OF FIGURES
Figure 1.1: Western Union agency in St Petersburg 2008
Figure 1.2: Commonwealth Bank’s original non-transactional Internet website in the mid 1990s
Figure 1.3: Externality mechanisms and feedback systems producing increasing return in cybercrime
related activities
Figure 1.4: Causal model showing cyber criminal underground economy
Figure 2.1: Heat map of blocked Internet transactions from Australia by Country
Figure 2.2: Mule Recruitment
Figure 2.3: Percentage break down of males and females by age groups from ABS statistics on
Internet users compared to Internet Money Mules
Figure 2.4: Heat map of blocked Internet Transactions by Country in Europe
Figure 2.5: Pie Chart of blocked Internet transactions by Country
Figure 2.6: Ethnic Russians in other parts of the Former Soviet Union
Figure 2.7: Pie Chart of blocked Internet transactions by City
Figure 2.8: St Petersburg, the North East Criminal Hub
Figure 3.1: Western Union Russian website 2010
Figure 3.2: Relationship Diagram for Phishing Incidents December 2002 to July 2003
Figure 3.3: LinkedIn Profile of Alex Mozhey 2008 and 2011
Figure 3.4: Internet Users per 100 inhabitants 2010
Figure 3.5: ICT Price Basket across Regions
Figure 4.1: Mazafaka Carders Forum
Figure 4.2: Transcript of “CC_Power” IRC Channel, on 16 June 2009
Figure 5.1: Grouping Features in Phishing Email Header including +0300 and Windows-1251
Figure 5.2: Email from Group 3 with grouping attributes highlighted
Figure 5.3: Email from Group 1 with grouping attributes highlighted
Figure 5.4: Windows Character sets from Nazario Phishing corpus 2 & 3
Figure 5.5: Windows Character Set 1251
Figure 5.6: Header from Phishing email on Bank of America 14 May 2003
Figure 5.7: Header from Phishing email on Westpac 4 July 2003
Figure 5.8: Time zones of the World
Figure 5.9: Selection from Phishing email for Commonwealth Bank 17 March 2003 showing +0300
time zone
Figure 5.10: Timing of 63 Attacks in July 2006 by AEST where available
Figure 6.1: “We are automating the payment system” Russia cyber gang promotional material
Figure 6.2: Zeus html frame inserted into Internet banking session to identify type of phone and
phone number
Figure 6.3: Zeus SMS with link to Nokia Phone compromise code
Figure 6.4: Theory of Cybercrime Operations
LIST OF TABLES
Table 2.1: Blocked Internet Transactions by Country
Table 2.2: Blocked Internet Transactions by City
Table 3.1: Gross Enrolment Ratio (GER %) for tertiary education
Table 3.2: 2007 Graduates in Science by Country >10,000
Table 3.3: 2007 Graduates in engineering, manufacturing and construction by Country >10,000
Table 3.4: Corruption Perception Index (CPI) for countries 2.4 or lower
Table 3.5: Percentage of users of services reporting they paid a bribe to receive attention from at
least one of nine different service providers in the past 12 months
Table 3.6: Countries of the former Soviet Union estimated Internet users per 100 inhabitants 2000-2009
Table 3.7: Responses to the question "In the past 3 years, how has the level of corruption in this
country changed?" for selected countries of the former Soviet Union
Table 3.8: Responses to the question "How would you assess your current government's efforts to
fight corruption?" for selected countries of the former Soviet Union
Table 4.1: Goods and services offered for sale on an underground economy IRC market
Table 5.1: Features of Group 1
Table 5.2: Features of Group 3
Table 5.3: Features of Group 4
Abstract
The purpose of this research is to examine the involvement of Eastern European cybercrime groups
(EECGs) in phishing and related cybercrime impacting Australia. Then, given those findings, explore
what can be done to reduce the problem. Research focuses on the Australian experience but in the
context of what is a global problem. This thesis is organised into six chapters.
The first chapter sets out the aims and scope of the study, and the structure of the thesis. It explains
the background to the problem from a historical, political, technical and legal perspective. It also
reviews the Phishing literature.
In the second chapter, the money laundering aspects of this crime are examined. To recover the
proceeds of the fraudulent transactions the attacker must direct the funds firstly to an Internet
money mule within Australia. The Internet money mule is then directed to wire the money overseas
using a service such as Western Union. The demographic profile of Internet money mules that are
used for this activity is explored through the examination of archival data. The data was obtained
from one Australian financial institution and related to 660 Internet money mule incidents during
2007. Additionally, data was also obtained from the High Tech Crime Operations section of the
Australian Federal Police detailing the laundering of proceeds of Phishing in Australia to overseas
locations for the period from September 2004 to October 2010. It shows a significant majority of
those transactions were directed to Russia and other states of the former Soviet Union.
In the third chapter, an ethnographic study of EECGs is conducted including a major case study of
the first Internet Bank phishing attacks in Australia in 2003. This identified a number of Ukrainians
who were instrumental in these early attacks and their methodology. These attacks were the first of
their kind globally. The chapter also examines why these countries have an environment which
favours this activity.
In the fourth chapter, the cybercrime marketplace, which supports phishing and related cybercrime
by providing a market for the various tools needed for phishing and the proceeds of that cybercrime,
is examined to further explore the modus operandi of these groups. From analysis of data from two
Internet Relay Chat (IRC) channels used for this trade, an initial methodology for further
understanding of how compromised credentials are traded in online marketplaces is developed.
In the fifth chapter, phishing artefacts are examined to establish links between attacks and any
features that might indicate the source is Eastern Europe. This research looked at data available
from one Australian financial institution for July 2006. In this work an e‐mail archive and response
records for 71 unique Phishing incidents were examined with a view to ascertain whether incidents
could be grouped by attacker. This work revealed that six identified groups accounted for all but two
of the incidents. Three of the groups accounted for 61 of the 71 incidents. In addition, an apparent
work schedule by day and time was established consistent with a European time zone.
In the sixth and final chapter, a phishing attack model of these groups is constructed, a theory of
cybercrime operations based on this work is proposed and options capable of being deployed to
disrupt the phishing attack model are identified. In particular it identifies that the money laundering
aspects of the phishing are the greatest weakness in the Phishing attack model. Methods to focus
on the activity of Internet money mules and wire transfer agents, such as Western Union, would be
more beneficial than the current reliance on technical controls.
DECLARATION
I hereby certify that the work embodied in this thesis is the result of original research. This work has
not been submitted for a higher degree to any other university or institution.
Signed: ____________________
Date: ____________________
CERTIFICATE OF ORIGINALITY
Except where otherwise indicated below or in the text herein, the work described in this thesis is
entirely my own, and has not been submitted, in any form, for a higher degree at any other
institution.
The following list summarises my particular contribution to the joint papers in this thesis.
Chapter 2:
Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An
Australian Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic
and Trusted Computing, IEEE Computer Society: 482-487.
Conception 40%, data collection 40%, analysis 40%, writing 50%
Chapter 3:
McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study.
7th Australian Digital Forensics Conference. Perth.
Conception 100%, data collection, 100%, analysis 90%, writing 90%
Chapter 4:
Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace."
Journal of Money Laundering Control 14(1): 32-43.
Conception 50%, data collection 100%, analysis 50%, writing 30%
Chapter 5:
McCombie, S., P. Watters, et al. (2008). Forensic Characteristics of Phishing - Petty Theft or
Organized Crime? Fourth International Conference on Web Information Systems and Technologies.
Funchal, Madeira, Portugal. 1: pp149-157.
Conception 90%, data collection 100%, analysis 70%, writing 60%
Chapter 6:
McCombie, S. and J. Pieprzyk (2010). “Winning the Phishing War: A Strategy for Australia”. Second
Cybercrime and Trustworthy Computing Workshop, University of Ballarat.
Conception 100%, data collection, 100%, analysis 90%, writing 90%
Signed: ____________________
Stephen James McCombie B.A. Macq., GDipComp Deakin, MInfoTech Deakin,
June 2011
I certify this to be a true and accurate statement of the originality of the work presented in this
thesis.
ACKNOWLEDGEMENTS
I would like to thank Macquarie University for the opportunity to pursue and complete this PhD. I
would also like to acknowledge the National Australia Bank for their financial support and assistance
in the research for this PhD. In addition I would like to thank Assistant Commissioner Neil Gaughan
of the Australian Federal Police and his team for their invaluable assistance. I would like to thank my
colleagues from PICT Julian Droogan and Graeme Morgan for their excellent editing skills as I was
writing my chapters and special thanks to my lifelong friend Manny Aston for his proofreading of the
finished thesis. I would like to express my thanks for the constant and unwavering support,
encouragement and guidance from my supervisor Professor Josef Pieprzyk. I would also like to
thank my former supervisor Associate Professor Paul Watters and my adjunct supervisor Dr John
Langdale for their support and inspiration. I would like to thank my wife, Kathy and my sons Daniel
and Peter for their patience and support while I pursued this “folly”. I would like to dedicate this
thesis to the memory of my parents John and Dorothy McCombie, who instilled in me a belief in the
value of knowledge, higher education and learning despite never having the opportunity to
complete their own schooling.
Figure 1.1: Western Union agency in St Petersburg 2008.
Phishing the Long Line: Transnational
Cybercrime from Eastern Europe to Australia.
Chapter One
INTRODUCTION AND BACKGROUND
CHAPTER ONE: INTRODUCTION AND BACKGROUND
1.1
Thesis Aims and Scope
This thesis examines the role that Eastern European cybercrime groups (EECGs) play in Internet bank
phishing and related cybercrime in Australia. This is achieved by examining empirical data, archival
material and significant case studies to obtain a clear picture of EECGs involvement and modus
operandi, particularly those groups that operate out of Russia and Ukraine. This thesis also
identifies options to disrupt this criminal activity and ultimately proffers a broader theoretical
understanding of cybercrime drawn from this research.
Phishing and cybercrime are certainly not a uniquely Australian problem. Indeed the cause of the
problem has little to do with Australia; rather, it is an example of how the globalisation of
cybercrime by these criminals based in Eastern Europe has changed the paradigm of crime forever. No
longer are criminal groups restricted to where they can physically operate. They can commit crimes
without ever being in a country where the crime is perpetrated or even needing an accomplice in
that country. They can also leverage the enormous efficiencies of information technology systems
and in particular the Internet in every aspect of the crime, from planning to execution. Hence,
lessons learnt in this thesis are universally applicable.
In 2003 EECGs saw Australia’s Internet banking platform, which was one of the first to allow retail
customers to transfer money via the Internet, as an attractive target (McCombie 2008). These
groups, some using skills possibly developed for information warfare but privatised after the collapse
of the Soviet Union, targeted Australia’s major banks. In fact, Australia was the first country to be
impacted by this style of attack which soon became the biggest fraud risk to banks throughout the
world (McCombie 2008). These attackers were able to use the Internet to research the victim banks,
plan the phishing attacks, execute those plans and finally facilitate laundering of the proceeds of
those attacks by transnational electronic transfer.
Cybercrime research is a relatively new domain (Lu 2007). Its appreciation involves cross-disciplinary
expertise (Broucek 2006), incorporating aspects of computer science, law, criminology, psychology,
economics and even international relations within it. Significant research has been conducted
looking at the technical manifestation of phishing (Jakobsen 2005; Dhamija 2006) and some
technical solutions in browsers, authentication mechanisms and other assurance methods by
computer science and information system scholars (Plössl 2005; Topkara 2005; Miyamoto 2005;
Susilo 2006; Florêncio 2006; Pamunuwa 2007; del Castillo 2007a; Moura 2009; Devarakonda 2010).
Some work has also looked at the human factor, modelled primarily from a victim standpoint by
psychologists and others. Other cross-disciplinary work has examined the business model of
phishing (Abad 2006; Kshetri 2009, 2010).
The thesis fills a gap in the current research by looking at the attackers. Rather than restricting its
examination to various technical attacks, it looks at a major part of the underlying cause. This will
help in developing more fundamental protections against cybercrime that will be robust and are not
immediately subject to an arms race in technology. In the cybercrime domain a defence to one
attack often spurs the attacker to find a new style of attack to defeat that defence. This is known as
a Machiavellian threat, in that it develops over time in response to defensive actions.
Some similar research has looked directly at the activities of Eastern European hackers in on-line
chat rooms and discussion groups (Holt 2009, 2010). While this work has been productive, it is
limited by an overly particularistic approach. Conclusions have been drawn from the data that
happened to be available, and hence from the particular cybercrime groups that used those chat
rooms and discussion groups, rather than from data on the most noteworthy cybercrime groups. If the
groups monitored are not particularly significant, then the results obtained are more likely to be of
limited application. In contrast, where the groups studied play a significant role in transnational
cybercrime, the results are likely to be of commensurately greater import. While limited data
availability is a common problem in research in this area, a careful choice of what to analyse can
compensate for it. The thesis has, where possible, focused on available empirical data and
important case studies, such as the first Internet banking attacks in 2003 (McCombie 2008). Thus
the analysis relates to hacker groups which are significant and informs us of the broader problem.
It is important to understand who these groups are, why they undertake these illegal activities and
how they operate. In the military context, understanding the motives and disposition of an enemy
has been the key to fighting wars (Keegan 2004) whether you are Alexander the Great or David
Petraeus. We need to fundamentally understand the motives and disposition of EECGs if we are to
successfully defend against their efforts.
The specific aims of this research are to:
Identify the scale of the involvement in Phishing and related cybercrime in Australia by
Eastern European organised cybercrime groups.
Examine the weaknesses that allow Phishing and related cybercrime by these groups to
occur.
Consider the background and modus operandi of these groups and propose a general theory
of global cybercrime.
Identify any weaknesses in that modus operandi.
Propose options to disrupt this activity.
1.2
Thesis Structure
The thesis is organised into six chapters. The first chapter sets out the aims and scope of the study,
and the structure of the thesis. It explains the background to the problem from a historical, political,
technical and legal perspective. It also reviews the Phishing literature.
In the second chapter, the money laundering aspects of this crime are examined. To recover the
proceeds of the fraudulent transactions, the attacker must direct the funds firstly to an Internet
money mule within Australia. The Internet money mule is then directed to wire the money overseas
using a service such as Western Union. The demographic profile of Internet money mules that are
used for this activity is explored through the examination of archival data. The data was obtained
from one Australian financial institution and related to 660 Internet money mule incidents during
2007. Additionally, data was also obtained from the High Tech Crime Operations section of the
Australian Federal Police, detailing the laundering of proceeds of Phishing in Australia to overseas
locations for the period from September 2004 to October 2010. It shows a majority of those
transactions were directed to Russia and other countries which were part of the former Soviet
Union.
In the third chapter, an ethnographic study of EECGs is conducted, including a major case study of
the first Internet bank phishing attacks in Australia in 2003. This identified a number of Ukrainians
who were instrumental in these early attacks and their methodology. These attacks were the first of
their kind globally. The chapter also examines why these countries have an environment which
favours this activity.
In the fourth chapter, the cybercrime marketplace, which supports phishing and related cybercrime
by providing a market for the various tools needed for phishing and the proceeds of that cybercrime,
is examined to further explore the modus operandi of these groups. From analysis of data from two
Internet Relay Chat (IRC) channels used for this trade, an initial methodology for further
understanding of how compromised credentials are traded in online marketplaces is developed.
In the fifth chapter phishing artefacts are examined to establish links between attacks and any
features, which might indicate the source is Eastern Europe. This research looked at data available
from one Australian financial institution for July 2006. In this work an e‐mail archive and response
records for 71 unique Phishing incidents were examined with a view to ascertain whether incidents
could be grouped by attacker. This work revealed that six identified groups accounted for all but two
of the incidents. Three of the groups accounted for 61 of the 71 incidents. In addition, an apparent
work schedule by day and time was established consistent with a European time zone.
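The grouping and temporal analysis described here (and in the abstract) can be illustrated on synthetic data. The following Python is an added example, not code from the thesis or from its published papers. It constructs four e-mail headers carrying the kinds of artefacts the thesis uses for grouping (the UTC offset in the Date header, the declared character set and the X-Mailer string), buckets messages whose artefacts match, and tabulates the sending hour both in the clock the sender's own header declares and in AEST, as Figure 5.10 does. The sample messages, the choice of fingerprint fields and the 08:00-18:00 "working hours" window are assumptions made for illustration.

```python
"""Group phishing e-mails by header artefacts and profile the sender's working hours.

Added example, not code from the thesis. The messages below are constructed;
only their headers matter here, because the headers carry the grouping attributes.
"""
import email
from collections import Counter, defaultdict
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample messages (not real phishing mail). Bodies are placeholders.
SAMPLE_MESSAGES = [
    # Two messages sharing one fingerprint: +0300 clock, Cyrillic charset, same mailer.
    b"From: Westpac <security@example.invalid>\r\n"
    b"Date: Mon, 3 Jul 2006 09:15:22 +0300\r\n"
    b"X-Mailer: The Bat! (v3.0)\r\n"
    b'Content-Type: text/html; charset="windows-1251"\r\n\r\n<html></html>',
    b"From: Commonwealth Bank <alert@example.invalid>\r\n"
    b"Date: Tue, 4 Jul 2006 16:40:01 +0300\r\n"
    b"X-Mailer: The Bat! (v3.0)\r\n"
    b'Content-Type: text/html; charset="windows-1251"\r\n\r\n<html></html>',
    # Same clock offset but a different charset and mailer: a second group.
    b"From: ANZ <notice@example.invalid>\r\n"
    b"Date: Wed, 5 Jul 2006 11:02:45 +0300\r\n"
    b"X-Mailer: Microsoft Outlook Express 6.00.2900.2180\r\n"
    b'Content-Type: text/html; charset="koi8-r"\r\n\r\n<html></html>',
    # A US-offset message with a Western charset and no mailer: a third group.
    b"From: Bank of America <alerts@example.invalid>\r\n"
    b"Date: Wed, 5 Jul 2006 23:30:00 -0500\r\n"
    b'Content-Type: text/html; charset="iso-8859-1"\r\n\r\n<html></html>',
]

AEST = timezone(timedelta(hours=10))  # Australian Eastern Standard Time, UTC+10


def extract_features(raw):
    """Pull the grouping attributes out of one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    sent = parsedate_to_datetime(msg["Date"])  # timezone-aware when an offset is present
    return {
        # The offset is whatever the sender's mail client wrote, e.g. '+0300'.
        # In July, +0300 is Eastern European Summer Time (Ukraine, the Baltic states).
        "tz_offset": sent.strftime("%z"),
        # Declared charset, lower-cased by the email library; None if absent.
        "charset": msg.get_content_charset() or "unknown",
        "mailer": msg.get("X-Mailer", "none"),
        "sent": sent,
    }


def group_by_fingerprint(raw_messages):
    """Bucket message indices whose (tz offset, charset, mailer) triple matches."""
    groups = defaultdict(list)
    for idx, raw in enumerate(raw_messages):
        f = extract_features(raw)
        groups[(f["tz_offset"], f["charset"], f["mailer"])].append(idx)
    return dict(groups)


def hours_in_zone(raw_messages, tz=None):
    """Histogram of sending hour. tz=None keeps each header's own declared clock;
    otherwise every timestamp is converted to tz (e.g. AEST, as the thesis plots)."""
    hours = Counter()
    for raw in raw_messages:
        sent = extract_features(raw)["sent"]
        hours[(sent if tz is None else sent.astimezone(tz)).hour] += 1
    return hours


def working_hours_share(raw_messages, start=8, end=18):
    """Fraction of messages sent between start and end o'clock in the sender's own clock.
    A high share suggests a 'day job' schedule in the zone the header declares."""
    hours = [extract_features(raw)["sent"].hour for raw in raw_messages]
    return sum(1 for h in hours if start <= h < end) / len(hours) if hours else 0.0


if __name__ == "__main__":
    for key, members in group_by_fingerprint(SAMPLE_MESSAGES).items():
        print(key, "->", members)
    print("sender-clock hours:", dict(hours_in_zone(SAMPLE_MESSAGES)))
    print("AEST hours:", dict(hours_in_zone(SAMPLE_MESSAGES, AEST)))
    print("working-hours share:", working_hours_share(SAMPLE_MESSAGES))
```

Fingerprinting on declared headers is a grouping aid, not proof of origin: the offset and charset are set by the sender's software and can be forged, so the thesis treats them as one feature among several and corroborates them with the day-and-time pattern across the whole archive.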
In the sixth and final chapter, a phishing attack model of these groups is constructed, a broader
theory of cybercrime based on this work is proposed and options capable of being deployed to
disrupt the phishing attack model are identified. In particular it identifies that the money laundering
aspects of the phishing are the greatest weakness in the Phishing attack model. Methods to focus
on the activity of Internet money mules and wire transfer agents, such as Western Union, would be
more beneficial than the current reliance on technical controls.
This thesis comprises a series of papers either published in conference proceedings (five papers), or
in a journal (one paper). The introduction to each chapter summarises the respective papers,
reviews additional relevant unpublished material, and provides the context in terms of the overall
aims of the thesis for the papers that it contains.
1.2.1 Repetition in Publications
Due to each publication requiring its own introduction and background, there is a degree of
duplication between the publications. This was unavoidable as each was designed for a separate
audience and the context of the topic needed to be set for each publication. Despite this duplication
it should be observed that even that background has changed somewhat over time and the change
is similarly reflected in the various publications.
1.3
Background: Historical
The problem of phishing and related cybercrime needs to be set in its historical context. First, the
timing of development of the Internet for commerce and in particular the arrival of Internet banking
is important. In 1994 Stanford Federal Credit Union was the first financial institution to offer
banking services over the Internet (Stanford Federal Credit Union 2011). Its association with
Stanford University (the birthplace of SUN Microsystems and Cisco) and Silicon Valley was
instrumental to this evolutionary step into Internet banking. The first Internet-only bank was
Security First Network Bank, started in October 1995 (Cronin 1998). The name proved ironic as time
went on: as will be seen, security came to lag well behind usability.
Australia’s major banks were early entrants into Internet banking in global terms. The
Commonwealth Bank had online banking even before the Internet became mainstream via
Telecom’s Viatel service in the late 1980s. The first bank in Australia to offer Internet banking was
Advance Bank in December 1995 (Nitsche 1996). Advance was later absorbed into St George Bank
in 1997. By 1997 Australia’s four biggest banks, Commonwealth, Westpac, National Australia Bank
and ANZ, had Internet Banking sites with transactional capabilities.
Figure 1.2: Commonwealth Bank’s original non-transactional Internet website in the mid 1990s (Canstar 2010)
By 2003 Australian Internet banks offered greater functionality in their Internet banking solutions,
including third party payments, well before banks in the United States and most other countries.
While the early solutions were developed with rather strict security models, using in most cases
enhanced security over just username and password, eventually the need for greater usability meant
that all a customer needed was a username and password to transact online. While “Secure Sockets
Layer” (SSL) was the standard for securing data in transit between the user and the bank, the
possibility of social engineering, or of the user’s own computer being compromised, was not then envisaged.
Deregulation of the Australian banking industry in the late 1980s and early 1990s was a key factor in
the development of phishing in Australia. Particularly important was the opening up of the ability to
perform international funds transfers with limited regulation.
In 1989 the Communist governments of Eastern Europe collapsed, followed in 1991 by the Soviet Union
itself. Out of this breakdown in state authority, organised crime groups grew in numbers and
influence. After the
early success of the market economy in Russia and Ukraine in 1999, there was a severe economic
downturn. In 2003, faced with the need to radically cut government expenditure, the Russian
Government disbanded the FAPSI (effectively Russia’s NSA) and many technical staff skilled in
information warfare were recruited by organised crime groups (Galeotti 2006).
It is within this historical context that we see the first phishing attacks in March 2003 by Eastern
Europeans on an Australian bank.
1.4
Background: Political
Cross-border law enforcement is a significant challenge for policing agencies which are typically
based on geographic jurisdictions. This is made even more difficult when the jurisdiction where the
offender is situated is less than cooperative. The Russian Federation under Vladimir Putin and more
recently Dmitry Medvedev has maintained a foreign policy with the aim to keep their neighbours
such as Ukraine and Moldova out of the European Union and NATO. This policy has severely
impacted the degree of cooperation Russia and these states share with Western law enforcement.
In effect it has created a safe haven for criminals who target the West, particularly for cybercrime.
Ultimately a fraud against a Western bank is seen as a very low priority by Russian authorities, if
seen as a crime at all (Zenz 2007).
1.5
Background: Technical
The technical nature of the World Wide Web has made copying a website a very simple exercise.
Once this is done it is simply a matter of directing Internet bank users to these copies of Internet
banks and convincing them to enter their Internet banking credentials. Then the same technologies
used in legitimate web infrastructure capture those details and are used to commit fraud. With the
growth of malware in the late 1990s and early 2000s, it became clear how quickly millions of
computers connected to the Internet could be compromised. These early efforts, such as Melissa in
1999, ILOVEYOU in 2000 and SQL Slammer in 2003, were about announcing themselves and gaining
notoriety for their writers rather than any primary profit motive. The new malware that began
appearing in 2003, however, exploited the same types of system vulnerabilities but remained hidden,
captured account credentials, and would ultimately become an even more effective phishing method.
1.6
Background: Legal
In Australia, both the common law and the legislation of the federal and state parliaments are
organised around geographical jurisdictions. The Internet and cybercrime create severe challenges for
that jurisdictionally-based legal system. What are relatively straightforward investigative activities
domestically, such as the execution of search warrants to obtain banking records, become complex and
often fruitless exercises when dealing internationally. This is compounded when countries such as
Russia and Ukraine offer little formal cooperation, even where cooperation is legally possible. These
legal challenges were recognised in the Council of Europe Convention on Cybercrime, which came into
force in 2004. It states:
Recognising the need for co-operation between States and private industry in combating
cybercrime and the need to protect legitimate interests in the use and development of
information technologies; (and) Believing that an effective fight against cybercrime requires
increased, rapid and well-functioning international co-operation in criminal matters;…
The process of ratification in Australia is still underway and the level of cooperation envisaged by the
treaty is aspirational at best.
1.7
Significance of the problem
Globally, phishing and related cybercrime is responsible for annual losses of billions of US dollars.
Gartner reported more than five million United States consumers lost money to phishing attacks in
the 12 months ending in September 2008. They have estimated the losses in the United States to
phishing were over USD$7.5 billion between September 2005 and September 2008 (Gartner 2009),
going from USD$1.2 Billion in 2003/2004 to USD$1.7 Billion in 2007/2008.
According to figures from the UK payment clearing association APACS, fraud losses to UK banks from
Internet banking fraud from 2004 to 2009 totalled £203 million, going from £12.2 Million in 2004 to
£59.7 Million in 2009 (APACS 2010). In a report for the United Kingdom’s Cabinet Office, Detica
(2011) estimated the cost of cybercrime to the UK economy at £27 Billion per annum, with online
fraud accounting for £1.4 Billion.
Australian banks do not publish figures on their losses to Internet banking fraud. However, in 2008
the Australian Bureau of Statistics estimated that 57,800 Australians had been victims of Phishing
and related crime during 2007. Galaxy Research (working on behalf of security vendor VeriSign)
estimated that one in ten Australians had lost an average of AUD$1000 to online identity theft in the
twelve months to July 2010. They estimated the total Australian losses in that period at AUD$1.286
Billion (Moses 2010).
Law enforcement agencies are well aware of the significance of the problem. Assistant
Commissioner Neil Gaughan, the head of the Australian Federal Police’s High Technology Crime
Operations, stated on the ABC’s 7.30 report in October 2010:
The amount of crime taking place in the cyber world is much … greater than what we are
seeing now in the real world based on the fact there's less chance of detection. (Australian
Broadcasting Corporation 2010)
While the losses associated with Phishing may not seem significant in global financial terms, there is
a concentration of offenders, and the profits for the individuals are considerable given the minimal
risk and effort involved in the crime. For instance, compared to criminals involved in the drug trade,
there is little investment or risk associated with the activity. The return is easily converted to cash,
which is easily laundered once it leaves Australia. There is no upfront investment for Internet
money mules as they are funded via the proceeds of the frauds. Also, many of the criminal
associations can be at a safe distance or largely anonymous, thus limiting exposure to informants
and undercover operations. In late 2009 and early 2010, agents from the Australian Federal Police
ran an undercover operation against an offender based in Russia. The agents took the role of an
Internet money mule and received over AUD$1 million from fraudulent transactions. Agents tried at
first to draw the offender into a friendly jurisdiction to make an arrest but ultimately applied to the
Russian authorities to start a prosecution. After some early optimistic signs from their Russian law
enforcement contacts, nothing more was heard (Dix 2010).
1.8 Overview of Problem
Internet bank Phishing and related cybercrime has been a recent phenomenon dating from 2003.
Phishing itself is defined by the Anti-Phishing Working Group as a form of online identity theft that
employs both social engineering and technical subterfuge to steal victims' personal identity data and
financial account credentials (APWG 2010). Related cybercrime is defined here as the various
activities that support phishing. This includes the construction of infrastructure such as botnets, the
acquisition of spam lists, research and development of content to trick users, development of
malware to capture passwords, Distributed Denial of Service (DDoS) attacks on response
organisations and the recruitment and management of Internet money mules.
1.9 Cybercrime outside of Eastern Europe
Cybercriminals are not just an Eastern European phenomenon. There are active individuals and
groups in many countries, including Australia. While Australian hackers famously compromised NASA
back in 1989, and even Wikileaks' founder Julian Assange was arrested for hacking in 1991,
cybercriminals in Australia and other Western countries are far more likely to come to the notice of
law enforcement and be arrested. As a result, much activity is at least directed from outside
Western countries.
1.9.1 Brazil
Brazil has an active hacker community (Glenny 2008) and indeed phishing of Brazilian banks has a
long history. These groups, however, do not seem to have targeted Australian institutions and seem
mainly focused on South American banks.
1.9.2 Nigeria
Nigeria is the home of the “419 scam” or advance fee fraud. It is an example of where a physical
world crime has turned cyber and in the process gained from the efficiencies and scope of
information technology and the Internet. Nigerian letters were originally physical letters mailed
using the normal postal system to people to try and trick them into sending money as a transaction
fee to release a larger amount back to them. What began as a resource-intensive process has
become, with the advent of email and spam lists, highly efficient. Australia is no stranger to this
fraud, with Queensland police investigations identifying in 2010 that a majority of Western Union
transactions from Queenslanders to Nigeria were these frauds (Hay 2010). Nigerian groups are
believed to be involved in phishing attacks on Australian banks in more recent times but figures of
money flows show that Eastern Europe gets the majority of the proceeds of phishing (See Chapter
2).
1.9.3 China
China is well known for hacker attacks and as a major source of spam. The most prominent hacking
activities are site defacements, perpetrated both manually and via malware such as Code Red in
2001, and cyber-espionage against dissident groups and sources of industrial secrets (Krekel 2009).
Despite this, there are no indications that Chinese groups have targeted Australian banks for
phishing.
1.9.4 Other
The largest group of trained hackers resides in the United States, and a number of recent convictions
involving individuals from Eastern Europe also involved United States based conspirators, as in
the RBS WorldPay case (Menn 2010a). However, the chance of detection and prosecution in the
United States is considerably higher than in most countries, because the FBI's and Secret Service's
cybercrime divisions are able in many cases to investigate the offences completely within their
own jurisdiction.
1.10 Literature Review
The literature on phishing and related cybercrime comes from a number of disciplines. Most
significantly, scholars from computer science and information systems have looked at various
technical aspects of phishing and suggested numerous technical solutions. However, some papers
from other sources have looked at human factors, economic and other non-technical aspects of the
problem.
1.10.1 Phishing Attacks
Much early work in the computing field looked at the nature of the basic attack (Jakobsen 2005;
Dhamija 2006). Other work monitored the developments in phishing over time (Ramzan 2007).
More recent work has documented various technical developments such as fast flux networks
(Passerini 2008; Holz 2008) used to host phishing sites and other phishing infrastructure. Other
recent work has focused on the specific examination of malware ("crimeware") in the wild (Holz
2008). Pharming, the poisoning of DNS for phishing, has also been examined (Karlof 2007). Jagatic
(2007) demonstrated that phishing attacks where the apparent source is known to the victim, known as
"social phishing", have a higher degree of success. An associated paper by the same authors also
illustrated some of the ethical issues in tricking research participants in order to conduct this type of
research in the first place (Jagatic 2007a).
1.10.2 Technical Phishing Countermeasures
Significant work has been done in proposing various technical techniques to counter phishing
(Jakobsen 2005; Plössl 2005; Topkara 2005; Miyamoto 2005; Susilo 2006; Florêncio 2006; Pamunuwa
2007; del Castillo 2007a; Moura 2009; Devarakonda 2010). Other research has examined a number
of these solutions and other commercial phishing countermeasures and questioned their
effectiveness (Dhamija 2006; Florêncio 2006; Moore 2007; Jackson 2007; Ludl 2007).
1.10.3 Detecting Phishing E-mails
There has been considerable research in exploring various techniques to detect phishing emails as a
component of phishing countermeasures (Chandrasekaran 2006; Chandrasekaran 2006a; del Castillo
2007; Abu-Nimeh 2007; Basnet 2008; Gansterer 2009; Dazeley 2010). This work looked at various
features which could identify phishing email from legitimate e-mail including email content,
metadata and source. While many of the techniques described had high degrees of success, none
were a complete solution for phishing emails. This is because phishing emails themselves are often
based on legitimate emails sent by financial institutions, thus subject to high levels of false positives
and false negatives.
1.10.4 Phishing Attribution
While much research has been conducted in regard to detecting whether an email is phishing or not,
less has been done to attribute those identified phishing emails to a particular group or person.
Following on from email authorship analysis research, some work has been done on attribution of
phishing by various methods. James (2005) reported that 48 distinct phishing groups were identified
by analysing the nature of the phishing emails and the phishing websites over two years.
1.10.5 Human Factors
Other computing researchers have looked at the human factor in terms of the victims (Hutchings
2009; Dhamija 2006) and Internet money mules (Florencio 2010). Research by Hutchings indicates
that potential victims who undertake high levels of routine activities relating to computer use and
internet banking use are more likely to be attacked by motivated offenders. However, other
research has found victims do not appear to have common demographic characteristics (Dhamija
2006). Research into Internet money mules found that combating them is central to reducing
phishing, as their availability is a key weakness in the Phishing attack model (Florencio 2010).
1.10.6 Significance of Phishing
While most of the research has worked on the assumption that Phishing is a significant problem,
some research has questioned that position because some estimates used to show the significance
may have some methodological issues (Herly 2008). However, this alternate argument is not
supported by the vast majority of data available.
1.10.7 Phishing and Cybercrime Economics
Some research has been conducted exploring the business model of phishing. Abad (2006) was first
to describe the economy of phishing. He explored the importance of markets that supply all the
tools and services to commit phishing attacks and launder the proceeds. Through the examination
and monitoring of keyloggers and drop zones, more was learnt about the underground economy
(Holz 2008). Kshetri (2009, 2010) outlines the externality mechanisms and feedback systems
increasing the return on cybercrime activities (see Figure 1.3). While not specifically identifying
Eastern European countries or phishing, he identified many of the features of phishing by EECGs.
Choo (2008) similarly looks at the operation of cybercrime groups correctly observing,
Extraterritoriality, the notion that the internet has no geographic boundaries, has driven the
e-commerce revolution. Unfortunately, organised crime groups operate online under the
same free market principles, while legislative and law enforcement endeavours launched
against them suffer from geographical and cultural restrictions (Choo 2008).
Detica (2011), in their report on the cost of cybercrime for the UK Cabinet Office, developed a causal model
of the cyber criminal underground economy to address the complexity of cybercrime (see Figure
1.4), which similarly identified many of the features of phishing by EECGs. Kshetri (2010a) also
outlines the structure of cybercrime in developing economies, among which he includes Russia, Ukraine,
Poland and Romania, recognising that the nature of developing nations creates a favourable
environment for cybercrime. He also cites a number of sources (mostly anti-virus vendors) who use
various methodologies to identify significant countries in terms of cybercrime, in which both Ukraine
and Russia are listed.
Figure 1.3: Externality mechanisms and feedback systems producing increasing return in cybercrime related activities
(Kshetri 2009).
Figure 1.4: Causal model showing cyber criminal underground economy (Detica 2011).
1.10.8 Attacker Profiling
Other work has looked at attacker behaviour (Birk 2007; Carr 2010). One approach was to examine
online forums where hackers meet. There, a degree of profiling of participants was conducted (Holt
2009, 2010). The majority of those examined were from Russia, in particular Moscow and to a lesser
extent St Petersburg. While the conclusions of this work are limited, because it assumes that the
forums studied are representative of the broader cybercrime problem, it is still
instructive in understanding the profile of those involved in some of the attacks on Western banks.
Identified groups are well connected, and particularly "threatening hackers" are densely connected.
The demographic features of the hackers were that they were mostly male (nearly 99%), primarily
from, as stated, Russia (52%) but also with significant numbers from Ukraine (6.6%, the second
highest identified location). The great majority (70%) were considered low risk (Holt 2009, 2010).
1.10.9 Phishing in the Context of Russian Organised Crime
Other research focused on Russian organised crime makes mention of cybercrime and even phishing,
but often with limited specifics (Zenz 2007, 2008; Carr 2010). Galeotti (2006, 2009) has made the
link between Russian organised crime and phishing in a number of articles for Jane's Intelligence
Review. Menn (2010), in his book Fatal System Error, a case study of DDoS blackmail of gambling
websites by various Eastern European gangs, indicates that groups moved on to carding and phishing
when that blackmailing activity became less profitable in the mid 2000s.
1.11 Conclusion
This chapter has set out the aims and scope of the study, and the structure of the thesis. The
background of the problem has been explained from a historical, political, technical and legal
perspective. An overview of the problem has been provided and cybercriminals outside of Eastern
Europe also surveyed. Finally this chapter has reviewed the major literature on phishing. The next
chapter considers the role of money laundering in phishing, Internet money mules, and examines
new data showing the significance of Eastern Europe as the destination of the outgoing proceeds of
phishing attacks.
Figure 2.1: Heat map of blocked Western Union transactions from Australia by Country (October 2004 to December 2005,
October 2006 to March 2007 and January 2009 to November 2010)
CHAPTER TWO: PHISHING, INTERNET MONEY MULES AND RELATED
CYBERCRIME
2.1 Introduction
This chapter looks at the phenomenon of Internet money mules and the important role they take
within the Phishing attack model. It also looks at the broader money laundering aspects of Phishing
and examines new data showing the international destinations of transactions relating to the
proceeds of Phishing attacks on Australian banks.
Phishing is a crime which, while very much based in modern information technology, relies for its
ultimate success on a more established crime: money laundering. Money laundering is the key to the
success of any phishing attack, and without it the attackers realise no benefit. It is widely accepted
that there are three stages in money laundering: placement, layering and integration. Placement is
where the proceeds of crime are placed within the financial system. Layering is where those
proceeds are separated from their source by layers of transactions, which disguise the ownership of
the funds and make them more difficult to trace. Integration is where the proceeds of crime re-enter
the financial system as apparently legitimate funds (Deitz 2006).
Russian organised crime in particular has a history of successful money laundering activities,
particularly since the 1990s. The US Government estimated that from 1992 till the late 1990s more
than $80 Billion in US currency, the proceeds of crimes committed by the US arm of Russian
organised crime, was expatriated using a regular Delta Airlines flight from New York to Moscow
(Friedman 2000).
2.2 Anatomy of Internet Bank Phishing
Phishing and related cybercrime may have changed significantly in their technical nature since 2003,
but the underlying anatomy has barely changed. While the exact method of compromise has varied,
once the compromise has occurred the subsequent steps have been consistent. Once the attacker
has the user's credentials and can transact on their account, they will move the money to a third
party, known as an Internet money mule, who holds an account in the country where the fraud
occurs and receives a fee for handling the transaction. This step can be automated rather than
manual, as with the banking Trojan Zeus, but essentially the process remains the same. The Internet
money mule is then managed by what is referred to as an "executive" (Menn 2010), who will contact
them once the money is deposited into their account and get them to draw it out in cash and then
wire it overseas via Western Union or Moneygram with minimal delay. This method breaks the
transaction up, so tracing by the bank ends, or at least is delayed, at the Internet money mule. If
the phishers were to use a normal bank-to-bank transfer, the transaction could be easily identified
and may well be stopped or recovered by the investigating bank. Once wired (as often as not to
Eastern European locations, as this research indicates), the money is picked up in local currency by
what can be called "local money mules". These individuals pick up the proceeds from Western
Union in cash. In Eastern Europe, carrying cash for others is a very normal business. The proceeds
of the crime ultimately end up in the hands of the phishing organisers, either directly or by a system
of factoring where the value of the fraud is sold on the cybercrime marketplace (see Chapter 4).
With the Internet banking fraud now complete, the Internet bank involved easily identifies the
Internet money mule and recovers the 8-10% fee that the Internet money mule was to keep as their
payment. The mule may then be subject to prosecution if it can be proven that they laundered the
proceeds of crime, but this generally requires them to have the requisite guilty knowledge or at least
to have been reckless as to the fact. However, the Internet money mule is merely a dupe and is expendable as
long as the phishing organisers can recruit new Internet money mules, and so their prosecution is of
little consequence to the organisers.
In terms of the steps in money laundering, described above, placement is where the funds are
moved from the victim’s account to the Internet money mule’s account. Layering then occurs when
the mule withdraws the money in cash and then wires it via Western Union or Moneygram. At this
point we do not really see integration but presumably after the money is withdrawn from Western
Union outside of Australia it is ultimately returned to the financial system.
2.3 Evolution of Internet Money Mules
The use of Internet money mules was developed to assist cybercrime groups to repatriate their
funds from countries where they had no physical presence. Their genesis can be traced to 2003
when Internet bank phishing started (McCombie 2008). A few early phishing attacks were able to
use International funds transfer functionality, such as Westpac’s system in 2003, within Internet
banking sites to send funds directly to Eastern Europe but banks quickly closed down this channel or
manually monitored each and every transaction (see Chapter 3). Internet money mules themselves
are recruited by email, web and instant messaging to what, on the face of it, is a legitimate job as an
agent of some sort who is needed to be able to receive payments into a bank account either existing
or created for the purpose of the “job”. Figure 2.2 below from the Australian Federal Police explains
the process of recruitment.
Figure 2.2: Mule Recruitment (Australian Federal Police 2008)
2.4 Profile of Internet Money Mules
To better understand phishing and related cybercrime, a detailed examination of the profile of
Internet money mules was conducted. For the year 2007, 886 individual cases of Internet money
mules identified from one Australian financial institution were examined. Each case involved an
Internet money mule receiving fraudulent funds from the proceeds of phishing into their bank
account. This research used data gathered by bank investigators in the process of investigating
those frauds and, as such, the data is largely reliable. In each case the age, sex and postcode of
each Internet money mule were given. Other details were withheld to protect the privacy of the
individuals. In addition, whether the case was a second or subsequent case involving the same mule
was established. In many of these repeat cases the Internet money mule may well be aware what
they were doing is not a legitimate job as they have typically already been contacted by bank
investigators or law enforcement and informed of the nature of the scam. This profiling, described
in detail in section 2.7, indicated males were vastly over represented when compared to Australian
Bureau of Statistics (ABS) figures of Internet users. In particular, males in the 25-34 age group were
significantly greater in percentage terms in the population of Internet money mules than as Internet
users (as Figure 2.3 shows).
Figure 2.3: Percentage breakdown of males and females by age groups from ABS statistics on Internet users compared to
Internet Money Mules
2.5 Analysis of Money Flows
2.5.1 The Joint Banking and Finance Sector Investigation Team (JBFSIT) and Transaction Blocking
In July 2003 the Australian Federal Police in conjunction with the state police forces established the
Australian High Tech Crime Centre (Australian Federal Police 2010). One of the first challenges they
faced was Internet bank phishing with the first attacks on Australian banks in March, April and July
2003. The first director of the AHTCC, Alastair McGibbon, working with the banks came up with an
original approach to deal with phishing. A specialised team was established using staff seconded
from a number of the victim banks along with police investigators. It was called the Joint Banking
and Finance Sector Investigation Team (JBFSIT). This team's single focus was to deal with phishing
against Australian financial institutions. By 2004 it was working with victim banks to block
fraudulent transfers via Western Union and Moneygram. Typically an Internet fraud would be
committed and an Australian Internet money mule would be identified, either by the victim bank or
by JBFSIT investigators. Given the speed of the transaction, those funds would typically have already been
transferred to another country and the money gone. Investigators would then identify the
international recipient. Police would then contact Western Union or Moneygram to block any
subsequent transactions to that identified recipient. Thus subsequent transfers to those recipients
would be blocked and they would no longer remain useful to launder proceeds of phishing. Data
detailing each time such a block occurred by JBFSIT has been obtained by researchers including the
transaction date, the country and in a majority of cases the city. This data provided to researchers
covers the periods October 2004 to December 2005, October 2006 to March 2007 (no city data) and
January 2009 to November 2010. In total, 1416 transactions were blocked and details recorded.
2.5.2 Analysis
The data was broken down by timing, destination country and in many cases destination city. It is
therefore a highly useful indicator of where the proceeds of this crime end up. There is a possibility
that the country a transfer is sent to is not its final destination and the proceeds are further laundered from
there. However, it remains self-evident that if a significant portion goes to Eastern Europe in the
first instance, the groups responsible for this part of the process have a strong nexus to that part of the
world.
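The tabulation behind Tables 2.1 and 2.2 (counts per destination country and city, share of the total, rate per million of population, and the breakdown by reporting period) is simple to reproduce over records of the kind JBFSIT supplied. The following Python script is an added example and is not part of the thesis or of the JBFSIT data set: the blocked-transfer records in it are constructed, and the population figures are rough values assumed for the example rather than the CIA Factbook or citypopulation.de figures used in the tables. It also computes the former-Soviet-Union share discussed under "By Country".

```python
"""Aggregate blocked money-transfer records by destination.

Added example for this chapter's money-flow analysis. The records and the
population figures below are constructed for illustration; they are not the
JBFSIT data set or the population sources cited under Tables 2.1 and 2.2.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (date blocked, destination country, destination city).
# City is None where, as in the 2006-2007 window of the real data, no city was recorded.
SAMPLE_RECORDS = [
    (date(2004, 11, 3), "Russia", "Saint Petersburg"),
    (date(2005, 2, 14), "Russia", "Saint Petersburg"),
    (date(2005, 6, 21), "Latvia", "Riga"),
    (date(2005, 9, 9), "Ukraine", "Mykolayiv"),
    (date(2006, 12, 1), "United Kingdom", None),
    (date(2009, 3, 17), "Russia", "Saint Petersburg"),
    (date(2009, 8, 30), "Tajikistan", "Dushanbe"),
    (date(2010, 1, 12), "Russia", "Moscow"),
    (date(2010, 4, 5), "Nigeria", "Lagos"),
    (date(2010, 7, 22), "Russia", "Saint Petersburg"),
    (date(2010, 10, 10), "Ukraine", "Kiev"),
    (date(2010, 11, 2), "Tajikistan", "Dushanbe"),
]

# Assumed populations in millions (rough 2010 values chosen for the example only).
COUNTRY_POP_M = {"Russia": 139.4, "Ukraine": 45.4, "Tajikistan": 7.5,
                 "Latvia": 2.2, "United Kingdom": 62.3, "Nigeria": 152.2}
CITY_POP_M = {"Saint Petersburg": 4.6, "Dushanbe": 0.7, "Riga": 0.7,
              "Mykolayiv": 0.5, "Moscow": 10.5, "Lagos": 9.5, "Kiev": 2.7}

# The fifteen former Soviet republics, for the chapter's "former Soviet Union" share.
FORMER_SOVIET_UNION = {
    "Russia", "Ukraine", "Belarus", "Moldova", "Latvia", "Lithuania", "Estonia",
    "Georgia", "Armenia", "Azerbaijan", "Kazakhstan", "Uzbekistan",
    "Turkmenistan", "Kyrgyzstan", "Tajikistan",
}


def period_of(d):
    """Bucket a date the way Table 2.1 does: 2004, 2005, 2006-2008, then single years."""
    if 2006 <= d.year <= 2008:
        return "2006-2008"
    return str(d.year)


def tabulate(records, key_index, populations):
    """Count records per destination (country or city) with share of the total and
    rate per million population, sorted by count then name as in Tables 2.1/2.2.
    Records with no value at key_index (e.g. no city recorded) are left out."""
    counts = Counter(r[key_index] for r in records if r[key_index] is not None)
    total = sum(counts.values())
    rows = []
    for name, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        pop = populations.get(name)
        rows.append({
            "name": name,
            "count": n,
            "share_pct": round(100.0 * n / total, 2),
            "per_million": round(n / pop, 4) if pop else None,
        })
    return rows


def by_country(records, populations=COUNTRY_POP_M):
    return tabulate(records, 1, populations)


def by_city(records, populations=CITY_POP_M):
    return tabulate(records, 2, populations)


def by_period_and_country(records):
    """Cross-tabulate destination country against reporting period."""
    table = defaultdict(Counter)
    for d, country, _ in records:
        table[period_of(d)][country] += 1
    return {period: dict(c) for period, c in sorted(table.items())}


def share_of(records, countries):
    """Percentage of all records whose destination country is in `countries`."""
    hits = sum(1 for _, c, _ in records if c in countries)
    return round(100.0 * hits / len(records), 2)


def top_per_million(rows):
    """Re-rank a tabulation by rate per million, dropping rows without a population."""
    return sorted((r for r in rows if r["per_million"] is not None),
                  key=lambda r: -r["per_million"])


if __name__ == "__main__":
    for row in by_country(SAMPLE_RECORDS):
        print(f"{row['name']:<16}{row['count']:>4}{row['share_pct']:>8}%"
              f"{row['per_million']:>9}")
    print("Former Soviet Union share:", share_of(SAMPLE_RECORDS, FORMER_SOVIET_UNION), "%")
    print("Top per million:", top_per_million(by_country(SAMPLE_RECORDS))[0]["name"])
    print(by_period_and_country(SAMPLE_RECORDS))
```

The per-million ranking is what makes small countries such as Latvia and Estonia stand out despite low raw counts, as the chapter observes; on raw counts alone they sit well down the list. Rows without a population figure are excluded from that ranking rather than silently scored as zero.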
2.5.2.1 By Country
Analysis of the data by country clearly indicates the prominence of Eastern Europe as the destination
of transactions, particularly Russia. If the data is analysed by year, it is evident that Russia has
consistently been the highest recipient country, with a total of 607 transactions accounting for
42.87% of the total. Ukraine takes overall second place with 139 transactions accounting for 9.82%
of the total, but its significance has varied over time. Third place is Nigeria with 121, accounting for
8.55%; it is known for "419 scams" or "Nigerian letters" but is also a source of some phishing. It has
become more significant recently, ranking second in 2010. Fourth place is the United Kingdom with
86, accounting for 6.07%, and coming in second for the period 2006-2008. The next three places are
taken by countries which were all part of the former Soviet Union: Tajikistan, Latvia and Estonia.
Figure 2.6 shows the ethnic Russians in other parts of the former Soviet Union (CIA 1994). These
three countries have significant Russian ethnic populations. While these three countries are well
down the list, if the figures are looked at relative to population they are the three most
significant, with Estonia having 31 transactions per million of population, in contrast to Nigeria
with only 0.8 transactions per million of population. Russian organised crime groups such as
Tambovskaya (Tambov) in the 1990s expanded into the Baltic and northern Europe, establishing
operations in Estonia, Latvia and Lithuania. Latvia has been identified as a base for Russian phishing by
St Petersburg organised crime groups such as Tambov (Galeotti 2005). Those
countries which were parts of the former Soviet Union together represent some 66%, or 791, of the
total. The data shows a clear nexus to that part of the world, which has remained consistent from
2004 to 2010.
Table 2.1: Blocked Internet Transactions by Country (October 2004 to December 2005, October 2006 to March 2007 and
January 2009 to November 2010)

Country                    2004   2005   2006-2008   2009   2010   Total   Transactions per capita (1 million)*   Percentage
Russia                       35     71         104    121    276     607                              4.35468       42.87%
Ukraine                      18     32          14     67      8     139                              3.06062        9.82%
Nigeria                       -      1          10     65     45     121                              0.79492        8.55%
United Kingdom                2     13          24     19     28      86                              1.37934        6.07%
Tajikistan                    -      -           -     55     25      80                             10.68449        5.65%
Latvia                       16     27          15      -      -      58                             26.15005        4.10%
Estonia                      14     19           7      -      -      40                             30.97965        2.82%
Poland                        -      2           8     14     16      40                              1.03994        2.82%
Singapore                     2     20           -      -      -      22                              4.67979        1.55%
South Africa                  -      -           -     10     11      21                              0.42762        1.48%
Germany                       6     13           -      -      1      20                              0.24306        1.41%
Czech Republic                6      7           2      1      3      19                              1.86243        1.34%
Philippines                   -      -          17      -      -      17                              0.17017        1.20%
Malaysia                      -      2           1      4      8      15                              0.53051        1.06%
Moldova                       -      -           7      7      -      14                              3.24263        0.99%
Israel                        -     13           -      -      -      13                              1.76775        0.92%
United States of America      1      3           2      6      1      13                              0.04190        0.92%
Other (fewer than 10 each)   13     27           8     16     27      91                                    -        6.43%
Totals                      113    250         219    385    449    1416                                          100.00%

*Population source: CIA Factbook July 2010 estimate
Figure 2.4: Heat map of Blocked Internet Transactions by Country in Europe (October 2004 to December 2005, October
2006 to March 2007 and January 2009 to November 2010)
Figure 2.5: Pie Chart of Blocked Western Union transactions by Country (October 2004 to December 2005, October 2006 to
March 2007 and January 2009 to November 2010)
2.5.2.2 By City
For the periods in 2004, 2005, 2009 and 2010 the city associated with the transaction was also
recorded (911 of the 1196 for these periods) and this provided even greater context to the
transaction. The prominence of some cities over others, such as St Petersburg over Moscow, in the
Russian figures is of particular interest given other research about the St Petersburg organised crime
group Tambov and their activities centred on that city (McCombie 2009; Galeotti 2009).
Figure 2.6: Ethnic Russians in other parts of the Former Soviet Union (CIA 1994)
Table 2.2: Blocked Internet Transactions by City (October 2004 to December 2005 and January 2009 to November 2010)

City                        2004-2005   2009-2010   Total   Percentage of Total   Transactions per capita (1 million)*
Saint Petersburg                   57         319     376                41.27%                                81.73
Dushanbe                            0          61      61                 6.70%                                87.74
Lagos                               0          54      54                 5.93%                                 5.68
London                              3          36      39                 4.28%                                 5.12
Riga                               30           0      30                 3.29%                                42.47
Kiev                                7          22      29                 3.18%                                16.84
Warsaw                              1          21      22                 2.41%                                12.81
Mykolayiv                          15           7      22                 2.41%                                18.49
Moscow                             10           4      14                 1.54%                                 1.33
Novosibirsk                         0          11      11                 1.21%                                 7.81
Odessa                              0          10      10                 1.10%                                 4.18
Pretoria                            0          10      10                 1.10%                                 9.05
Tallinn                            10           0      10                 1.10%                                25.09
Other (fewer than 10 each)                            223                24.48%
Total                                                 911               100.00%

*Population source: http://www.citypopulation.de and United Nations Population Division,
Department of Economic and Social Affairs
Figure 2.7: Blocked Internet transactions by City (October 2004 to December 2005 and January 2009 to November 2010)
2.5.3 Selected City Profiles
2.5.3.1 St Petersburg
St Petersburg accounted for 376, or 41%, of the total transactions where data for the city was
available. This was the highest by a factor of six and second highest per capita, with 81 transactions
per million of population. St Petersburg is known as a hub for criminal activity.
In reference to St Petersburg, the Europol 2009 EU Organised Crime Threat Assessment stated:
St Petersburg is an important logistical nexus, feeding the North East (Organised Crime)
hub. It amasses various (illegal) commodities, which are then re-directed to the Russian,
Nordic, Baltic and Western European markets. (Europol 2009)
Figure 2.8: St Petersburg, the North East Criminal Hub (Europol 2009)
St Petersburg is a power base of the well connected Tambov gang (see Chapter 3). St Petersburg is
Russia's former Tsarist capital on the Baltic, a major tourist attraction and Vladimir Putin's former
home and the location of his early days in local politics. Galeotti, in a recent article in Jane's Intelligence
Review, noted in regard to Tambov and St Petersburg:
[Tambov's] deep penetration of the St Petersburg, and therefore Russian, economy has
helped ensure the Tambov network also has the means and opportunity to engage in a
wide range of financial crimes. … the Tambovskaya may be looking to expand its money-laundering operations, which could also make it the major provider of these services in
Russia. (Galeotti 2009)
In contrast, Moscow, the largest city in Russia and its capital, only represents 14 transactions, or
fewer than 2% of the total. This further demonstrates the significance of St Petersburg as a major
hub for this money laundering activity in Russia, and indeed globally.
2.5.3.2 Dushanbe
Dushanbe is the capital of Tajikistan and accounts for 61, or 7%, of the transactions. It was also the
highest per capita, with 87 transactions per million of population. It only appears in the figures for
2009-2010, so its importance would appear to be a more recent phenomenon, and it may have
replaced other States of the former Soviet Union that are now members of the European Union
and/or NATO and thus less attractive due to their links with Western law enforcement.
2.5.3.3 Kiev
Kiev is Ukraine's largest city and capital. It accounts for 29, or 3%, of the transactions, and per capita
it has 16 transactions per million of population. Its population belongs primarily to the Russian-speaking
minority.
2.5.3.4 Odessa
Odessa, one of Ukraine's largest cities and its main Black Sea port, accounts for 10, or 1%, of the transactions and four
transactions per million of population. Its population belongs to the primarily Russian-speaking
minority. It is also the registered address of Alexander Mozhey and other Ukrainians who were
involved in the first phishing attacks on Australia in 2003 (see Chapter 3).
2.5.3.5 Mykolayiv
Mykolayiv is a smaller city in Ukraine near Odessa, with 22 transactions, or 2% of the total, and
18 transactions per million of population. During
the late 1990s, Mykolayiv was considered Ukraine's hard-drug capital (Evans 2007). Mykolayiv is
in the primarily Russian-speaking southern part of Ukraine.
2.5.3.6 Riga
Riga is the capital of Latvia, with 30, or 3.29%, of the total transactions, and was third highest per
capita with 42 transactions per million of population. Latvia has a large ethnic Russian population
and has the influence of Russian organised crime groups as described above (Galeotti 2005). It only
appears in the figures from 2004-2005 so seems to no longer be used as a drop-off point for these
transactions. One potential cause may be that, after joining the European Union and NATO in 2004,
transactions have been brought under closer surveillance by local authorities working co-operatively
with Western law enforcement.
2.6 Conclusion
This chapter has looked at the phenomenon of Internet money mules and the important role they
take within the phishing attack model. It examined the broader money laundering aspects of
phishing and analysed new data showing that the destination of transactions relating to the proceeds
of phishing attacks within Australia has a strong link to Russia, Ukraine and Eastern Europe. The
prominence of Eastern Europe in these transactions is clear and consistent. The prominence of St
Petersburg in particular is of note given its links to Tambov and money laundering. In the next
chapter, we will look in detail at those first Internet bank phishing attacks in 2003, what we can learn
about their source and the methodology of the attackers, and how this changed the crime paradigm.
We will also look at what makes Eastern Europe particularly suited to this activity. These factors
include an organised crime tradition, high education levels, a high corruption perception and a large
Internet-connected community.
2.7
References
Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An Australian
Perspective. Proceedings of the 2009 Symposia and Workshops on Ubiquitous, Autonomic and
Trusted Computing, IEEE Computer Society: 482-487
Symposia and Workshops on Ubiquitous, Autonomic and Trusted Computing
A Preliminary Profiling of Internet Money Mules: An Australian Perspective
Manny Aston, Stephen McCombie, Ben Reardon, Paul Watters
Cybercrime Research Lab, Macquarie University
[email protected], [email protected], [email protected], [email protected]
978-0-7695-3737-5/09 $25.00 © 2009 IEEE, DOI 10.1109/UIC-ATC.2009.63
Abstract
Along with the massive growth in Internet commerce over the last ten years there has been a corresponding boom in Internet related crime, or cybercrime. According to research recently released by the Australian Bureau of Statistics, in 2006 57,000 Australians aged 15 years and over fell victim to phishing and related Internet scams. Of all the victims of cybercrime, only one group is potentially subject to criminal prosecution: ‘Internet money mules’ – those who, either knowingly or unknowingly, launder money. This paper examines the demographic profile – specifically age, gender and postcode – related to 660 confirmed money mule incidents recorded during the calendar year 2007 for a major Australian financial institution. This data is compared to ABS statistics of Internet usage in 2006. There is clear evidence of a strong gender bias towards males, particularly in the older age group. This is directly relevant when considering education and training programs for both corporations and the community on the issues surrounding Internet money mule scams, and in ultimately understanding the problem of Internet banking fraud.
1. Introduction
With the massive growth in Internet commerce in the last ten years there has been a corresponding boom in Internet crime. Criminals are using the borderless Internet to reach far from their home countries. Since 2003 a large portion of this crime has been fraud against Internet banks and their customers. Criminals compromise users’ credentials for various Internet Banks, capturing them either by getting the user to visit a fake banking site, called a Phishing site, or by using malicious computer code (called a Trojan or crimeware) placed on the victim’s machine to capture those details when the victim goes to the real banking website [8]. The criminals then use these credentials to log onto the victims’ accounts and illegally withdraw funds.
While the criminals can easily access Internet Banks and perform transactions from the other side of the world, they cannot necessarily get the money into their own hands so easily. Some early Internet fraud used the Overseas Telegraphic Transfer (OTT) functionality of some Internet Banks to repatriate the fraudulently obtained funds directly to other countries. However, the Internet Banks with this facility quickly began to limit this functionality or to tightly scrutinize any transactions that did occur, looking for suspicious recipients and the countries being used by criminals to receive funds. This created a problem for the criminals: how to get the money out of the victims’ country.
Out of this problem the “Internet money mule” was born. One of the earliest known cases was in Australia. On Monday 17 March 2003 an email was sent out purporting to be from “admins at Commonwealth Bank”, directing customers to a Florida-hosted copy of the Commonwealth Bank of Australia website, what is now known as a phishing site. A number of customers gave up their credentials to the website. Shortly after, the credentials were used to transfer money to the account of a Tasmanian man who had been recruited on a Croatian Community website to receive the money and then transfer it to Eastern Europe. The Australian Federal Police subsequently arrested this man when he tried to draw some of the fraudulently obtained funds out of his own account. The man escaped prosecution at the time as he claimed he was unaware that the moneys were illegally obtained [7].
When the Internet fraud is investigated the Internet money mules are generally easily identified, and any fraudulently obtained funds that may have been kept as the “commission” fee are recovered. It does not matter whether the Internet money mule is fully aware of the crime being committed or ultimately is just an innocent agent, as they rarely benefit from the crime. The criminals that recruit them do not care, as the mules have served their purpose and pose no threat to the criminal enterprise. Thus in most cases the Internet money mules are expendable dupes for overseas criminals.
There is little meaningful data to show the extent of the problem of Internet money mules in Australia. A recent data source in regard to fraud more generally in Australia is the Australian Bureau of Statistics (ABS) Personal Fraud Survey [2], conducted throughout Australia during July to December 2007. According to the survey a total of 806,000 Australians aged 15 years and over were victims of at least one incident of personal fraud in the 12 months prior to interview. This equated to a victimisation rate for personal fraud of 5% of the population aged 15 years and over. There were 453,100 victims who lost money in the 12 months prior to interview, incurring a combined financial loss of almost one billion dollars ($977 million). Of the victims who lost money to personal frauds, the median financial loss was $450 per person, while the mean loss was $2,156 per person.
While no other demographic research is available for incidences of Internet money mules, there is data relating to fraud offenders more generally. In 2007 the international tax and audit consultancy KPMG selected 360 cases of white collar fraud against the company, identified by its own forensic division, for analysis. Their findings were published in the “Profile of a Fraudster Survey 2007” [6]. The survey concluded that in the corporate world 70 per cent of white collar crimes are committed by people between 36 and 55 years; over 80 per cent of fraudsters are male; and members of senior management, including board members, represent 60 per cent of all fraudsters. While Internet money mules are not necessarily fraudsters per se, they may share some of their characteristics.
This paper examines the demographic profile – specifically age, gender and postcode of residence – of 660 cases of confirmed money mule incidents during the calendar year 2007 for one major Australian financial institution. We compare them against 2006 ABS statistics of Internet usage [1], using as a null hypothesis the assumption that the age, gender and state of residence of money mules will mirror that of general Internet usage.
2. A Background to Internet Money Mule Scams
Online criminals who conduct phishing and Trojan attacks need Internet money mules to receive the fraudulently obtained funds into their bank accounts for onward forwarding to the overseas based criminals [9]. These criminals advertise for Internet money mules through spam email, Internet messaging and both fraudulent and legitimate employment web sites. They claim to be legitimate employment opportunities, with mules receiving between 7% and 10% of funds transferred via their accounts as a commission.
In Western Australia, the Department of Consumer and Employment Protection’s ‘WAScamNet’ database recorded 1,709 employment and money mule email offers reported by consumers in October 2006 alone. This was 59 percent of all scam emails reported. This category represented the largest category of scam emails reported to the Department each month [3].
3. Anatomy of an Internet Banking Fraud
Figure 1 shows the relationship of the money mule to Internet banking fraud, and is an example of a typical Internet banking fraud. The first Phase in the Internet banking fraud involves the criminal sending a phishing email, or a Trojan-infected or lure email, to thousands of potential victims. A small percentage of those receiving a phishing email actually respond, usually by confirming their account details, or in the other case are infected with a Trojan and have these details compromised when they conduct a real session with their Internet bank (Phase 2). Our victim in this example has ‘clean money’ (c$) in their bank account.
According to the ABS [2], in 12 months over 5.8 million Australians were exposed to phishing emails (this involved people receiving and viewing or reading an unsolicited invitation, request, notification or offer designed to obtain their personal information or money, or otherwise obtain a financial benefit by deceptive means), and of those 5.7% (or 329,000 people) became victims by responding to the scam by supplying personal information, money or both, or seeking more information.
In Phase 3, the potential mule is approached with a job offer, which is usually advertised by unsolicited spam email, Internet messaging and both fraudulent and legitimate employment web sites. Mules are recruited using job titles such as “Financial Managers”, “Representatives”, “Agents” or the like, and are typically promised a 7-10% fee for transferring funds. In order for the transfer to take place mules need to supply their current bank account details or, if they choose to set up a new account for this purpose, supply those details (Phase 4). In Phase 5 the criminal transfers money from a compromised bank account into the mule’s account. The mule, simply doing what their ‘job’ requires, transfers this ‘dirty’ money (d$) – minus their fee – via financial transfer services such as Western Union to an overseas address (Phase 6). The Internet banking fraud now complete, typically the Internet bank involved identifies the Internet money mule and recovers the fee from the mule. The mule may then be subject to prosecution if it can be proven that they laundered the proceeds of crime; however, this generally requires them to have the requisite guilty knowledge or at least to have been reckless as to the fact.
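The Phase 5 to Phase 6 hand-off just described (an inbound transfer forwarded within days through a remittance service, minus a 7-10% commission, often from a newly opened account, sometimes on several days) is what a bank's investigation team can screen its own ledger for. The following is an added example and is not code from the paper or from the financial institution: the ledger records, account names, the 3-day forwarding window and the 90-day "new customer" threshold are all constructed assumptions.

```python
"""Screen for the Internet money mule pattern described in Phases 5 and 6:
an inbound transfer that is forwarded within days through a remittance
service, with 7-10% of it kept as the mule's 'commission'. Constructed
sample ledger; the account names, dates and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    account: str
    day: date
    amount: float      # credits positive, debits negative
    channel: str       # "domestic_transfer", "remittance", "payroll", "eftpos", ...
    counterparty: str


@dataclass(frozen=True)
class Alert:
    account: str
    new_customer: bool  # opened shortly before the first suspect credit
    repeat: bool        # suspect credits on more than one day (paper: 71 of 660 cases)
    legs: tuple         # (credit day, credit, forwarded, commission, gap in days)


# Paper reports a 7-10% fee; the band is widened slightly to absorb transfer fees.
COMMISSION_BAND = (0.05, 0.12)
MAX_GAP_DAYS = 3          # assumed: mules forward the money within a few days
NEW_CUSTOMER_DAYS = 90    # assumed: investigators said many mules were new customers


def commission(credit: float, forwarded: float) -> float:
    """Share of the credit kept by the account holder: 5000 in, 4550 out -> 0.09."""
    return round((credit - forwarded) / credit, 4)


def match_legs(ledger):
    """Pair each inbound domestic transfer with the first later remittance debit
    that falls within MAX_GAP_DAYS and leaves a commission inside the band.
    Each remittance is used at most once. ledger must be sorted by day."""
    legs, used = [], set()
    for c in ledger:
        if c.channel != "domestic_transfer" or c.amount <= 0:
            continue
        for i, d in enumerate(ledger):
            if i in used or d.channel != "remittance" or d.amount >= 0:
                continue
            gap = (d.day - c.day).days
            if gap < 0 or gap > MAX_GAP_DAYS:
                continue
            pct = commission(c.amount, -d.amount)
            if COMMISSION_BAND[0] <= pct <= COMMISSION_BAND[1]:
                legs.append((c.day, c.amount, -d.amount, pct, gap))
                used.add(i)
                break
    return legs


def screen(txns, opened):
    """opened maps account -> opening date. Returns one Alert per account whose
    ledger shows at least one credit-then-forward leg, highest risk first."""
    by_acct = {}
    for t in sorted(txns, key=lambda t: t.day):
        by_acct.setdefault(t.account, []).append(t)
    alerts = []
    for acct, ledger in by_acct.items():
        legs = match_legs(ledger)
        if not legs:
            continue
        credit_days = {leg[0] for leg in legs}
        opened_on = opened.get(acct)
        new_customer = (opened_on is not None
                        and (min(credit_days) - opened_on).days <= NEW_CUSTOMER_DAYS)
        alerts.append(Alert(acct, new_customer, len(credit_days) > 1, tuple(legs)))
    return sorted(alerts, key=lambda a: (not a.repeat, not a.new_customer, a.account))


# Constructed sample ledger for the 2007 data year (all figures invented).
SAMPLE_OPENED = {
    "AC-1001": date(2007, 2, 20),   # opened two weeks before the money arrived
    "AC-1002": date(2001, 6, 1),
    "AC-1003": date(2004, 9, 15),
    "AC-1004": date(2007, 1, 8),
}
SAMPLE_TXNS = [
    # AC-1001: single-instance mule, keeps 9%, forwards the next day
    Txn("AC-1001", date(2007, 3, 5), 5000.00, "domestic_transfer", "compromised account"),
    Txn("AC-1001", date(2007, 3, 6), -4550.00, "remittance", "Western Union, overseas"),
    # AC-1002: repeat instance, deposits on two different days, keeps 8% then 10%
    Txn("AC-1002", date(2007, 4, 2), 3000.00, "domestic_transfer", "compromised account"),
    Txn("AC-1002", date(2007, 4, 3), -2760.00, "remittance", "Western Union, overseas"),
    Txn("AC-1002", date(2007, 4, 9), 8000.00, "domestic_transfer", "compromised account"),
    Txn("AC-1002", date(2007, 4, 11), -7200.00, "remittance", "Western Union, overseas"),
    # AC-1003: ordinary customer, salary in, spending, small family remittance
    Txn("AC-1003", date(2007, 3, 1), 3200.00, "payroll", "employer"),
    Txn("AC-1003", date(2007, 3, 2), -120.50, "eftpos", "supermarket"),
    Txn("AC-1003", date(2007, 3, 3), -300.00, "remittance", "family overseas"),
    # AC-1004: new account with a transfer in, but most of the money stays put
    Txn("AC-1004", date(2007, 5, 14), 1000.00, "domestic_transfer", "friend"),
    Txn("AC-1004", date(2007, 5, 15), -300.00, "remittance", "family overseas"),
]

if __name__ == "__main__":
    for a in screen(SAMPLE_TXNS, SAMPLE_OPENED):
        flags = [f for f, on in (("REPEAT", a.repeat), ("NEW CUSTOMER", a.new_customer)) if on]
        print(a.account, ", ".join(flags) or "-", a.legs)
```

On the sample ledger only AC-1002 (repeat instance) and AC-1001 (new customer) are flagged; the salary account and the account that keeps most of its transfer are not.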
Figure 1. Anatomy of an Internet fraud
4. Methodology
The data used in this paper has been obtained from de-identified database material gathered by the Internet fraud investigation team of a major Australian financial institution. As a basis of comparison, the ABS Patterns of Internet Access in Australia Survey 2006 [1] was used.
The data supplied by the financial institution is particularly relevant as it represents actual cases of Internet money mule activity – where the mules had willingly given their account details for the receipt of illegally obtained funds. Unlike survey data it is not subject to the possible bias that is often evident in self-report statistics. It also represents a complete set of data, as it includes every case investigated by that financial institution for a calendar year (2007). While no doubt the financial institution’s investigation database on money mules is extensive, the fields supplied to the authors were less detailed to maintain confidentiality: gender (male, female or joint account holder), age in years (whole numbers), and postcode. According to fraud investigators at the financial institution, each case was entered in the investigation database chronologically as each incident of fraud was discovered or reported to bank staff [5].
The ABS Patterns of Internet Access in Australia Survey 2006 data represents numbers of people who have access to the Internet, based on the 2006 Census [1].
As the Internet money mule activity referred to in this paper involves those who have access to the Internet, it is assumed that the demographic profile of money mules would mirror that of the general Internet user. Another hypothesis, that they may otherwise mirror other Internet banking customers, was discounted as investigators advised that many of the Internet money mules were in fact new customers [5].
The age categories selected were based on those used in the ABS survey. In the data set obtained from the financial institution there was a total of 130 people whose age was unknown. Their ages were distributed in the sample population in the same ratio as the distribution for those with known age; of these 130, 79 were male and 51 female.
5. Results
A total of 660 accounts received illegally obtained funds. Of these, 26 were in the name of joint account holders. For the purpose of this paper it was assumed that both account holders were money mules, making the total number of money mules 686. Table 1 represents the 686 money mules identified by the financial institution. In 71 cases there were multiple deposits made on different days.
Table 1. Internet money mules by age and gender by number
Of the 686 money mules, 429 were male and 257 were female (Table 1). This meant in percentage terms males comprised 62.39% and females 37.61% (Figure 2). Of the 71 multiple instances of money mule activity, 53 were male and 21 were female.
Figure 2. Percentage break down of males and females from ABS statistics on Internet users compared to Internet Money Mules
5.1. Categorical Analysis of Mule Data
5.1.1. Sex Differences. The expected occurrence of male and female mules (all other things being equal) would be 343 each. Using a Pearson chi-square analysis, χ2=21.91, df=1, p < .0001, so there are significantly more male mules than female mules overall.
5.1.2. Age x Sex Differences. A Pearson chi-square analysis was performed within the different age bands shown in Table 1. The results are summarized below:
• < 15: χ2=0.00, df=1, p = 1.00, so there are no differences between males and females in this age range.
• 15-24: χ2=7.11, df=1, p = 0.0077, so there are significantly more male mules than female mules in this age range.
• 25-34: χ2=5.48, df=1, p = 0.0192, so there are significantly more male mules than female mules in this age range.
• 35-44: χ2=0.83, df=1, p = 0.3623, so there are no differences between males and females in this age range.
• 45-54: χ2=1.24, df=1, p = 0.2655, so there are no differences between males and females in this age range.
• 55-64: χ2=4.86, df=1, p = 0.0275, so there are significantly more male mules than female mules in this age range.
• 65-74: χ2=6.03, df=1, p = 0.0141, so there are significantly more male mules than female mules in this age range.
• 75+: χ2=3.61, df=1, p = 0.05, so there are significantly more male mules than female mules in this age range.
5.1.3. Multiple Instances Sex Differences. The expected occurrence of repeat offender male and female mules (all other things being equal) would be 35 each. Using a Pearson chi-square analysis, χ2=7.08, df=1, p=0.0078, so there are significantly more multiple instance male mules than female mules.
6. Discussion
Naturally there are statistical limitations to this work; however, the significance of the raw data cannot be underestimated. It is rare to obtain archival data sets such as this, and with this in mind we seek to find any preliminary statistical trends and patterns which emerge, many of which warrant further investigation.
There is a strong gender bias towards Internet money mules being male. This is even greater when the element of potential criminal intent is introduced with multiple instances (in multiple instances the mules have usually been advised of the nature of the fraud already). The bias progressively increases as the age of the money mule increases. The proposition that males are more prone to this type of risky endeavour is partly supported by the KPMG Survey [6], which indicated that in 85 percent of profiles fraudsters were male. However, this survey was heavily influenced by frauds against the company, often by insiders who were senior management or executives (roles where men often predominate).
Figure 3. Percentage break by age group from ABS statistics on Internet users compared to Internet Money Mules
Figure 3 shows a comparison of the financial institution’s mule data against the ABS statistics for Internet usage across the various age categories. Of the money mules, people between 25 and 34 represented 32.94 percent of the total, while those aged between 35 and 44 represented 22.45 percent. Over 55 percent of all money mules were aged between 25 and 44. The low representation (1.75 percent) of young people aged between 5 and 14 (even though they are a significant percentage of the total internet users – 17.22 percent) is expected as it would be more difficult for minors to open bank accounts without parental or guardian consent.
In the 45 – 54 year old category the total number of mules is roughly consistent with the number of Internet users (16.65 percent versus 15.16 percent respectively). In the over 55, 65, and 75 categories mules are proportionally fewer than Internet users for the same categories.
Figure 4. Percentage break down of males and females by age groups from ABS statistics on Internet users compared to Internet Money Mules
Figure 4 shows the ABS and mule data age categories with gender highlighted. Apart from the equal distribution of mules in the Under 15 age group, there are significantly more males represented in every age category of the mule data. This difference is particularly evident in the 15 – 24 age range and in the 25 – 34 age group. Of further interest is the complete absence of female mules in all age groups over 65.
Figure 5. Postcodes of Internet money mules accounts mapped on Australia
Figure 6. Postcodes of Internet money mules accounts mapped on Sydney
6.1. Analysis of Mule Postcodes
In the data set supplied to researchers by the financial institution was the postcode of the Internet money mule accounts involved in 660 incidents in 2007. Using that data the percentage breakdown between States and Territories was calculated. Researchers then compared these percentages to the 2006 ABS figures for Internet users by State and Territory.
Figure 7 shows the results of that comparison. While Queensland has a very similar percentage of mules to Internet users (20.09% to 20.69%), the two most populous states, with the largest urban centres, NSW and Victoria, account for a larger portion of the mules than of Internet users: NSW being 34.76% of the mules compared to 32.59% of the ABS Internet users and, more significantly, Victoria being 33.19% of the mules compared to 24.73% of the ABS Internet users. All the remaining states and territories represent fewer mules than ABS Internet users: Western Australia being 6.42% of the mules compared to 10.17% of the ABS Internet users; South Australia being 3.29% of the mules compared to 7.49% of the ABS Internet users; Tasmania being 0.94% of the mules compared to 2.20% of the ABS Internet users; and finally Northern Territory being 0.16% of the mules compared to 0.75% of the ABS Internet users.
Figure 7. Percentage break down by state and territory from ABS statistics on Internet users compared to Internet Money Mules
While one needs to exercise caution in drawing broad conclusions from this, it does raise the possibility that those in populous states with large urban centres like Sydney and Melbourne are more prone to becoming mules. This will however require further research to establish. Further work is currently underway to create a heat map of these postcodes and to examine trends between urban and rural areas of each state and territory and of Australia as a whole. To illustrate the potential of this future work, Figure 5 maps the mule postcodes on a map of Australia and Figure 6 on a map of the Sydney metropolitan area.
7. Conclusion
While this analysis is really preliminary and there is more work to be done to fully exploit the data, it already presents a number of areas for future research. A clear trend is the over-representation of males, particularly in the 25-34 age group and in older age ranges where males predominate. The Internet money mule data needs to be further investigated in conjunction with similar profiling such as the work by KPMG [6].
While the size of the sample is small (some 660), it is the first look at Internet money mules as a group and is actual incident data rather than based on surveys. When compared to other human factors research in the cybercrime area such as Dhamija’s “Why Phishing Works” [4], where the sample size was a paltry 22, the sample is actually quite large.
The geographical data itself needs further analysis and this will also form the basis of future research. Whether the differences in locality between the ABS Internet users and Internet money mule data are significant still needs to be shown. Of particular interest would be looking at whether there are any differences between urban and rural communities.
The key lessons from this research and subsequent work are to better understand Internet money mule profiles so education can be targeted to those individuals, and to better educate bank staff to identify those setting up accounts to be Internet Money Mules. While this demographic data does clearly help in this regard, other profile elements need to be looked at in future research. These could include such things as profiling how Internet money mule accounts are established and operated in contrast to other account establishments.
8. References
[1] Australian Bureau of Statistics, “Patterns of Internet Access in Australia, 2006”, ABS, Canberra, 2007.
[2] Australian Bureau of Statistics, “Personal Fraud, 2007”, ABS, Canberra, 2008.
[3] Australian Institute of Criminology, “Money Mules”, High Tech Crime Brief 16, 2007. Retrieved 23 March 2008.
[4] Dhamija, R., Tygar, J.D., and Hearst, M., “Why Phishing Works”, in Proceedings of CHI 2006, Montréal, Québec, Canada, 2006.
[5] Interview with subject financial institution’s Internet Security Team (2008). Conference call phone interview.
[6] KPMG, “Profile of a Fraudster Survey 2007”, KPMG International, 2007. Retrieved 20 January 2009.
[7] S. McCombie, “Trouble in Florida: The Genesis of Phishing Attacks on Australian Banks”, 6th Australian Digital Forensics Conference, Perth, 2008.
[8] S. McCombie, P. Watters, A. Ng, B. Watson, “Forensic Characteristics of Phishing - Petty Theft or Organized Crime?”, Proceedings of WEBIST, 149-157.
[9] A. Stabek, S. Brown, and P. Watters, “The Case for a Consistent Cyberscam Classification Framework (CCCF)”, Proceedings of the Cybercrime and Trustworthy Computing Workshop (CTC-2009).
Figure 3.1: Western Union Russian website 2010
Phishing the Long Line: Transnational
Cybercrime from Eastern Europe to Australia.
Chapter Three
CASE STUDIES AND ETHNOGRAPHIC
FEATURES OF EASTERN EUROPEAN
CYBERCRIME
CHAPTER THREE: CASE STUDIES AND ETHNOGRAPHIC FEATURES
OF EASTERN EUROPEAN CYBERCRIME
3.1
Introduction
The previous chapter looked at the role and profile of Internet money mules and money laundering,
and examined new data on money flows out of Australia relating to the proceeds of phishing. Eastern
Europe figured heavily in those transactions, particularly Russia, the Ukraine and other countries
that were part of the former Soviet Union. This data is corroborated by a number of case studies,
including the first attacks on Internet banks in 2003 (see Section 3.8). This chapter looks in detail
at those first Internet Bank phishing attacks, what can be learnt about their source and the
methodology of the attackers, and how this changed the crime paradigm. It also examines what
makes Eastern Europe particularly suited to this activity; factors which include an organised crime
tradition, high technical education levels, a high incidence of corruption and a large
Internet-connected population. This chapter also examines the background of the Russian Federal
Agency for Government Communications & Information, which appears to have aided the rise of EECGs.
3.2
Genesis of Phishing Attacks on Internet Banks
While phishing as a term itself dates from the 1990s (Ramzan 2007) with attacks designed to
compromise America On Line (AOL) accounts, Internet bank phishing did not start until 2003. Even
though there were some isolated attacks on payment services Paypal and eGold in 2002, the first
attack against a fully-fledged Internet Bank occurred in March 2003 (McCombie 2008). That bank
was Australia’s formerly government owned, Commonwealth Bank of Australia. At the time it was
Australia’s leading bank and its largest Internet Bank as measured by the number of customers who
had Internet accounts.
On Monday, 17 March 2003, an email was sent out purporting to be from “admins at
Commonwealth Bank”. The attack, when examined in retrospect, has a number of features
associated with later attacks by EECGs: poor grammar, the Windows-1251 (Cyrillic) character set
and a +0300 time zone (Eastern European Summer Time and Eastern Russia Standard Time). These
particular features are dealt with in detail in Chapter 5. However, a unique feature of this and five
other early attacks between March and early July 2003 was that they were all hosted at one
particular provider in Florida. In contrast, later attacks were widely distributed on compromised
hosts across the world (McCombie 2008; McCombie 2009). The Florida provider was E-Biz Web
Hosting Solutions LLC, which had at the time as its Chief Technology Officer Alex Mosh, alias Alex
Mozhey. Mosh is a well known spammer and is listed in the Spamhaus Register of Known Spam
Organisations (ROKSO). In 2007 he was listed as number one in the top spamming organisations
worldwide (The Spamhaus Project 2007). As of 1 February 2011 he is listed as number three (The
Spamhaus Project 2011). According to a number of his online profiles, he is a Russian-speaking
Ukrainian living in Odessa (McCombie 2009). Within the phishing site for Westpac on 4 July 2003,
the metadata of the page showed its directory path. This indicated that the username on the
system, presumably the one on which the site was coded, was Alex Gnom. An Alex Gnom is listed on
the Internet as a freelance programmer and web developer based in Lvov in the Ukraine, on
http://www.hightechhire.com.
Figure 3.2: Relationship Diagram for Phishing Incidents December 2002 to July 2003 (McCombie 2008)
It would appear these first phishing sites were set up on dedicated infrastructure rather than on
compromised systems, as would later be the case. This may have been because the design and
operation of these sites was, at this point, experimental. They therefore needed to be more closely
monitored and controlled than a compromised host would allow. To achieve their aim the phishers
need to create a replica of the real bank website and have the capacity to capture user credentials.
They then either store them locally for later retrieval or email them to a drop email account for use
(often an anonymous account with Hotmail or Yahoo). While this would have been a relatively trivial
programming exercise, it would still require some testing to work efficiently in disparate
environments. In time, compromised hosts were used, presumably once the phishers became
comfortable with the phishing site build and it could be easily set up in various environments
without full access. These early attacks are of considerable interest for a number of reasons. They
were created from scratch and did not utilise already created content. The phishers did not go to
great lengths to hide their identities or their methodology (as can be seen above), as would be the
case later. There were only a handful of incidents over a number of months, and thus they are easier
to study in some detail. Significantly, amongst other things, it reveals that, with the entire
Internet-connected world to choose from, Eastern European cybercriminals chose Australia as their
first target.
3.3
Alex Mozhey Update
Since the publication in December 2009 of “Trouble in Florida” (Section 3.8), which identified the
connection between Alex Mozhey, Alex Mosh, Pilot Holding LLC and E-Biz Hosting Solutions LLC, the
LinkedIn page of Alex Mozhey has been updated by the removal of details of his working at those
two businesses. That paper is easily found on the Internet with a simple Google search for “Alex
Mozhey”. It is not known why the LinkedIn entry was amended, but it is likely that Mozhey became
aware of the paper and made these changes (see Figure 3.3 below).
Figure 3.3: LinkedIn Profile of Alex Mozhey 2008 and 2011. Note absence of Pilot Holding LLC and E-Biz Hosting Solutions LLC.
3.4
Advantageous Environment for Cybercrime
An examination of the factors that make Eastern Europe an advantageous environment for
cybercrime requires an assessment of what unique features exist within this environment. Using
available data on Internet usage and penetration, education levels, corruption perception index and
scholarship on the organised crime tradition in those countries, a rather unique environment
favouring the development of cybercrime was identified in the countries that comprised the former
Soviet Union and in particular Russia and the Ukraine. This is also dealt with in Section 3.8 in the
paper “Cybercrime Attribution: An Eastern European Case Study” but additional and more recent
material is included here.
3.4.1
Education Levels
To plan and commit Phishing and related cybercrime, a level of technical knowledge is required. As
such, a relevant factor in a country’s profile for phishing and related cybercrime is the level of
technical education. The United Nations Educational, Scientific and Cultural Organisation (UNESCO)
and the World Bank publish details of tertiary education levels for most of the world’s nations. The
figures include the Gross Enrolment Ratio (GER) for tertiary education. Tertiary GER is the number
of pupils enrolled in tertiary education, regardless of age, expressed as a percentage of the
population of the five-year age group following on from the secondary school leaving age (UNESCO
2007); see Table 3.1 below.
47
Table 3.1: Gross Enrolment Ratio (GER %) for tertiary education; countries of the former Soviet Union marked with * (UNESCO 2007)

Country                GER%   Country                  GER%   Country            GER%
Korea, Rep.              96   Lebanon                    49   Bermuda              22
Finland                  94   Serbia                     48   Cayman Islands       20
Greece                   91   Mongolia                   48   Tajikistan*          20
Slovenia                 85   Switzerland                47   Indonesia            18
United States            82   Croatia                    47   Guatemala            18
Denmark                  80   West Bank and Gaza         46   Brunei               15
New Zealand              79   Thailand                   46   Azerbaijan*          15
Ukraine*                 76   Panama                     45   India                13
Norway                   76   Kyrgyz Republic*           43   Guyana               12
Lithuania*               76   Hong Kong                  42   Lao PDR              12
Russia*                  75   Moldova*                   41   South Asia           11
Australia                75   Bolivia                    38   Morocco              11
Sweden                   75   Jordan                     38   Qatar                11
Iceland                  72   Turkey                     37   Myanmar              11
Latvia*                  71   Georgia*                   37   Yemen, Rep.          10
Spain                    68   Cyprus                     36   Uzbekistan*          10
Belarus*                 68   Macedonia, FYR             36   Cape Verde           10
Argentina                68   Ecuador                    35   Cote d'Ivoire         8
Hungary                  67   Armenia*                   34   St. Lucia             8
Italy                    67   Bosnia Herzegovina         34   Guinea                8
Poland                   67   Aruba                      33   Cameroon              7
Estonia*                 65   Malta                      33   Bangladesh            7
Uruguay                  64   Colombia                   33   Senegal               6
Belgium                  62   Malaysia                   32   Ghana                 6
Ireland                  61   Tunisia                    32   Bhutan                5
Israel                   60   Saudi Arabia               31   Mali                  5
Netherlands              60   Liechtenstein              31   Cambodia              5
United Kingdom           59   Brazil                     30   Togo                  5
Romania                  58   Iran, Islamic Rep.         30   Pakistan              5
Japan                    58   Egypt, Arab Rep.           29   Congo                 4
Portugal                 57   Paraguay                   29   Mauritania            4
Macao                    55   American Samoa             28   Ethiopia              4
France                   55   Mexico                     26   Madagascar            4
Czech Republic           54   World                      26   Djibouti              3
Chile                    52   Algeria                    24   Burkina Faso          3
Kazakhstan*              51   El Salvador                24   Burundi               2
Austria                  50   Mauritius                  23   Tanzania              1
Slovak Republic          50   Oman                       23   Niger                 1
Bulgaria                 49   China                      22   Malawi                0
UNESCO also produces data on tertiary graduates by discipline. The two discipline areas of interest
are, on the one hand, science and, on the other, engineering, manufacturing and construction.
Computer science and information technology cut across both areas depending on the degree,
but the figures are still a good indicator of the level of relevant technical education.
Unfortunately, data are not supplied for China or India, but all other major nations are represented.
All countries with more than 10,000 graduates in each of those two areas are listed below in
Tables 3.2 and 3.3.
Table 3.2: 2007 Graduates in Science by Country, >10,000; countries of the former Soviet Union marked with * (UNESCO 2007)

Country                       Graduates in Science
United States of America                    234312
Russian Federation*                         115320
United Kingdom                               85692
Brazil                                       57705
Republic of Korea                            44984
Mexico                                       43517
Poland                                       42931
Myanmar                                      39681
Turkey                                       33322
Iran (Islamic Republic of)                   33306
Japan                                        31711
Malaysia                                     31195
Italy                                        26638
Spain                                        26223
Saudi Arabia                                 21069
Ukraine*                                     19970
Argentina                                    16892
Algeria                                      14499
Morocco                                      13422
Romania                                      10665
Portugal                                     10350
Table 3.3: 2007 Graduates in engineering, manufacturing and construction by Country, >10,000; countries of the former Soviet Union marked with * (UNESCO 2007)

Country                       Graduates in engineering, manufacturing and construction
Russian Federation*                                                             428803
Japan                                                                           189417
United States of America                                                        189247
Republic of Korea                                                               159559
Ukraine*                                                                        113475
Iran (Islamic Republic of)                                                      106205
Mexico                                                                           67587
Turkey                                                                           56454
Italy                                                                            55538
United Kingdom                                                                   54883
Malaysia                                                                         51092
Viet Nam                                                                         49529
Spain                                                                            46906
Poland                                                                           46328
Brazil                                                                           46042
Romania                                                                          29728
Belarus*                                                                         25758
Colombia                                                                         25193
Portugal                                                                         16290
Algeria                                                                          15190
Chile                                                                            15099
Argentina                                                                        12866
Czech Republic                                                                   12445
Sweden                                                                           10345
3.4.2
Corruption Levels
Similarly relevant to the commission of these crimes is the level of corruption in the particular
society. Corruption means that crime may be more acceptable and efforts to combat it less
effective. In a more corrupt society the likelihood of arrest is lower, as long as protection money
is paid, either via a gang (known as a "roof" in Eastern Europe) or directly to law enforcement.
Transparency International produces an index of countries, based on a series of surveys, called the
Corruption Perception Index (CPI). The 2010 CPI ranks 178 countries by their perceived levels of
corruption, as determined by expert assessments and opinion surveys; it is a survey of surveys. A
low score represents a higher perception of corruption.
Table 3.4: Corruption Perception Index (CPI) for countries scoring 2.4 or lower; countries of the former Soviet Union marked with * (Transparency International 2010)

Rank (of 178)  Country                    CPI    Rank (of 178)  Country                        CPI
134            Bangladesh                 2.4    154            Congo-Brazzaville              2.1
134            Honduras                   2.4    154            Guinea-Bissau                  2.1
134            Nigeria                    2.4    154            Kenya                          2.1
134            Philippines                2.4    154            Laos                           2.1
134            Sierra Leone               2.4    154            Papua New Guinea               2.1
134            Togo                       2.4    154            Russia*                        2.1
134            Ukraine*                   2.4    154            Tajikistan*                    2.1
134            Zimbabwe                   2.4    164            Democratic Republic of Congo   2.0
143            Maldives                   2.3    164            Guinea                         2.0
143            Mauritania                 2.3    164            Kyrgyzstan*                    2.0
143            Pakistan                   2.3    164            Venezuela                      2.0
146            Cameroon                   2.2    168            Angola                         1.9
146            Côte d'Ivoire              2.2    168            Equatorial Guinea              1.9
146            Haiti                      2.2    170            Burundi                        1.8
146            Iran                       2.2    171            Chad                           1.7
146            Libya                      2.2    172            Sudan                          1.6
146            Nepal                      2.2    172            Turkmenistan*                  1.6
146            Paraguay                   2.2    172            Uzbekistan*                    1.6
146            Yemen                      2.2    175            Iraq                           1.5
154            Cambodia                   2.1    176            Afghanistan                    1.4
154            Central African Republic   2.1    176            Myanmar                        1.4
154            Comoros                    2.1    178            Somalia                        1.1
Transparency International, in its 2010 survey, examined the percentage of users of services who
reported paying a bribe to receive attention from at least one of nine different service providers
in the previous 12 months. Services included education, the judiciary, medical services, police,
registry and permit services, utilities, tax revenue and customs. The response percentages are listed
below in Table 3.5. Respondents were also asked how the level of corruption in their country had
changed in the past three years; the response percentages for selected countries of the former
Soviet Union are given in Table 3.7.
Table 3.5: Percentage of users of services reporting they paid a bribe to receive attention from at least one of nine different service providers in the past 12 months, 7% or greater; countries of the former Soviet Union marked with * (Transparency International 2010A)

Country           Percentage   Country                  Percentage   Country           Percentage
Liberia                  89%   Lithuania*                      34%   Indonesia                18%
Uganda                   86%   Lebanon                         34%   Greece                   18%
Cambodia                 84%   Turkey                          33%   Serbia                   17%
Sierra Leone             71%   El Salvador                     31%   Philippines              16%
Nigeria                  63%   Mexico                          31%   Luxembourg               16%
Afghanistan              61%   Bolivia                         30%   Kosovo                   16%
Senegal                  56%   Romania                         28%   Vanuatu                  16%
Iraq                     56%   Belarus*                        27%   Latvia*                  15%
India                    54%   Papua New Guinea                26%   Poland                   15%
Cameroon                 54%   Russia*                         26%   Czech Republic           14%
Palestine                51%   Hungary                         24%   Italy                    13%
Pakistan                 49%   Colombia                        24%   Argentina                12%
Mongolia                 48%   Thailand                        23%   Fiji                     12%
Azerbaijan*              47%   Bosnia & Herzegovina            23%   China                     9%
Kenya                    45%   Armenia*                        22%   Malaysia                  9%
Vietnam                  44%   Peru                            22%   Austria                   9%
Zambia                   42%   FYR Macedonia                   21%   Japan                     9%
Ghana                    37%   Chile                           21%   Singapore                 9%
Moldova*                 37%   Venezuela                       20%   Bulgaria                  8%
Ukraine*                 34%   Solomon Islands                 20%   Taiwan                    7%
3.4.3
Organised Crime Tradition
Eastern Europe, and Russia in particular, has an organised crime tradition dating back to the days of
the Tsars. While the popular image of the Russian "Mafiya" is a somewhat fanciful Hollywood view of
machine-gun-toting goons, the reality is highly organised and sophisticated crime operations mixed
with legitimate business enterprises, which are particularly adept at money laundering. See Section
3.8, Cybercrime Attribution: An Eastern European Case Study, for more detail.
3.4.4
Corruption of State Security: Federal Agency for Government Communications &
Information
As noted in the introduction, the 2003 disbanding of the Russian Federal Agency for Government
Communications & Information (FAPSI) led to a number of highly trained information warriors going
to work for Russian organised crime (Galeotti 2007). The functions of FAPSI had originally been
under the KGB prior to the dissolution of the Soviet Union, and many of its staff were originally
with the KGB. While not a lot is known about the operations of FAPSI, in 1997 Vladimir
Markomenko, then deputy director of FAPSI, stated that the "information war" concept
comprised four components:
1. The suppression of components of the infrastructure of state and military administration
(destruction of command and control centres); electromagnetic pressure on components of the
information and telecommunications system (electronic warfare)
2. Acquisition of intelligence through intercepting and deciphering information flows
transmitted via communications channels, also though spurious radiation, and through
electronic information intercepting devices especially planted in premises and in technical
systems (electronic intelligence)
3. Unauthorised access to information resources (by the use of software and hardware for
penetrating systems for the protection of enemy information and telecommunications systems)
with subsequent distortion, destruction, or theft, or a disruption of the normal operations of
these systems (hacker warfare)
4. Formation and mass dissemination by enemy information channels or global data
interaction networks of disinformation or tendentious information for influencing the
opinions, intentions, and orientation of society and decision makers (psychological warfare).
(Argentura 2011)
Component 3 (hacker warfare) could well include Phishing. Even in the early 1990s, when the
commercial Internet was relatively limited, Waller (1994) made the startling observation about FAPSI
and organised crime that:
FAPSI poses a new threat to legitimate businesses in Russia and the West, and is a
potential window for the secret police and organized crime to enter the information
highway on an unprecedented scale. (Waller 2004)
In 1998 testimony to the Joint Economic Committee of the United States Congress, Victor Sheymov, a
former KGB Major and head of its cipher division, observed a change in FAPSI's priorities with
the end of the Cold War:
...the end of the Cold War somewhat shifted goals, objectives, and some targets of the FAPSI
toward a heavier emphasis on intercept of technological, commercial and financial
information. (Joint Economic Committee United States Congress 1998)
This interception of financial information could well have included early Internet banking data, and
plans to defraud Western banks may have developed either as state-sanctioned information warfare or
as a criminal conspiracy with Russian organised crime. In 1996 FAPSI, through its commercial arm,
created an Internet service provider called "Business Network of Russia" (Argentura 2007). While it is
not known whether it is linked to the notorious Russian Business Network (Zenz 2007) (see Section 3.8),
the similarity in the names is worth further investigation.
3.4.5
Internet Penetration
The availability and cost of Internet access is also a key factor in the ability to commit phishing and
related cybercrime, so Internet penetration and the total population with Internet access are
relevant. The International Telecommunication Union (ITU) is the lead United Nations agency for
information and communication technology issues. It produces global statistics for Internet usage,
including total and per capita Internet users and per capita Internet subscribers.
Table 3.6: Countries of the former Soviet Union, estimated Internet users per 100 inhabitants 2000-2009 (ITU 2010); "–" = no estimate given

Country         2000    2001    2002    2003    2004    2005    2006    2007    2008    2009
Armenia         1.30    1.63    1.96    4.58    4.90    5.25    5.63    6.02    6.21    6.75
Azerbaijan      0.15    0.31    5.00       –       –    8.03   11.99   14.54   17.08   27.40
Belarus         1.86    4.30    8.95   16.22   24.95   26.49       –       –       –   27.43
Estonia        28.58   31.53   41.52   45.32   53.20   61.45   63.51   66.19   70.58   72.50
Georgia         0.48    0.99    1.59    2.56    3.89    6.08    7.53    8.26   23.78   30.51
Kazakhstan      0.67    1.01    1.67    2.00    2.65    2.96    3.27    4.02   11.00   18.20
Kyrgyzstan      1.04    3.00    3.00    3.91    5.09   10.53   12.31   14.03   15.70   40.03
Latvia          6.32    7.22   21.94   26.98   38.58   46.00   53.63   59.17   63.41   66.84
Lithuania       6.43    7.18   17.69   25.91   31.23   36.22   43.90   49.90   55.22   59.76
Russia          1.98    2.94    4.13    8.30   12.86   15.23   18.02   24.66   26.83   29.00
Tajikistan      0.05    0.05    0.06    0.06    0.08    0.30    3.77    7.20    8.78   10.07
Turkmenistan    0.13    0.18    0.30    0.43    0.75    1.00    1.32    1.41    1.49    1.57
Ukraine         0.72    1.24    1.87    3.15    3.49    3.75    4.51    6.55   10.55   17.00
Uzbekistan      0.48    0.60    1.08    1.91    2.59    3.34    6.39    7.49    9.08   17.06
Figure 3.4: Internet Users per 100 inhabitants 2010 (ITU 2010)
ITU also calculates relative costs for information and communication technology (ICT) access, known
as the ICT Price Basket. It found that relative ICT costs in Russia and the other countries of the
former Soviet Union (CIS) were similar to those in the Americas, despite the significantly higher
Gross National Income (GNI) per capita in the Americas (see Figure 3.5 below).
Figure 3.5: ICT Price Basket across Regions (ITU 2008)
3.5
Russia in Profile
Russia has a population of 139,390,205 and its per capita GDP is USD$15,900 (CIA Factbook, July
2010). It has a very low CPI of 2.1, ranking it in the bottom 15% of countries, at 154 of 178; the same
score as Laos and the Central African Republic. In 2010, 26% of users reported they paid a bribe to
receive attention from providers in at least one of nine service categories (education, judiciary,
medical services, police, registry & permit services, utilities, tax revenue and customs) in the
previous 12 months. In the same survey 39% said the level of corruption was the same as it was 3
years prior, 53% said it had increased and only 8% said it had decreased. Assessing Russia’s
government efforts to fight corruption, 52% of respondents said those efforts were ineffective.
Table 3.7: Responses to the question "In the past three years, how has the level of corruption in this country changed?" for selected countries of the former Soviet Union (Transparency International 2010A)

Country       Decreased   Same   Increased
Azerbaijan          28%    20%         52%
Belarus             24%    49%         27%
Georgia             78%    13%          9%
Moldova             12%    35%         53%
Russia               8%    39%         53%
Ukraine              7%    63%         30%
Russia’s tertiary GER is very high at 75% and within the top 10% of countries, the same as Australia
and Sweden. It ranks second in the world in number of graduates in science (115,320) and first in the
number of graduates in engineering, manufacturing and construction (428,803).
In 2008 Russia had more than 30 million Internet subscribers with a penetration of over 26 users per
100 of population (ITU 2010).
Table 3.8: Responses to the question "How would you assess your current government's efforts to fight corruption?" for selected countries of the former Soviet Union (Transparency International 2010A)

Country       Ineffective   Neither   Effective
Armenia               53%       20%         27%
Azerbaijan            26%        9%         66%
Belarus               26%       35%         39%
Georgia               12%       11%         77%
Moldova               52%       30%         18%
Russia                52%       22%         26%
Ukraine               59%       24%         16%
3.6
Ukraine in Profile
Ukraine has a population of 45,134,707 and its per capita GDP is USD$6,700 (CIA Factbook, July
2010). It has a low CPI of 2.4, though higher than Russia's, putting it at 134 of 178 countries, the
same as Zimbabwe. In Ukraine, 34% of users of services reported paying a bribe to receive attention
from at least one of nine service providers (education, judiciary, medical services, police, registry
and permit services, utilities, tax revenue and customs) in the previous 12 months. In 2010, 63% said
corruption was the same as it was three years earlier and 30% said it had increased; only 7% said it
had decreased. Assessing the Ukrainian government's efforts to fight corruption, 59% of respondents
said those efforts were ineffective, seven points higher than for Russia.
Ukraine's tertiary GER is very high at 76%, eighth highest in the world. While it ranks only 16th among
the countries listed in number of graduates in science (19,970), it is fifth in the number of graduates
in engineering, manufacturing and construction (113,475). By 2008 Ukraine had over 6 million
Internet users and Internet penetration of over 10 users per 100 (ITU 2010).
3.7
Conclusion
As can be seen, Russia and Ukraine are uniquely suited to the growth of cybercrime. They have
a tradition of organised crime, high levels of corruption, high levels of technical education and
relatively good access to the Internet. The first phishing attacks on Internet banks, from March to
July 2003, can be attributed to Ukrainian spammers, with Eastern European groups responsible for a
significant portion of subsequent attacks. Chapter Five examines other supporting data for this
attribution, namely the features within phishing artefacts, in particular phishing emails. The next
chapter examines the online market for compromised credentials, compromised systems, exploit
code, crimeware and other resources that support phishing and credit card fraud.
3.8
References
McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th
Australian Digital Forensics Conference. Perth.
McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case Study. 7th
Australian Digital Forensics Conference. Perth.
Edith Cowan University
Research Online
Australian Digital Forensics Conference
Security Research Centre Conferences
3-12-2008
Trouble in Florida: The Genesis of Phishing
attacks on Australian Banks
Stephen McCombie
Macquarie University
Originally published in the Proceedings of the 6th Australian Digital Forensics Conference, Edith
Cowan University, Perth Western Australia, December 3rd 2008.
Recommended Citation
McCombie, Stephen, "Trouble in Florida: The Genesis of Phishing attacks on Australian Banks" (2008). Australian Digital Forensics
Conference. Paper 48.
http://ro.ecu.edu.au/adf/48
Trouble in Florida: The Genesis of Phishing attacks on Australian Banks
Stephen McCombie
Cybercrime Research Lab, Macquarie University
[email protected]
Abstract
Today Phishing of Internet banks is a well-known problem and globally is responsible for more than US$3 billion
in fraud annually. To date there has been limited research into the individuals and groups responsible for these
attacks. Considerable anecdotal evidence exists to suggest that transnational organised crime groups are
involved in Phishing. The involvement of these groups, particularly those operating out of Eastern Europe, is of
concern given their sophistication and resources. Earlier work by CRL@mq looked at a month of Phishing
against one Australian financial institution, and clustering indicative of a small number of groups being
responsible was seen. To get a better picture of the nature of the groups behind Phishing we now look back to
the genesis of attacks against Internet banks. The first attacks against Australian banks started in March 2003
and were in fact the first attacks of this kind against Internet banks globally. We examine these incidents as a
case study and look at the individuals and organisations involved. The circumstances behind these attacks are
clearer now than might be imagined, given that none of the perpetrators were identified at the time. We then briefly
examine how much Phishing has changed in the intervening five years.
KEYWORDS
Computer crime case studies, cybercrime, Phishing, money laundering, e-crime, e-fraud, Internet banking fraud.
INTRODUCTION
Phishing is a well-known problem, accounting for as many as 1 in every 281 Internet email messages in
September this year (Messagelabs 2008). Gartner estimated that annual losses from Phishing attacks in the US
alone went from USD$928 million in 2005 (Litan 2005) to USD$3.2 billion in 2007 (Gartner 2007). APACS,
the UK payments association, reported UK online banking fraud of GBP£21.4 million in the first six months
of 2008 (APACS 2008). Phishing attacks today are so frequent and numerous that it is difficult to understand their
true scope, or the actors behind them, except in isolation. Earlier work at the Cybercrime Research
Lab @ Macquarie University (CRL@mq) looked at Phishing against one Australian financial institution in July
2006 and examined the archival data available in that case (McCombie 2008). In that case study some clear
indicators of a discrete number of attackers being involved in multiple attacks were observed. That archival study
examined data covering just one organisation in one country over one month, a tiny portion of
the total. Given that, this work looks at an earlier time when Phishing was not an everyday
occurrence against financial institutions, was little known and was therefore relatively discrete: very
late 2002 to the middle of 2003. Examining archival material and other work from this period, we get a picture
of the circumstances behind this early Phishing and some insight into how and why it began the way it did.
Surprisingly, the participants behind the scenes may be easier to identify than we would
expect, given that no one has been arrested for these early attacks. At that time, however, the nature of the problem
was little known and certainly not well understood, and what now seem rather suspicious associations may have
been completely missed by responders and law enforcement.
The rise of Phishing has seen the “Black Hat” hacker community in recent years transformed from a culture
based largely on youthful exploration to one focused on criminal profit. With that shift markets for “Phishing”
tools, for “Botnets”, for zero day vulnerabilities and compromised credentials have been established to support
this highly organised criminal trade. Spammers, malware writers, hackers and organised crime have come
together as never before. Extensive efforts to facilitate the laundering of the illicit earnings of these crimes have
also been observed with third parties known as “mules” utilised along with the services of various companies,
such as Western Union, which perform international wire transfers. These mules, often unwittingly, act as
agents to forward and launder proceeds of Internet banking fraud using their own accounts. The money is then
drawn out in cash by the mule and then wired overseas.
Considerable anecdotal evidence exists to suggest that transnational organised crime groups are involved in this
"Phishing". Their alleged involvement in these attacks has received extensive coverage in the press, with
headlines like "Dutch Botnet Trio Reportedly Connected To Russian Mob" (Keizer 2005) and "Return of the Web
Mob" (Naraine 2006). The US President's Identity Theft Task Force, set up to combat Phishing and other
identity theft, reported in 2007,
"Law enforcement agencies also have seen increased involvement of foreign organized criminal groups in
computer- or Internet-related identity theft schemes (The President's Identity Theft Task Force 2007)."
Groups from the Russian Federation, Ukraine and Romania were identified by the US Secret Service as being
responsible for a number of the attacks (The President's Identity Theft Task Force 2007). The involvement of
transnational crime groups, particularly those operating out of Eastern Europe, is of concern given their
sophistication and resources. For example, Galeotti (2006) suggests that former members of the Russian
Federal Agency of Governmental Communication and Information (FAPSI), whose role was similar to that of
the US National Security Agency, were recruited by organised crime groups as computer hackers when FAPSI
was disbanded in 2003. Notably, this was around the same time Phishing became a significant problem, the period
to which this case study relates. Galeotti (2005) also suggests that other former USSR states such as Latvia are
being used by Russian gangs to commit phishing attacks. In February 2007, Microsoft's Chief Security Advisor in
the UK, Edward Gibson (a former FBI agent), was quoted by Viruslist.com as saying, "it's not the hacker crackers you
have to worry about, but the Ukrainian mafia" (Kornakov 2007).
Some of the organised crime groups are believed to use legitimate enterprises they are involved in to support
illegal activities. The large Russian organised crime group Tambov is believed to have used the IT division of its
petrol distribution company PTK to commit phishing attacks (Galeotti 2008). Some Russian IT
organisations are also suspected of being purely vehicles for Internet crime, such as the now infamous
Russian Business Network (Zenz 2007).
Russian organised crime first entered the United States in numbers in the 1980s and set up significant bases in
Brighton Beach, New York and in Miami, Florida (Friedman 2000). This case study concerns three businesses
based in Florida.
To date there has been limited research into the individuals and groups behind “Phishing”. To effectively
combat this problem we need to better understand the disposition and motives of these criminals. This paper
aims to be a further step in delivering this important analysis to help government and industry address this
problem.
PHISHING HISTORY
The term Phishing originated in 1996 to refer to the practice of tricking users into giving up their America OnLine (AOL) accounts, which were then used to distribute warez (pirated software) and for other misuse. Originally the attacker
would use instant messaging and purport to be an administrator from AOL, then ask users to
provide their credentials. Later, emails were used in a similar fashion. AOL actively policed the problem and
by 2000 it had all but disappeared (Ramzan 2007).
A NEW TYPE OF PHISHING
Starting in late 2002 a new style of Phishing attack began. The AOL phishers, in the process of taking over AOL
accounts, had also obtained bank credit card details and sometimes used them to pay for
services on the net (Ramzan 2007). Now, taking the concept one step further, the targets would be the banks
themselves.
In 2000, despite the significant growth of Internet banking in a number of countries, Internet banking fraud was
virtually non-existent. It is notable that originally Commonwealth Bank of Australia's NetBank used a fat client
and National Australia Bank's Internet banking used client-side certificates. Both organisations had dropped
these measures by 2003.
While a number of observers have written about this change to Phishing, most indicate it started in the
second half of 2003 or later (Grigg 2005)(Youl 2004)(James 2005)(Harley 2007); this research shows it was
clearly happening in the first six months of 2003. The timeline below by Grigg shows Phishing switching to
online banks at the end of 2003. It should be noted that Grigg mentions two earlier attacks against e-Gold in
his paper, but this author was unable to find any references that support this or any other material to help
understand the style of those early attacks (Grigg 2005).
Figure 1 The Battle of Online Banking (Grigg 2005)
THE VICTIMS
E - GOLD
The first victim of the new style of Phishing was Florida-based E-Gold, not an Internet bank per se. E-Gold, which in
recent years has seen its directors charged with money laundering (Broache 2007), is a global Internet
payment provider that backs each transaction in gold: customers hold their balances in gold rather than
currency. E-Gold is believed to have had organised crime figures as customers prior to the attack, and this may
be part of the reason it became the first victim of this style of phishing attack. Jeffrey Taylor, U.S. Attorney
for the District of Columbia, would later characterise it thus:
"Criminals of every stripe gravitated to E-Gold as a place to move their money with impunity (Department of
Justice 2007)"
On Saturday 28 December 2002, during the quiet Christmas and New Year period, an email purporting to be from E-Gold support was spammed out to a large number of Internet users. It said,
“Dear Valued Customer
- Our new security system will help you to avoid frequently fraud
transactions and to keep your capitals in safety.
- Due to technical update we recommend you to reactivate your account.
Click on the link below to login and begin using
your updated e-gold account.
(Riley 2003)”
An email message like this is now a red flag for Phishing; however, despite the poor grammar, at
the time it was a clever hook to obtain E-Gold credentials from customers. The web server hosting the Phishing
page was in the IP range of 3d Wizards Hosting in Winter Park, Florida, at the address
https://64.46.113.69/login.htm. The HTTPS certificate for that page was for cyberinvestigation.net and was
allegedly issued by ebizhostingsolutions.com (Riley 2003). E-Biz Hosting Solutions used some of the IP space of 3d
Wizards and was also located in Winter Park, Florida. One of the email samples seen by the author appears to
have originated from lsanca1-ar13-4-60-133-139.lsanca1.dsl-verizon.net [4.60.133.139] (Riley
2003), which appears to be a compromised system on Verizon's DSL network in the USA.
COMMONWEALTH BANK OF AUSTRALIA
The next victim was as different an organisation from E-Gold as one could find. The Commonwealth Bank of
Australia (CBA) was formerly a wholly government-owned bank. It is the largest Australian bank, with a
$58.2 billion market capitalisation as of October 2008 (Zappone 2008). The one thing it did share
with E-Gold was its early presence on the Internet and its more advanced functionality for users to transfer their
money. On Monday 17 March 2003 an email was sent out purporting to be from "admins at Commonwealth
Bank". It used much of the same text as the attack on E-Gold and was again hosted on an IP belonging to 3d
Wizards in Winter Park, Florida, at the address http://64.46.113.74/netbank/bankmain.htm. The Head of
Security at CBA was the former head of the Electronic Services Section of the Australian Federal Police
(AFP) and he lost no time in getting the AFP involved in investigating the matter. AFP agents from the Sydney
office were assigned and, in conjunction with NSW Police, started an investigation. The law enforcement
response was to follow the money. When compromised credentials were used, money was transferred to a
Croatian man recruited on a Croatian community website in Tasmania to act as what would later be called a
"money mule". He was arrested by police while picking up the proceeds of one compromised account at a branch but,
as with money mules today, was unable to identify the ultimate beneficiary of the fraud (Colley 2003). At the
same time a concerned member of the public, Kevin Searle, posting under the name Wombat to the
news.admin.net-abuse.email newsgroup, detailed the attack. He had contacted CBA to indicate that the site was
hosted in Florida, and he also alerted Sydney Police and the Florida Computer Crimes Unit. Searle later told his
story to Sam Varghese of the Sydney Morning Herald (Varghese 2003).
Figure 2 CBA email 17 March 2003 (Searle 2003)
ANZ
The Commonwealth Bank incident was publicised in the Australian and International media. Other Australian
banks started to look at their vulnerability to similar attacks. They did not have to wait long. On 10 April 2003
another Phishing email was sent, this time targeting ANZ bank and coming from from “newzs at anzbank.com”.
ANZ Bank (Australia and New Zealand Bank) is Australia’s third largest bank. The samples seen by the author
originated from 0x50a104ef.virnxx9.adsl-dhcp.tele.dk [80.161.4.239] and d141-107-221.home.cgocable.net
(d141-107-221.home.cgocable.net [24.141.107.221], which appear to be compromised systems in Denmark and
the USA. The site was again hosted by 3d Wizards in Florida at the address http://64.46.114.91/ and used
similar text the attacks of CBA and E-Gold. On its ftp port the server at that IP responded as
server2013.ebizhostingsolutions.com. Another good citizen informed ANZ and passed on details of the hosting
company and Adam Kling from E-Biz Hosting Solutions as a contact. ANZ contacted Adam Kling and asked
for the site to be removed, which happened a few days after.
Figure 3 ANZ Phishing Email 10 April 2003 (Scheid 2003)
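The sender hostnames quoted for the E-Gold and ANZ samples carry the sending address inside the ISP's reverse-DNS naming scheme (a hex label in the tele.dk name, dashed decimal in the Verizon and Cogeco names), so a first check on any Received: header is whether the logged name and the bracketed IP corroborate each other. The following is an added example written for this page, not code from the paper or its sources; the Received: lines are constructed for the example, with only the hostname/IP pairs taken from the case study.

```python
import re

# Constructed sample Received: lines. Only the "(hostname [ip])" pairs come
# from the case study; relay names and timestamps are illustrative.
SAMPLE_RECEIVED = [
    "Received: from user (lsanca1-ar13-4-60-133-139.lsanca1.dsl-verizon.net [4.60.133.139])"
    " by mx.example.net; Sat, 28 Dec 2002 11:02:15 +0000",
    "Received: from user (0x50a104ef.virnxx9.adsl-dhcp.tele.dk [80.161.4.239])"
    " by mx.example.net; Thu, 10 Apr 2003 08:11:40 +0000",
    "Received: from user (d141-107-221.home.cgocable.net [24.141.107.221])"
    " by mx.example.net; Thu, 10 Apr 2003 08:12:02 +0000",
    # Constructed mismatch: the name claims one host, the relay saw another.
    "Received: from user (d141-107-221.home.cgocable.net [203.0.113.9])"
    " by mx.example.net; Thu, 10 Apr 2003 08:13:00 +0000",
]

# Matches the "(reverse-dns-name [dotted-quad])" pair a relay records.
_HOST_IP_RE = re.compile(r"\(([^\s()]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def parse_received(line):
    """Return (reverse-DNS name, bracketed IPv4) from a Received: line, or None."""
    m = _HOST_IP_RE.search(line)
    return (m.group(1).lower(), m.group(2)) if m else None


def _contains_run(seq, run):
    """True if `run` occurs as a contiguous sub-sequence of `seq`."""
    n = len(run)
    return any(seq[i:i + n] == run for i in range(len(seq) - n + 1))


def ptr_encoding(ptr_name, ip):
    """Classify how `ptr_name` encodes `ip`, or return None if it does not.

    Schemes handled (all three appear in the case study's samples):
      hex             0x50a104ef        -> 80.161.4.239
      dashed-full     ...-4-60-133-139  -> 4.60.133.139
      dashed-partial  d141-107-221      -> last three octets only
    """
    octets = ip.split(".")
    for label in ptr_name.split("."):
        m = re.fullmatch(r"0x([0-9a-f]{8})", label)
        if m:
            v = int(m.group(1), 16)
            if [str((v >> s) & 0xFF) for s in (24, 16, 8, 0)] == octets:
                return "hex"
        # Digit runs in the label, with leading zeros normalised away.
        runs = [str(int(r)) for r in re.findall(r"\d+", label)]
        if _contains_run(runs, octets):
            return "dashed-full"
        if _contains_run(runs, octets[1:]):
            return "dashed-partial"
    return None


def audit_received(lines):
    """One record per parsable Received: line; an encoding of None flags a
    name/address pair that does not corroborate itself."""
    records = []
    for line in lines:
        parsed = parse_received(line)
        if parsed is None:
            continue
        ptr, ip = parsed
        records.append({"ptr": ptr, "ip": ip, "encoding": ptr_encoding(ptr, ip)})
    return records


if __name__ == "__main__":
    for rec in audit_received(SAMPLE_RECEIVED):
        flag = "ok" if rec["encoding"] else "MISMATCH"
        print(f"{flag:8} {rec['ip']:16} {rec['ptr']}  ({rec['encoding']})")
```

The check is corroborative rather than authoritative: the relay writes the bracketed address itself, so that is the trustworthy half, while the name is whatever the forward/reverse lookup returned at the time. Note also that the dashed-partial scheme only vouches for the last three octets, so a name of that form can never rule out a first-octet substitution.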
BANK OF AMERICA
While other Australian Banks became increasingly concerned about a potential attack the next Phishing incident
moved offshore. On 12 May 2003 a Phishing email was sent out targeting Bank of America. It again used
similar text to the attacks on E-Gold, CBA and ANZ. The site this time was hosted by Verio a large hosting
provider registered in Colorado and Florida at the address http://198.173.235.126/index.htm.
Figure 4 Bank of America Phishing Email 12 May 2003 (Jennings 2003)
WESTPAC
Australia’s fourth-largest bank at this time was Westpac but was the second most popular on-line bank which
had watched the recent events against its competitors Commonwealth Bank and ANZ closely. On 4 July 2003,
US Independence Day they become subject of a Phishing attack. Again the same text was used as the previous
banks and a site on IP space managed by 3d Wizards was involved using a domain belonging to E-Biz Hosting
Solutions at the address http://d308902.website29.ebizdns.com/login.htm. A Westpac graphic was used in the
html version of the email. Westpac reported the matter to the Australian Federal Police who were already
engaged in the earlier ANZ and Commonwealth Bank incidents. Contact was made with E-Biz Hosting
administrators via ICQ who turned out to be in Ukraine and the site was shut down after two days.
Figure 5 Westpac Phishing Email 4 July 2003 (Clapperton 2003)
Date        Victim            Subject                          Phishing Site IP
28-Dec-02   e-Gold            Security Server Update           64.46.113.69
17-Mar-03   CBA               Netbank Security Server Update   64.46.113.74
11-Apr-03   ANZ               Security Server Update           64.46.114.91
12-May-03   Bank Of America   Security Server Update           198.173.235.126
4-Jul-03    Westpac           Security Server Update           64.46.100.64
4-Jul-03    ANZ               Security Server Update           64.46.113.208
Table 1 Selected List of Phishing Attacks 28/12/2002 to 4/7/2003
OTHER PHISHING ATTACKS IN THIS PERIOD
Two other Internet banks suffered Phishing attacks during this period. On 19 May 2003, after the Bank of America
incident, there was an attack on Citibank using a site at http://209.97.63.225/cgi-bin/webforms.pl (Rohrich
2003). Also in May there was an attack on First Union Bank, part of Wachovia Corporation, another large US
bank (Fisher 2003). Only limited details of these attacks are available, so it is unknown whether they are
related to the six Phishing attacks described above.
THE HOSTING COMPANIES
3D WIZARDS
3d Wizards owned the IP space for five of the Phishing sites in this period and was part of DataColo, which
was managed by Carlos Rego. The company was also known as Relio Ltd. It was based in Winter Park, Florida.
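As an added example (not code from the thesis), the following Python script encodes the six incidents from Table 1 and clusters them by shared hosting infrastructure and by lure template, the same kind of overlap the case study uses to tie the sites back to 3d Wizards and E-Biz Hosting Solutions. The netblock prefix boundaries and the brand-token list are assumptions; the owners are those the text names.

```python
"""Cluster the Table 1 phishing incidents by shared hosting and lure.

Added example for this case study, not code from the thesis. The six
records are transcribed from Table 1; the netblock-to-owner table is an
assumption about prefix boundaries that matches the attribution in the
text (five sites in 3d Wizards/DataColo space, one at Verio).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Incident:
    when: date
    victim: str
    subject: str
    site_ip: str


# Transcribed from Table 1 (28 Dec 2002 to 4 Jul 2003).
INCIDENTS = [
    Incident(date(2002, 12, 28), "e-Gold", "Security Server Update", "64.46.113.69"),
    Incident(date(2003, 3, 17), "CBA", "Netbank Security Server Update", "64.46.113.74"),
    Incident(date(2003, 4, 11), "ANZ", "Security Server Update", "64.46.114.91"),
    Incident(date(2003, 5, 12), "Bank Of America", "Security Server Update", "198.173.235.126"),
    Incident(date(2003, 7, 4), "Westpac", "Security Server Update", "64.46.100.64"),
    Incident(date(2003, 7, 4), "ANZ", "Security Server Update", "64.46.113.208"),
]

# Assumed prefix boundaries; the owners are those the case study names.
NETBLOCK_OWNERS = {
    ip_network("64.46.0.0/16"): "3d Wizards (DataColo)",
    ip_network("198.173.0.0/16"): "Verio",
}

# Assumed brand/product tokens to strip so lure templates compare equal.
BRAND_TOKENS = {"netbank", "anz", "westpac", "e-gold", "egold", "cba"}

INFRA_RELATIONS = {"same IP", "same /24", "same netblock owner"}
LURE_RELATIONS = {"same lure template"}


def owner_of(ip: str) -> str:
    """Map a phishing site IP to its netblock owner, or 'unknown'."""
    addr = ip_address(ip)
    for net, owner in NETBLOCK_OWNERS.items():
        if addr in net:
            return owner
    return "unknown"


def lure_template(subject: str) -> str:
    """Normalise a subject line by lower-casing and dropping brand tokens."""
    return " ".join(w for w in subject.lower().split() if w not in BRAND_TOKENS)


def links(a: Incident, b: Incident) -> list[str]:
    """Return the strongest infrastructure relation plus any lure match."""
    reasons = []
    ia, ib = ip_address(a.site_ip), ip_address(b.site_ip)
    if ia == ib:
        reasons.append("same IP")
    elif ip_network(f"{ia}/24", strict=False) == ip_network(f"{ib}/24", strict=False):
        reasons.append("same /24")
    elif owner_of(a.site_ip) == owner_of(b.site_ip) != "unknown":
        reasons.append("same netblock owner")
    if lure_template(a.subject) == lure_template(b.subject):
        reasons.append("same lure template")
    return reasons


def cluster(incidents: list[Incident], relations: set[str]) -> list[list[str]]:
    """Union-find over incident pairs joined by any of the given relations.

    Returns groups of "YYYY-MM-DD victim" labels, largest group first.
    """
    parent = list(range(len(incidents)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i in range(len(incidents)):
        for j in range(i + 1, len(incidents)):
            if relations & set(links(incidents[i], incidents[j])):
                parent[find(i)] = find(j)

    groups: dict[int, list[str]] = defaultdict(list)
    for i, inc in enumerate(incidents):
        groups[find(i)].append(f"{inc.when.isoformat()} {inc.victim}")
    return sorted(groups.values(), key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for name, rels in (("infrastructure", INFRA_RELATIONS), ("lure", LURE_RELATIONS)):
        print(f"clusters by {name}:")
        for group in cluster(INCIDENTS, rels):
            print("  ", ", ".join(group))
```

Clustering by infrastructure separates the Bank of America site at Verio from the five in 3d Wizards space, while clustering by lure template joins all six, which is why the shared email text alone is weaker evidence than the shared hosting.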
DATACOLO
DataColo owned the larger block in which the 3d Wizards block resided and was similarly managed by Carlos
Rego. It was also based in Winter Park, Florida.
E-BIZ HOSTING SOLUTIONS
E-Biz Hosting Solutions is also based in Winter Park, Florida. It uses 3d Wizards’ IP space, was the owner of
the domain used in the Westpac and both ANZ sites, and appeared to have issued the HTTPS certificate for the
e-Gold web site. It may well have used the other IPs associated with the attacks that were part of 3d Wizards’
hosting space, but this cannot be confirmed. Adam Kling is listed in various documents as the President, while
the Vice-President is listed as Maxim Unger from Odessa, Ukraine. Alex Mosh, also from Odessa, Ukraine, is
mentioned as CTO and employee in a number of newsgroup postings and is described in more detail below. A
number of other Ukrainians or expatriate Ukrainians also appear to be associated with E-Biz Hosting Solutions in
admin and sales roles according to Internet posts, including Tim Rogovets, Constantin Pogorelov and Kate
Foteva.
Figure 6 Florida Department of Commerce Filing for E-Biz Hosting Solutions
(http://www.sunbiz.org)
THE INDIVIDUALS
ADAM KLING
Adam Daniel Kling is listed as the President of E-Biz Hosting Solutions. On a number of the incidents, 3d
Wizards administrators and other upstream providers gave his name and contact number to responders, and he
was contacted to shut both ANZ Phishing sites down. He appears to be a resident of Florida. How he came
to be working with Maxim Unger, Alex Mozhey (see below) and a number of others from Ukraine is
unknown.
ALEX MOZHEY, ALEX BLOOD, ALEX MOSH, ALEX POLYAKOV
Listed in a number of Internet news postings as an employee and CTO of E-Biz Hosting Solutions is Alex
Mosh. Alex Mosh is listed on the Spamhaus Register of Known Spam Operations (ROKSO) top ten list of
spammers, currently No. 3 as of 6 October 2008 (http://www.spamhaus.org/statistics/spammers.lasso). In 2007
he was listed No. 1. He has a number of aliases, including Alex Blood and Alex Polyakov. Alex Polyakov is the
name of a Russian spy character in John le Carré’s novel Tinker, Tailor, Soldier, Spy, which may explain its use.
Alex Mosh used an ICQ address when working for E-Biz Hosting Solutions which is now used by an Alex
Mozhey, who states in his LinkedIn profile that he indeed worked for E-Biz Hosting Solutions as CTO. In his
profile Mozhey also lists being CTO of Pilot Hosting, which is also associated with Alex Mosh and is listed
frequently by ROKSO in connection with spamming. Mozhey and Mosh are likely to be the same person.
Figure 7 Alexander Mozhey’s Linked-in profile (http://www.linkedin.com)
Mosh’s ROKSO record also connects him with money laundering and money mules, now acknowledged as a key
part of Phishing. The record lists the website Verimeraustralia.com, used in 2005 for recruiting money mules in
Australia, which is connected with the entities and pseudonyms used by Alex Mosh.
Figure 8 Alex Polyakov Internet Operation (http://spamtrackers.eu/wiki/index.php?title=Alex_Polyakov)
Mozhey in his LinkedIn profile lists amongst his skills, “Good knowledge of Payment/Billing Systems, CC
(credit card) processing, Merchant Gateways”. He also indicates past experience in “Abuse management”.
Both the names Alex Mozhey and Alex Mosh are also connected with the nickname Deir, which uses the same ICQ
address and in some places Mozhey’s actual name. Deir is a member of a Parallels forum. Below, Deir signs
himself as Alex Mosh, CTO, Ebiz Hosting Solutions LLC in that forum.
Figure 9 Posting by Alex Mosh to Parallels Forum (http://forums.modernbill.com/member.php?u=757)
CARLOS REGO
Carlos Rego was the CEO of 3d Wizards Hosting and DataColo and in 2003 lived in Florida. He has a blog and
uses the handle nullmind. Amongst his postings he refers to the day in September 2003 when the FBI came to
the DataColo office, apparently in connection with the aforementioned Phishing incidents.
“Today the FBI came by the office to pickup some logs on a scammer that was hosting with us, after taking his
site down we kept all the info and logs on him .. I hope they catch the sucker. Basically the user had a fake egold site, he would send emails out to people saying they need to verify their e-gold accounts, people then
would go to HIS site and enter their details and pin numbers :p ouch ..
Null (http://nullmind.com/2003/09/)”
Rego only mentions E-Gold, but it is believed this FBI visit was also a result of an international mutual
assistance application from the AFP on behalf of the Australian banks impacted by these early Phishing attacks.
According to Carlos’s LinkedIn profile and Internet news items, since leaving DataColo he has worked for
Comodo, Positive Software and the successful virtualisation software maker Parallels. All these organisations
seem to have strong links to Russia and/or Ukraine. For instance, Parallels CEO Serguei Beloussov studied for
his Ph.D. in Computer Science at the Moscow Institute of Physics and Technology, and the company has
development centres in Russia and Ukraine. There is nothing suspicious in this, but clearly Rego has a large
degree of contact with Ukrainians and Russians in his business life.
Again, it is not known how Rego, who was born in Portugal and now lives in the United Kingdom, came to be
working with these individuals from Eastern Europe.
Figure 10 Relationships with Internet Bank Phishing Attacks Late 2002 to July 2003
WHAT HAPPENED AFTER JULY 2003?
Detailed figures on Phishing attacks were only collected from towards the end of 2003. Judging from press reports
and the documented histories of Phishing attacks, they did increase in number from August to the end of 2003,
with more brands being targeted, including numerous UK and US Internet banks. The earliest statistics from
the Anti-Phishing Working Group (APWG) show 21 phishing incidents in the month of November 2003
(APWG 2004). The phishing sites at this time were primarily located at large web hosting providers whose
systems were apparently compromised and used to set up the sites. This method continued for some years, still
being the main method observed during the examination of phishing attacks in July 2006 on one Australian
financial institution (McCombie 2008). The number of attacks increased into 2004 and has continued to
increase to date; see below for the most recent figures.
Figure 11 Unique Phishing Attack Trend Nov 2003 to Jan 2003 (APWG 2004)
HOW IS PHISHING DIFFERENT IN 2008?
Today many aspects of Phishing have changed. Phishing sites are now almost always found on botnets. While
botnets certainly existed in 2003, they were far less common. Their use provides greater redundancy and is also
more resilient to take-down requests by the victim banks and their service providers. There is also greater use
of password-stealing malware (now described as crimeware) to compromise users of Internet banks, which
is again delivered using botnets. Since 2004 the significance of crimeware has grown. For the month of March
2008, APWG reported 356 new unique password-stealing malicious code applications (APWG 2008).
The ability of Phishing sites to dupe unwitting users has reduced over time as user education and the sheer
volume of Phishing emails made knowledge of Phishing mainstream. However, the attacks continue, as they rely
on only a small rate of success. In 2006 APACS, the UK payments association working on behalf of the banking
industry, commissioned the research agency Canvasse Opinion from Experian to poll a representative sample of
1,835 adults aged 18 and over who have access to the Internet across the United Kingdom. Their results were,
“If we extrapolate for the 15.7 million people (in the UK) who regularly use the Internet to access their current,
savings and credit card accounts as:
- 3.8% (an estimated half a million people) said they would still respond to an unsolicited email asking them to
follow a link and re-enter personal security details, supposedly from their bank, unwittingly giving fraudsters
access to their account (this is slightly down from 4% in 2004).”
Despite the fact that at the time of this survey Phishing had been widely known for 3 years, a return of 3.8%
shows why Phishing sites still appear; in fact, APWG reported over 25,000 unique Phishing attacks targeting
139 different brands in February 2008 alone (APWG 2008).
WHAT CAN WE LEARN FROM THIS CASE STUDY
While not conclusive, this case study shows there is some evidence to support the thesis that East European
groups involved in spamming branched into Phishing and other online crime in 2003. Further research into the
involvement of East European IT companies in on-line crime is needed. The trend in traditional Eastern
European organised crime, and indeed other transnational organised crime, to move illegal profits into legitimate
enterprises may well have extended to the cybercrime area, but further work is needed to confirm this.
Regardless, there is clearly an availability of IT skills within Eastern Europe to support both legal and illegal IT
businesses, and the challenge for those countries and the broader European community is to ensure organised
cybercrime groups do not get a foothold in legitimate industries.
Why did Australian banks figure so significantly in these attacks? One likely reason is that Australian Internet
banks had much greater functionality for payments than those in the US and most of the rest of the world at that
time. Westpac, for instance, actually allowed Overseas Telegraphic Transfers (OTTs) to overseas banks direct
from its Internet banking in 2003. This allowed phishers to move money straight from compromised
accounts to banks in Eastern Europe. So Australian Internet banks were indeed world leading, but in ways that
were not intended.
CONCLUSION
Further work is required to better understand these early attacks, but we hope this will start further research in
this area. The author would have liked to interview more individuals involved, but many were either
unreachable or unable to comment on the events, so this case study has been developed looking mostly at news
reports and archival material available on the Internet from a number of sources and at the author’s personal
knowledge of events. While this approach has its shortcomings, it was felt this case study was worth relating
even on this limited information. We hope in future research to conduct further interviews with those involved
and obtain more archival data on the organisations involved for a more in-depth analysis of these events.
REFERENCES
APACS (2008) APACS announces latest fraud figures. Retrieved 20 March 2007 from
http://www.apacs.org.uk/APACSannounceslatestfraudfigures.htm
APWG (2004) Phishing Attack Trends Report January, 2004. Retrieved 9 October 2008 from
http://www.antiphishing.org/reports/APWG.Phishing.Attack.Report.Jan2004.pdf
APWG (2008) Phishing Activity Trends Report Q1/2008. Retrieved 9 October 2008 from
http://www.antiphishing.org/reports/apwg_report_Q1_2008.pdf
Broache, A. (2007) E-Gold charged with money. Retrieved 9 October 2008 from
http://news.cnet.com/2100-1017_3-6180302.html
Clapperton, D. (2003) [Oz-ISP] Westpac online banking scam in progress. Retrieved 15
October 2008 from http://archive.humbug.org.au/aussieisp/1057285342.54415.28.camel%40inferno
Colley, A. (2003) NetBank suspect nabbed in Sydney. ZDnet Australia. Retrieved 9 October
2008 from http://m.zdnet.com.au/120273072.htm
Department of Justice (2007) Digital Currency Business E-Gold Indicted For Money
Laundering And Illegal Money Transmitting. DOJ press release. Retrieved 9 October
2008 from http://www.usdoj.gov/criminal/cybercrime/egoldIndict.htm
Fisher, D. (2003) First Union Hoax on the Loose. Retrieved 15 October 2008 from
http://www.eweek.com/c/a/Messaging-and-Collaboration/First-Union-Hoax-on-theLoose/
Friedman, R. (2000) Red Mafiya: How the Russian Mob has invaded America, New York.
Penguin Putnam
Gartner (2007) Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3
Billion Lost to These Attacks. Retrieved 9 October 2008 from
http://www.gartner.com/it/page.jsp?id=565125
Galeotti, M. (2005). Russian mafiya become more active in Eastern Europe. Jane's
Intelligence Review - June 01, 2005
Galeotti, M. (2006). The Criminalisation of Russian State Security. Global Crime Volume 7
(Number 3-4): August-November 2006.
Galeotti, M. (2008) Interview with the Author.
Grigg, I. (2005) GP4.3 - Growth and Fraud - Case #3 – Phishing. Retrieved 9 October
2008 from http://www.financialcryptography.com/mt/archives/000609.html
Harley, D. (2007) A Pretty Kettle of Phish. Retrieved 9 October 2008 from
http://www.eset.com/download/whitepapers/Phishing(June2007)Online.pdf
James, L. (2005). Phishing Exposed, Rockland MA Syngress Publishing.
Jennings, I. (2003) [fraud?] Security Server Update. Retrieved 15 October 2008 from
http://groups.google.com.au/group/news.admin.netabuse.sightings/browse_thread/thread/b2cbf3154a916d14/41aabb11fdcc8067?hl=en
Keizer, G. (2005). Dutch Botnet Trio Reportedly Connected To Russian Mob. Retrieved 24
January 2007 from
http://www.techweb.com/article/showArticle.jhtml?articleId=173600331&pgno=1
Kornakov (2007) Gibson offers sneak peek into his world. Retrieved 2 March 2007 from
http://www.cambridge-news.co.uk/business/news/2007/02/06/ca10f0fb-fa50-4e49b8d4-51b8c359075a.lpf
Litan, A. (2005). Increased Phishing and Online Attacks Cause Dip in Consumer Confidence.
Gartner Research. Gartner.
McCombie, S., Watters, P.A., Ng, A. & Watson, B. (2008) Forensic Characteristics Of
Phishing – Petty Theft or Organized Crime?, Proceedings of the 4th International
Conference on Web Information Systems and Technologies (WEBIST), Madeira,
Portugal.
Naraine, R. (2006) Return of the Web Mob. Retrieved 20 March 2007 from
http://www.eweek.com/article2/0,1895,1947561,00.asp
Ramzan, Z. (2007) A Brief History of Phishing: Part I. Retrieved 9 October 2008 from
https://forums.symantec.com/syment/blog/article?message.uid=306505
Rohrich, R. (2003) CRIME Fwd: Your account is On Hold. Retrieved 15 October 2008 from
http://lists.jammed.com/crime/2003/05/0044.html
Riley, D. (2003) Security Server Update. Retrieved 15 October 2008 from
http://groups.google.com/group/news.admin.netabuse.sightings/browse_thread/thread/c3c46036499f48f7/95565cf69675334d?hl=en
Searle, K. (2003) Netbank Security Server Update (Commonwealth Bank scam Australia)
host in FL. Retrieved 15 October 2008 from
http://groups.google.com/group/news.admin.netabuse.email/msg/11f128a770befb15?hl=en
Scheid, E. (2003) FW: Security Server Update. Retrieved 15 October 2008 from
http://mailman.anu.edu.au/pipermail/link/2003-April/049438.html
Schultz, E. (2003) Email hoaxes continue to deceive users. In Computers & Security, Volume
22, Issue 5, July 2003, Pages 368-377
The Presidents Identity Theft Task Force. (2007) Combating Identity Theft: A Strategic Plan.
Retrieved 10 May 2007 from: http://www.idtheft.gov/reports/StrategicPlan.pdf.
Varghese, S. (2003) NetBank scam: why didn't Commonwealth Bank do the obvious? Sydney
Morning Herald. Retrieved 9 October 2008 from:
http://www.smh.com.au/articles/2003/03/19/1047749811735.html
Youl, T. (2004) Phishing Scams: Understanding the latest trends. Retrieved 9 October
2008 from http://www.fraudwatchinternational.com/pdf/report.pdf
Zenz, K. (2007) Uncovering Online Fraud Rings: The Russian Business Network. Retrieved
9 October 2008 from http://labs.idefense.com/intelligence/researchpapers.php
COPYRIGHT
Stephen McCombie © 2008. The author/s assign Edith Cowan University a non-exclusive
license to use this document for personal use provided that the article is used in full and this
copyright statement is reproduced. Such documents may be published on the World Wide
Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. The author
also grants a non-exclusive license to ECU to publish this document in full in the Conference
Proceedings. Any other usage is prohibited without the express permission of the author.
Edith Cowan University
Research Online
Australian Digital Forensics Conference
Security Research Centre Conferences
3-12-2009
Cybercrime Attribution: An Eastern European Case Study
Stephen McCombie, Macquarie University
Josef Pieprzyk, Macquarie University
Paul Watters, University of Ballarat
Originally published in the Proceedings of the 7th Australian Digital Forensics Conference, Edith
Cowan University, Perth Western Australia, December 3rd 2009.
Recommended Citation
McCombie, Stephen; Pieprzyk, Josef; and Watters, Paul, "Cybercrime Attribution: An Eastern European Case Study" (2009).
Australian Digital Forensics Conference. Paper 66.
http://ro.ecu.edu.au/adf/66
This Article is brought to you by the Security Research Centre Conferences at Research Online. It has been accepted for inclusion in Australian Digital
Forensics Conference by an authorized administrator of Research Online.
Proceedings of the 7th Australian Digital Forensics Conference
Cybercrime Attribution: An Eastern European Case Study
Stephen McCombie (1), Josef Pieprzyk (2), Paul Watters (3)
(1, 2) Macquarie University
(3) University of Ballarat
Abstract
Phishing and related cybercrime is responsible for billions of dollars in losses annually. Gartner reported more than 5
million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008 (Gartner 2009). This
paper asks whether the majority of organised phishing and related cybercrime originates in Eastern Europe rather than
elsewhere, such as China or the USA. The Russian “Mafiya” in particular has been popularised by the media and
entertainment industries to the point where it can be hard to separate fact from fiction, but we have endeavoured to look
critically at the information available on this area to produce a survey. We take a particular focus on cybercrime from
an Australian perspective, as Australia was one of the first places where Phishing attacks against Internet banks were
seen. It is suspected these attacks came from Ukrainian spammers. The survey is built from case studies, both those
where individuals from Eastern Europe have been charged with related crimes and unsolved cases where there is some
nexus to Eastern Europe. It also uses some earlier work looking at those early Phishing attacks, archival analysis of
Phishing attacks in July 2006 and new work looking at the correlation between the Corruption Perception Index, Internet
penetration and tertiary education in Russia and the Ukraine. The value of this work is to inform and educate those
charged with responding to cybercrime about where a large part of the problem originates and to try to understand why.
Keywords
Cybercrime. Phishing. Eastern European Organised Crime.
INTRODUCTION
Phishing and related cybercrime is responsible for annual losses of billions of US dollars. Gartner reported more than 5
million U.S. consumers lost money to phishing attacks in the 12 months ending in September 2008. They have estimated
that the losses in the US alone were over USD$7.5 billion between September 2005 and September 2008 (Gartner 2009).
While the claim by a US Treasury official that global cybercrime is more lucrative than illegal drugs, and was estimated
at USD$105 billion in 2004, is rather difficult to assess (Reuters 2005), there is clearly a large and successful
criminal industry online. The United States Government’s October 2007 International Organized Crime Threat
Assessment (US Department of Justice 2008) says, “International organized criminals use cyberspace to target U.S.
victims and infrastructure, jeopardizing the security of personal information, the stability of business and government
infrastructures, and the security and solvency of financial investment markets.”
This paper looks at the part that individuals and groups based out of Eastern Europe play in this, whether the majority
of organised phishing and related cybercrime indeed originates in Eastern Europe rather than elsewhere, and why. With
the end of communism, Eastern Europe has seen massive changes, and with the resulting power vacuum in many
countries organised crime has gained prominence. The Russian Mafiya in particular has been popularised by the media
and entertainment industries to the point where it can be hard to separate fact from fiction. While hard data is limited on
this phenomenon, there is considerable anecdotal evidence to suggest that transnational organised crime groups from
Eastern Europe are significantly involved in Phishing and related cybercrime. Their alleged involvement in these attacks
has received extensive coverage in the press, with headlines like “Dutch Botnet Trio Reportedly Connected To Russian
Mob” (Keizer 2005) and “Return of the Web Mob” (Naraine 2006). However, a leading security researcher and vendor,
Eugene Kaspersky (from Russia himself), charged that the view of the Russian Mafiya and Russians more generally being
behind cybercrime was a “myth” (Sturgeon 2006) and that most attacks came from China and the US. While the authors
agree there is a degree of mythology around the issue, there is some solid information pointing to the significant role
Eastern Europeans, particularly Russians and Ukrainians, play in the cybercrime world. This paper consists of a survey
of the information available on this area, built from case studies where there is some nexus to Eastern Europe, including
the first phishing attacks on Internet banks in 2003 (McCombie 2008). We also look at other indicators,
including the identity of leading spammers, who are a key part of the cybercrime business, and other information such as
the views of law enforcement, which also seem to support this thesis. We then re-examine some archival data on 77
phishing attacks on one Australian institution in July 2006 used in work published in 2008 (McCombie 2008). Lastly we
examine the correlation of a low corruption perception index, high Internet penetration, high tertiary education levels and
Eastern European cybercrime. In this work we take a particular focus on cybercrime from an Australian perspective, and
a lot of our data relates to the Australian experience. While this is convenient for Australia-based researchers, it is also
relevant because Australia was one of the first places where Phishing attacks against Internet banks were seen.
These attacks, as we will discuss, were suspected to have originated not as a home-grown problem but from a known
spammer in the Ukraine. To date there has been little research into the individuals and groups behind Phishing and
related cybercrime. To effectively combat this problem we need to understand the disposition and nature of these
criminals. This paper aims to be one step in delivering this important analysis to help government and industry address
this problem.
A SURVEY OF EASTERN EUROPEAN ORGANISED CRIME & CYBERCRIME
A SHORT HISTORY OF EASTERN EUROPEAN ORGANISED CRIME
While this paper is focused on cybercrime, Eastern European crime is a much broader and more complex topic.
However, any examination of Eastern European cybercrime would be incomplete without some background on this
broader issue. The Hollywood image of the ruthless Russian mafiya man who, unlike the Italian Mafiosi, is happy to kill
not just opponents but their family members too is truly fiction, but one retold so often it is almost treated as fact (Serio
2008). However, there is a long history of organised crime in Russia and Eastern Europe. In the times of the Tsar, well
before the October Revolution of 1917, organised crime groups stole horses and moved them all over the then Russian
empire for sale. After the revolution these early groups, while imprisoned, sought to differentiate themselves from the
political prisoners, whose numbers during Bolshevik rule grew substantially. By the 1930s this Russian criminal class
was known as the Vory v Zakone (“Thieves in Law”) and is well documented (Varese 2001). They flourished under the
often corrupt Communist system, where bribery and the black market were key elements of society. With the end of
communism and the privatisation of government enterprises, these traditional crime gangs, along with groups of Afghan
war veterans and some former state security agents, became what is now collectively known as the Russian Mafiya.
According to the Ministry of Internal Affairs of the Russian Federation, between 1990 and 2001 the number of organised
groups and criminal societies (criminal organisations) increased almost 16-fold, from 785 to approximately 12,500
(Abramova 2007). These new groups used force where the lack of the rule of law made this an important business
tool. They also provided real protection to new business entities where law enforcement was either corrupt or simply
disinterested. In fact many of the leading gangs, such as Tambov in St Petersburg, became legitimate security
providers to business (Volkov 2002). By 2005, a Council of Europe Organised Crime Situation Report (2005) estimated
that there were 300–400 really important criminal groups within the Russian Federation, with 15 of them
operating significant criminal network structures (Ridley 2007).
THE CRIMINALISATION OF RUSSIAN STATE SECURITY
A feature of Eastern European organised crime is the criminalisation of the state security apparatus as the influence of
these groups has grown. This has occurred partly by convenience, and because many former state security agents actually
joined the Mafiya themselves, some while keeping their day jobs. Tambov, mentioned above, is known to have close links
with Prime Minister Vladimir Putin’s security detail (Volkov 2002). Mark Galeotti (Galeotti 2006) suggests that former
members of the Russian Federal Agency of Governmental Communication and Information (FAPSI) - whose role was
similar to that of the US National Security Agency - were recruited by organised crime groups as computer hackers when
FAPSI was disbanded in 2003. Notably, this was around the same time phishing became a significant problem. Interviews
conducted by iDefense indicated that Russian and other Eastern European police had little interest in pursuing
cybercriminals who commit no crimes at home (Zenz 2007). In 2000, the FBI lured two Russian hackers (who had tried
to blackmail Michael Bloomberg) to Seattle with job offers, then arrested them. Agents involved in the case later
downloaded data from the duo’s computers, located in Chelyabinsk, Russia, over the Web. Rather than assist the
investigation, two years after that Russia filed charges against the FBI agents for hacking, alleging the downloads were
illegal (Grow 2005). The 2007 arrest of Vladimir Earsukov, aka Vladimir Kumarin, of the Tambov crime family, was
handled by top-level FSB officials due to concerns about local police collusion with organised crime in St Petersburg
(Overseas Security Advisory Council 2009). A high-ranking member of the Ukrainian Ministry of Internal Affairs noted
that although the number of Ukrainian organised crime groups had steadily decreased, the remaining groups were
difficult to eradicate because of their strong connections with state officials (Finckenauer and Schrock 2004).
MODERN TRADITIONAL RUSSIAN SPEAKING ORGANISED CRIME
Russian organised crime is more correctly Russian-speaking organised crime. Gangs exist outside the Russian
Federation in other former Soviet Union countries such as Ukraine, Latvia and Moldova, where many ethnic Russians
live. With its relatively large ethnic Russian population, Latvia’s underworld is dominated by gangs rooted in this ethnic
Russian community, typically linked with larger gangs in Moscow and St Petersburg. Latvia is reported to be an
increasingly important location for computer-based criminal activities, including phishing attacks (Galeotti 2005). In
Russia one of the most prominent gangs is led by Sergei Mikhailov. The Moscow-based Mikhailov’s Solntsevskaya
Organization owns banks, casinos, car dealerships and even an airport. Solntsevskaya is believed to be behind many
cyber-related online crime activities (Nomad 2005). In St Petersburg the Tambov, Kazan and Malyshev crime families
are the three major criminal organisations. Organised criminal activity in St Petersburg extends into business, banking,
public services, natural resources, and even art and culture. Virtually all businesses in St Petersburg have a “roof”
(protection scheme) provided by organised crime (Overseas Security Advisory Council 2009). Some of the organised
crime groups are believed to use legitimate enterprises they are involved in to support illegal activities. Tambov is
believed to have used the IT division of its petrol distribution company PTK to commit phishing attacks (Galeotti 2008).
PTK itself is a massive enterprise and was awarded its contract to supply St Petersburg when the current Prime Minister
Vladimir Putin was Deputy Mayor of the city government; such is the high-level influence of Tambov (Belton 2003).
Figure 1 shows the structure of Russian organised crime groups as described by Vadim Volkov (Volkov 2002). This is
probably more a stylised view than the strict reality, as these Russian-speaking organised crime groups are often known
for their lack of hierarchical structure and their ability to mould to the task required. That said, it is interesting to note
the technical sub-divisions within the structure, one for weapons and the other for communications, cars etc. Such a
sub-division could well include the former FAPSI hackers mentioned by Galeotti (Galeotti 2006). The involvement of
these groups has been recognised by numerous governments; the US President’s Identity Theft Task Force, set up to
combat phishing and other identity theft, reported in 2007 (The Presidents Identity Theft Task Force 2007),
“Law enforcement agencies … have seen increased involvement of foreign organized criminal groups in computer- or
Internet-related identity theft schemes.”
Figure 1. Structure of the (Russian) Organized Criminal Group (Volkov 2002).
Groups from the Russian Federation, the Ukraine and Romania were identified by the US Secret Service as being
responsible for a number of the attacks (The Presidents Identity Theft Task Force 2007). In February 2007, Microsoft's
Chief Security Advisor in the UK, Edward Gibson (a former FBI Agent), warned “it’s not the hacker crackers you have
to worry about, but the Ukrainian mafia” (Kornakov 2007).
INTERNET CYBERCRIME
We now look more specifically at Internet cybercrime and Eastern Europe. In September 2009 Neil Gaughan, the head of
the Australian High Tech Crime Centre (AHTCC), told a parliamentary inquiry that the majority of cybercrime in
Australia is driven by organised crime gangs in Russia. Nigel Phair, a team leader from the AHTCC, wrote in his book
(Phair 2007):
“A significant amount of internet-enabled crime including Phishing and denial of service attacks … is perpetrated from
within the states which comprise the former Soviet Union.” These views are well founded, as can be seen from the
following case studies.
43 | P a g e
76
Proceedings of the 7th Australian Digital Forensics Conference
Spam Kings
Since the expansion in usage of e-mail into the mainstream, spam or unsolicited email has been a problem. In June 2009,
according to MessageLabs the global ratio of spam in email traffic was 90.4%, or 1 in 1.1 emails (Messagelabs 2009). In
phishing the sending of spam is essential, both to compromise bank customers and to recruit Internet money mules to
launder the money obtained. While claims that most spam comes from the US and China are true (Sturgeon 2006), the
groups behind that spam are not necessarily in those countries. Spamhaus produces the Register of Known Spam
Operations (ROKSO), a database that collates information and evidence on known professional spam operations that
have been terminated by a minimum of three Internet Service Providers for spam offences, and from it ranks the top ten
spamming operations. Looking at this top ten (Table 1) we see three entries for the Russian Federation, two for the
Ukraine and one for Estonia. Notably, Russia and the Ukraine are the only countries with more than one entry (The
Spamhaus Project 2009).
Table 1. ROKSO list of top ten spamming operations (21 July 2009) (The Spamhaus Project 2009)
Internet Money Mules
‘Internet money mules’ are those who, either knowingly or unknowingly, launder money obtained from Internet fraud
and are a key part of phishing and related cybercrime. While the criminals who steal credentials can easily access Internet
banks and perform transactions from the other side of the world, they cannot necessarily get the money into their own
hands so easily. They advertise for Internet money mules through spam email, instant messaging and both fraudulent
and legitimate employment websites. The advertisements claim to be legitimate employment opportunities, with mules
receiving between 7% and 10% of the funds transferred via their accounts as a commission. The cybercriminal transfers
money from a compromised bank account into the mule's account. The mule, simply doing what their ‘job’ requires,
transfers the fraudulently obtained funds, minus their fee, via a financial transfer service such as Western Union to an
overseas address (Aston 2009). Data collected by the Australian Federal Police indicate that over 50% of these
transactions relate to the former Soviet Union, with Russia the largest single recipient country (Martin 2007). Australian
police have had some success in arresting Internet money mules who were aware of the illegal nature of the transactions.
One of the largest investigations occurred in 2005 and involved NSW and Federal Police (Walker 2006). In that case the
recruitment method involved a company called World Transfers Incorporated. iDefense investigated this case in their
profile of Internet money mules (iDefense 2006). WHOIS data for the former World Transfers Inc. domain provides a
clue as to the operation's source. Contact information for http://www.world-transfers.biz follows:
Domain Name: WORLD-TRANSFERS.BIZ
Billing Contact Name: Alex Polyakov
Billing Contact Organization: Pilot Holding LLC
The Ukrainian Polyakov is, as stated earlier, one of the Spamhaus top ten and allegedly the man behind the first attacks on
Internet banks in Australia (see below). This phenomenon is not just an Australian problem. In 2004 in the United
Kingdom Detective Superintendent Mick Deats, Deputy Head of the National High Tech Crime Unit, said: "Organised
Crime is targeting Internet users, and specifically Russian-speakers, in the UK to launder money stolen from online bank
accounts where people have been duped into handing over their account details. We believe … (they have in this
particular case) sent hundreds of thousands of pounds back to Russia … This is a sophisticated operation involving false
identities…(Parsons 2004)”
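The forwarding pattern described above (an inbound transfer from a compromised account, then an outbound overseas remittance of the same sum less a 7% to 10% commission, usually within a short time) lends itself to a simple correlation rule over account activity. The Python script below is an added illustration written for this edit; it is not code from the thesis, the Australian Federal Police or any bank. The ledger rows are constructed, and the three-day forwarding window and the treatment of the commission as a fixed 7% to 10% band are assumptions made for the example.

```python
"""Flag the money-mule forwarding pattern in an account ledger: an inbound
domestic transfer followed within a short window by an outbound overseas
remittance of the same sum minus a 7-10% 'commission'."""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "AU"
FEE_MIN, FEE_MAX = 0.07, 0.10   # commission range reported in the text
FORWARD_WINDOW_DAYS = 3         # assumed for this example; the text gives no figure

# Constructed ledger: (account, timestamp, direction, amount, channel, country).
# Account numbers, amounts and times are invented for illustration.
SAMPLE_LEDGER = [
    ("AU-1001", "2006-07-18 09:30", "in",  4800.00, "domestic_transfer", "AU"),
    ("AU-1001", "2006-07-18 14:05", "out", 4368.00, "remittance",        "RU"),  # 9% kept
    ("AU-1002", "2006-07-19 11:20", "in",  3200.00, "domestic_transfer", "AU"),
    ("AU-1002", "2006-07-20 10:02", "out", 2880.00, "remittance",        "UA"),  # 10% kept
    ("AU-2001", "2006-07-17 08:00", "in",  5200.00, "domestic_transfer", "AU"),  # salary
    ("AU-2001", "2006-07-18 09:15", "out", 1500.00, "domestic_transfer", "AU"),  # rent
    ("AU-2002", "2006-07-18 16:40", "in",  2000.00, "domestic_transfer", "AU"),
    ("AU-2002", "2006-07-30 12:00", "out", 1850.00, "remittance",        "GB"),  # 12 days later
]


def parse_ledger(rows):
    """Turn ledger tuples into dicts with a real datetime for the timestamp."""
    return [
        {"account": acct, "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
         "direction": direction, "amount": amount, "channel": channel, "country": country}
        for acct, ts, direction, amount, channel, country in rows
    ]


def detect_mule_patterns(rows, window_days=FORWARD_WINDOW_DAYS, home=HOME_COUNTRY):
    """Return one alert per (inbound transfer, outbound remittance) pair where the
    remittance leaves the home country within the window and retains 7-10% of the sum."""
    window = timedelta(days=window_days)
    by_account = defaultdict(list)
    for txn in parse_ledger(rows):
        by_account[txn["account"]].append(txn)

    alerts = []
    for account, txns in by_account.items():
        inbound = [t for t in txns
                   if t["direction"] == "in" and t["channel"] == "domestic_transfer"]
        outbound = [t for t in txns
                    if t["direction"] == "out" and t["channel"] == "remittance"
                    and t["country"] != home]
        for i in inbound:
            for o in outbound:
                if not (i["ts"] <= o["ts"] <= i["ts"] + window):
                    continue
                fee = 1.0 - o["amount"] / i["amount"]   # share the mule kept
                if FEE_MIN - 1e-9 <= fee <= FEE_MAX + 1e-9:
                    alerts.append({
                        "account": account,
                        "inbound": i["amount"],
                        "outbound": o["amount"],
                        "destination": o["country"],
                        "commission_pct": round(fee * 100, 1),
                        "delay_hours": round((o["ts"] - i["ts"]).total_seconds() / 3600, 1),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_mule_patterns(SAMPLE_LEDGER):
        print(alert)
```

On the constructed ledger the two mule accounts are flagged (forwarding 91% and 90% of the inbound sum to Russia and Ukraine within a day), the salary-and-rent account is not, and the account that remits only after twelve days is not flagged unless the window is widened, which shows why the window is a tuning decision rather than a constant.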
CYBERCRIME CASE STUDIES
Russian Business Network
Some Russian IT organisations are suspected of being purely vehicles for Internet crime, such as the now infamous
Russian Business Network. A scan of RBN and affiliated ISPs’ net space conducted by VeriSign iDefense analysts
failed to locate any legitimate activity. Instead, they identified phishing, malicious code, botnet command-and-control,
denial of service attacks and child pornography on every single server owned and operated by RBN. To date, significant
attacks on the financial sector continue to emanate from RBN and its affiliated organizations according to iDefense (Zenz
2007).
Hangup Gang
The HangUp Team is based in Archangelsk, Russia. In 2000 the alleged original members of the team, Alexei Galaiko,
Ivan Petrichenko and Sergei Popov, were arrested for infecting two local computer networks with malicious code, but
Russian authorities let them off with suspended sentences. In 2003 the gang released the viruses Berbew and Webber. In
2004 the group infected online stores with the Scob worm. Scob waited for web surfers to connect, then planted a
keylogging Trojan and relayed thousands of passwords and credit-card numbers to a server in Russia (Grow 2005).
TJX/Dave & Buster's Restaurant
In 2007 three men were indicted for hacking into cash registers at a number of Dave & Buster's restaurant locations
in the US and stealing data from thousands of credit and debit cards. That data was later sold and caused more than
$600,000 in losses. Maksym Yastremskiy of the Ukraine and Aleksandr Suvorov of Estonia hacked into cash register
terminals at 11 Dave & Buster's locations and installed "sniffer" programs to steal payment data as it was being
transmitted from the point-of-sale terminals to the company's corporate offices. The same men were later charged over a
similar breach at TJX. Some analysts estimated the losses at TJX at more than USD$1 billion (Kerber 2007).
Doug Bem, an inspector with the U.S. Postal Inspection Service, alleged Yastremskiy was a major reseller of stolen
credentials (Krebs 2008). Notably, both Yastremskiy and Suvorov were arrested while visiting Turkey and Germany, two
countries which actively co-operate with US law enforcement, and not at home in Eastern Europe.
E-Biz Hosting Incident 2003
On Saturday 28 December 2002, during the quiet Christmas and New Year period, an email purporting to be from E-Gold
support (an online gold trading company) was spammed out to a large number of Internet users. The next victim of this
phishing attack was the Commonwealth Bank of Australia (CBA), a formerly government-owned bank. This was
the first such phishing attack against a major Internet bank. On 10 April 2003 another phishing email was sent, this time
targeting ANZ. On 12 May 2003 a phishing email was sent out targeting Bank of America; it again used text similar to
the attacks on E-Gold, CBA and ANZ. On 4 July 2003, US Independence Day, Westpac Bank became the subject of a
similar phishing attack and at the same time ANZ received its second attack (McCombie 2008).
E-Biz Hosting Solutions was the owner of the domain used in the Westpac and both ANZ sites, appeared to have issued
the HTTPS certificate for the E-Gold website and managed the IP space for the CBA site. The Vice-President of the
company was listed as Maxim Unger from Odessa, Ukraine. Alex Mosh, also from Odessa, was listed as CTO (McCombie
2008). Alex Mosh, AKA Alex Polyakov, is listed on the Spamhaus Register of Known Spam Operations (ROKSO) top ten
list of spammers above.
Ruslan Ibragimov
Ruslan Ibragimov is a Russian based in Moscow. Spamhaus credits him as “One of the largest criminal methods/botnet/proxy
hijack spamming operations around.” Apart from his own spamming operations, he and his group authored the spam-sending
tool Send-Safe Mailer. He is also believed to be the author of the 2003 Sobig malware (Author Travis Group 2005).
W32.Sobig.F@mm was released on 18 August 2003 and infected hundreds of thousands of computers within a few hours. It
was a mass-mailing, network-aware worm that sent itself to all the email addresses it could find, worldwide. Within two
days of its release an estimated $50 million in damages had been reported in the US alone. China reported that over 30% of
its email traffic had been infected by Sobig, equivalent to over 20 million users. After interrupting freight operations and
grounding Air Canada, Sobig went on to cripple computing operations within even the most advanced technology
companies, such as Lockheed Martin (Author Travis Group 2005).
BlueSecurity DDoS
In 2006 Blue Security was an anti-spam company based in Israel and California with an original idea for stopping spam:
each time a spammer sent spam to one of its customers, it would send that spammer a request to stop. This caused serious
capacity problems for the spammers, since Blue Security was sending these requests on behalf of more than 500,000
customers. While this vigilante system of spamming the spammers was controversial, it was apparently quite legal. The
spammers' response was a DDoS attack. Blue Security initially responded effectively, but over time the attack grew in size
and sophistication and Blue Security had to turn to others for support. When Blue Security obtained Prolexic's DDoS
protection, which scrubbed its traffic, the spammers merely turned their DDoS on Prolexic's DNS, which shut down
Prolexic and many of the customers who used its service. The result was that Blue Security had to go it alone. Shortly
after, and as a result, the CEO decided to shut the company down (Krebs 2006). Both Polyakov and Ibragimov are
suspected of having been behind these attacks.
Estonia DDoS
On 26 April 2007 the Estonian government moved a Soviet WW2 memorial from the centre of its capital to a cemetery on
its outskirts. To Russians at home and in Estonia it was an outrage; Russians treat the memory of the war dead of WW2 as
sacred. Amongst other protests, Estonian systems came under DDoS attack from large volumes of ICMP traffic. While the
Estonian government claimed the attack was led by the Russian government, it appears more likely that a number of
technically savvy members of the Russian ethnic community within Estonia and elsewhere, urged on by a number of
Internet postings, were responsible (Lesk 2007).
NAB, Westpac, AusCERT, Malaware DDoS Attacks
While the Estonian and Blue Security DDoS attacks would appear to have little nexus to Australia, DDoS as a tool of
retribution has been seen in Australia a number of times. In October 2006 National Australia Bank (NAB) suffered a
DDoS as a result of its efforts to frustrate phishing gangs in Eastern Europe, and some claimed the infamous RBN was
responsible for the attacks (Zenz 2007). Information from law enforcement officials to Jane's Intelligence Review
indicated the attacks came from Russia, from groups also responsible for a number of blackmail DDoS attacks on online
betting houses (Karrstrand 2007). Shortly after, AusCERT and Malaware, who both assist banks with anti-phishing and
anti-Trojan efforts, were DDoSed. Then in September 2007 Westpac Bank suffered an attack with similar traffic patterns,
not long after its new cybercrime response team was established and operating against phishing gangs (Winterford 2007).
PHISHING EMAIL ANALYSIS
In work published in 2008 (McCombie 2008), email data from one month of phishing attacks (July 2006) against one
Australian financial institution were examined. This consisted of 77 discrete attacks on that organisation. Each attack
involved a different URL, set up at a different time and spammed out to extensive spam lists. The work examined the
email source of the hooks, the phishing pages where available and other archival data stored by the organisation or
otherwise archived on the Internet. The main purpose of the exercise was to see whether grouping was feasible. This proved
to be the case, with 6 particular profiles or groups accounting for all but 2 of the attacks (McCombie 2008). Using
unpublished data from that work, the authors looked at time zone data in a number of the emails in that dataset.
Timezone Analysis
The time zones GMT+3 (22 incidents) and GMT+2 (14 incidents) were present in 36 of the 62 incidents where a time zone
was present. Many of these instances involved Group 1 identified in the study (McCombie 2008), which accounted for 42%
of the 77 incidents. GMT+3 is the time zone of Ukraine in summer (EEST) and GMT+2 (EET) the rest of the year.
The time zone value examined here is the one the sender's email client writes into the message's Date header, not the one
the SMTP server stamps into the Received headers. The SMTP server's time zone value, while interesting, merely indicates
the location of the mail server used to send the email, which in most cases is a compromised system or open mail proxy,
and not the location of the sender, which the mail client's value may well indicate.
Figure 2. Timing of 63 Phishing Incidents against Australian Financial institution in July 2006.
During that study a virtual work day was also established, based on the header time set by the receiving SMTP server.
That study examined Tuesday 18 July 2006 in detail, when 12 phishing incidents were observed: attacks starting at 4.01am
and continuing to 8.59am, then a break of about ten hours, then three attacks from 6.44pm to 7.39pm. This may be
deliberate targeting of the victim users when they access their systems in the morning and first thing in the evening, or
may again indicate the working schedule of the phishers themselves (McCombie 2008). The authors examined unpublished
header data for 63 of the 77 incidents from that study. If we now look at those 63 incidents across July we see a similar
pattern of activity. In the period from midnight to 9.37am AEST we see 45 incidents. From 6.37pm to midnight AEST we
see 12 further incidents. However, from 9.37am to 6.37pm AEST we see only 6
incidents (3 of which occur within 17 minutes). Clearly there is significantly less activity in this period. If we convert
these 63 incidents to EEST we can see how the busy times map to mid-morning and very early morning in EEST,
potentially the waking hours of the perpetrators. An argument could also be made for later time zones such as GMT, but
clearly the timing does not match the waking hours in Australia.
Windows-1251
Unpublished character set data were also examined from the July 2006 study. The Windows-1251 character set encodes
the Cyrillic alphabet used in Russia and Eastern Europe. In the 5 instances where any value was seen, 4 were Windows-1251
(the remaining one was Windows-1252, the standard Latin encoding). All these instances involved Group 3, which
accounted for 18% of the 77 incidents. We then looked at a different phishing corpus, made available by Jose Nazario, of
phishing incidents from 7 August 2006 to 7 August 2007 (Nazario 2007), to see if we could find this value. That corpus
contained 2279 different phishing attacks; 904 of these had a value for a Windows character set and for 693 of those the
value was Windows-1251. Future research will look at this and other, larger email corpora of phishing attacks to further
assess the prevalence of this value.
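The three header signals used in this section (the client-written Date offset, the server-stamped Received time mapped to AEST and EEST, and the declared charset) can be pulled from raw messages with Python's standard email module. The script below is an added example written for this edit, not code from the 2008 study or from the Nazario corpus. Its four sample messages are constructed (hosts, addresses, queue IDs and times are invented), and the 9.37am and 6.37pm AEST boundaries are taken from the text as the bands to count into.

```python
"""Header triage for a corpus of phishing hooks: client-side time zone offsets,
receiving-server timestamps mapped to AEST and EEST, and declared charsets."""
import textwrap
from collections import Counter
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

AEST = timezone(timedelta(hours=10))  # Australian Eastern Standard Time (no DST in July)
EEST = timezone(timedelta(hours=3))   # Eastern European Summer Time, GMT+3

# Constructed sample messages: hosts, addresses, IDs and timestamps are invented
# for illustration and are not drawn from the July 2006 dataset.
SAMPLE_CORPUS = [
    textwrap.dedent("""\
        Received: from mail.example.net (mail.example.net [192.0.2.10])
            by mx.bank.example (Postfix) with ESMTP id A1B2C3
            for <customer@bank.example>; Tue, 18 Jul 2006 04:01:12 +1000
        Received: from [198.51.100.7] (unknown [198.51.100.7])
            by mail.example.net with SMTP; Mon, 17 Jul 2006 14:00:58 -0400
        Date: Mon, 17 Jul 2006 21:00:31 +0300
        Content-Type: text/html; charset="windows-1251"

        <html><body>Please verify your account.</body></html>
        """),
    textwrap.dedent("""\
        Received: from smtp.example.org (smtp.example.org [203.0.113.5])
            by mx.bank.example (Postfix) with ESMTP id D4E5F6; Tue, 18 Jul 2006 08:59:40 +1000
        Date: Tue, 18 Jul 2006 00:59:07 +0200
        Content-Type: text/html; charset=windows-1251

        <html><body>Important notice.</body></html>
        """),
    textwrap.dedent("""\
        Received: from relay.example.com ([192.0.2.77])
            by mx.bank.example (Postfix) with ESMTP id G7H8I9; Tue, 18 Jul 2006 18:44:05 +1000
        Content-Type: text/plain; charset=iso-8859-1

        No Date header at all on this one.
        """),
    textwrap.dedent("""\
        Received: from [198.51.100.9] (unknown [198.51.100.9])
            by mx.bank.example (Postfix) with SMTP id J1K2L3; Tue, 18 Jul 2006 13:10:00 +1000
        Date: Tue, 18 Jul 2006 06:09:48 +0300
        Content-Type: text/html

        <html><body>Charset not declared.</body></html>
        """),
]

def fmt_offset(delta):
    """Render a UTC offset as +HH:MM / -HH:MM."""
    total = int(delta.total_seconds())
    sign, total = ("+", total) if total >= 0 else ("-", -total)
    return f"{sign}{total // 3600:02d}:{total % 3600 // 60:02d}"

def client_tz_offset(msg):
    """Offset in the Date: header, which the sender's mail client writes; None if absent."""
    raw = msg.get("Date")
    if raw is None:
        return None
    try:
        stamp = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    return None if stamp.tzinfo is None else fmt_offset(stamp.utcoffset())  # '-0000' = no zone

def receiving_server_time(msg):
    """Timestamp the final MTA put in the topmost Received: header; None if unusable."""
    raw = msg.get("Received")
    if raw is None or ";" not in raw:
        return None
    try:
        stamp = parsedate_to_datetime(raw.rsplit(";", 1)[1].strip())
    except (TypeError, ValueError):
        return None
    return stamp if stamp.tzinfo is not None else None

def aest_band(stamp):
    """Bucket a server timestamp into the three AEST windows used in the text."""
    local = stamp.astimezone(AEST)
    minutes = local.hour * 60 + local.minute
    if minutes < 9 * 60 + 37:
        return "00:00-09:37"
    return "09:37-18:37" if minutes < 18 * 60 + 37 else "18:37-24:00"

def analyse_corpus(raw_messages):
    """Tabulate client offsets, declared charsets and server-time bands over a corpus."""
    summary = {"client_tz": Counter(), "charset": Counter(), "aest_band": Counter(), "eest_hours": []}
    for raw in raw_messages:
        msg = message_from_string(raw)
        summary["client_tz"][client_tz_offset(msg)] += 1
        summary["charset"][msg.get_content_charset()] += 1   # lower-cased, None if undeclared
        stamp = receiving_server_time(msg)
        if stamp is not None:
            summary["aest_band"][aest_band(stamp)] += 1
            summary["eest_hours"].append(stamp.astimezone(EEST).hour)
    return summary

if __name__ == "__main__":
    result = analyse_corpus(SAMPLE_CORPUS)
    for key in ("client_tz", "charset", "aest_band"):
        print(key, dict(result[key]))
    print("server stamps as EEST hour of day:", result["eest_hours"])
```

Two points the code makes concrete: only the topmost Received header is trusted for timing, because it is written by the victim organisation's own server while the lower ones come from whatever relay or compromised host the spammer used; and a Date offset of -0000, or no Date header at all, is counted as "no time zone present" rather than as GMT.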
CORRUPTION PERCEPTION INDEX, INTERNET PENETRATION, TERTIARY EDUCATION AND CYBERCRIME
Russia and other parts of the former Soviet Union have suffered from a high level of corruption for some time. The
Transparency International Corruption Perceptions Index (CPI) is based on a number of surveys conducted globally
(Transparency International 2008). When trying to understand why Russia and Ukraine in particular seem to figure so
prominently in cybercrime incidents, we decided to look for a possible correlation between high corruption, high Internet
penetration and high levels of tertiary education. As will be seen, this shows the distinctive position of Russia and the
Ukraine, both in terms of absolute numbers and per capita in these areas, when compared with other countries with poor
(low) CPI scores.
The Transparency International CPI ranks countries in terms of the degree to which corruption is perceived to exist
among public officials and politicians. It is a composite index, a poll of polls, drawing on corruption-related data from
expert and business surveys carried out by a variety of independent and reputable institutions. The CPI reflects views
from around the world, including those of experts who are living in the countries evaluated. The lower the score the
worse the perception of corruption in that country (Transparency International 2008). We then added Internet penetration
information gathered by the International Telecommunication Union (International Telecommunication Union 2008) for
each country listed in the CPI ranking, and data on the level of tertiary education from the World Bank (World Bank
2007). The CPI rating and Internet data relate to 2008 and the tertiary education data to 2007.
In 2008 Russia had more than 30 million Internet subscribers and a penetration of over 20 users per 100 inhabitants.
Ukraine, while considerably smaller, still had over 6 million Internet users and a penetration of over 13 per 100. At the
same time both are listed in the bottom 25% of countries by corruption perception, Russia scoring 2.2 at 147/181 and
Ukraine scoring 2.5 at 134/181. They also have very high levels of enrolment in tertiary education: Russia has over 9
million enrolled and a Gross Enrolment Ratio (GER, the proportion of the relevant age group enrolled) of 72.3%, and
Ukraine has nearly 3 million enrolled and a GER of 72.8%.
While countries like China have far higher numbers of Internet subscribers (150 million), China's CPI sits a lot better at
3.6 (72/181) with a GER of a mere 21.6%. This makes Russia and Ukraine distinctive. Even Nigeria, with its reputation as
the home of 419 scams and West African crime, actually sits higher on the CPI at 121/181, scoring 2.5, but has only 115
thousand Internet subscribers, a tiny penetration of 0.08 per 100 and a GER of 10.2%. Table 2 shows all countries with
more than 1.5 million Internet subscribers ranked by CPI score, including tertiary figures. This shows the distinctive
position of Russia and the Ukraine.
Table 2. Countries ranked by CPI Score (lowest to highest), Internet Subscribers (>1.5 Million) showing
enrolment in Tertiary Education
CONCLUSION
It is acknowledged that the data analysis discussed above is not alone conclusive as to the source of phishing and
related cybercrime. However, viewed in conjunction with the survey information and other supporting material, it
presents a compelling argument for the major role played in phishing and related cybercrime by Eastern European
individuals and groups. Eastern Europe’s situation has made it particularly suited to the development of cybercrime
groups: high levels of technical education reflected in the high GER, a period of economic uncertainty and downturn, a
breakdown of state institutions and an established tradition of criminal gangs have all contributed. It is interesting to note
that Romania, which was identified in association with eBay auction fraud (Warne 2007), has now improved its situation
with the prosecution of a number of cybercriminals in that country (Goodin 2008). Romania now has a healthy CPI of
3.8 by Eastern European standards, up from 2.8 in 2003. Both these developments seem to have been a result of closer
ties with the European Union, the USA and the West generally. It seems, however, that as long as Ukraine and Russia
remain outside this type of influence it is going to be difficult for western governments, and more particularly western
law enforcement, to have much impact on individuals and groups in these countries committing cybercrime. The Russian
and Ukrainian governments would appear to have the capacity to deal with the problem, just not the incentive.
REFERENCES
Abramova, I. (2007). "The Funding of Traditional Organised Crime in Russia." Economic Affairs 27(No.1): 18-21.
Aston, M., McCombie S., Reardon B., and Watters P. (2009). A Preliminary Profiling of Internet Money Mules: An
Australian Perspective. Cybercrime and Trustworthy Computing. Brisbane.
Author Travis Group. (2005, September). "Who Wrote Sobig?" from http://authortravis.tripod.com/.
Belton, C. (2003). "New Book Poses Question of Putin's Links with Underworld." from
http://www.sptimes.ru/index.php?action_id=2&story_id=11164.
Finckenauer, J. O. and J. L. Schrock (2004). The prediction and control of organized crime: the experience of post-Soviet
Ukraine. New Brunswick, N.J., Transaction Publishers.
Galeotti, M. (2005, 24 May 2005). "Russian mafiya become more active in Eastern Europe." from
http://www.janes.com/security/law_enforcement/news/jir/jir050524_1_n.shtml.
Galeotti, M. (2006). "The Criminalisation of Russian State Security." Global Crime 7(Number 3-4).
Galeotti, M. (2008). Interview with Author.
Gartner. (2009). "Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008." from
http://www.gartner.com/it/page.jsp?id=936913.
Goodin, D. (2008). "Notorious eBay hacker arrested in Romania." from
http://www.theregister.co.uk/2008/04/18/vladuz_arrested/.
Grow, B. (2005). "Hacker Hunters: An elite force takes on the dark side of computing " Retrieved 20 August, 2009,
from http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm.
iDefense (2006). Money Mules: Sophisticated Global Cyber Criminal Operations Verisign.
International Telecommunication Union. (2008). "Internet indicators: subscribers, users and broadband subscribers:
2008." from http://www.itu.int/ITUD/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1.
Karrstrand, K. and Jonsson, M. (2007). "The Baltic connection - Money laundering in the Baltic region." Jane's
Intelligence Review.
Kerber, R. (2007). "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in record fraud case." from
http://www.boston.com/business/globe/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/.
Kornakov, P. (2007). "Gibson offers sneak peek into his world." from http://www.cambridgenews.co.uk/business/news/2007/02/06/ca10f0fb-fa50-4e49-b8d4-51b8c359075a.lpf.
Krebs, B. (2006). "In the Fight Against Spam E-Mail, Goliath Wins Again." from
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR2006051601873.html.
Krebs, B. (2008). "Three Charged With Hacking Dave & Buster's Chain." from
http://voices.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html.
Kreizer, G. (2005). "Dutch Botnet Trio Reportedly Connected To Russian Mob."
Lesk, M. (2007). "The New Front Line: Estonia under Cyberassault." IEEE Security and Privacy 5(No.4 July/Aug.
2007): pp.76-79.
Martin, S. (2007). International Field Report : Australia. 2007 APWG General Members Meeting. Pittsburgh PA.
McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks. 6th Australian Digital
Forensics Conference. Perth.
McCombie, S., Watters, P. , Watson, B. & Ng, A. (2008). Forensic Characteristics of Phishing - Petty Theft or
Organized Crime. WEBIST Conference Funchal Portugal pp149-157
Messagelabs. (2009). "MessageLabs Intelligence: July 2009." from
http://www.messagelabs.com/resources/mlireports.
Naraine, R. (2006). "Return of the Web Mob." from http://www.eweek.com/article2/0,1895,1947561,00.asp.
Nazario, J. (2007). "Phishing Corpus." from http://monkey.org/~jose/wiki/doku.php?id=PhishingCorpus.
Nomad, S. (2005). "Organized Cybercrime." from
http://www.dc214.org/notes/june_2005/dc214_sn_orgcrime.ppt.
Overseas Security Advisory Council (2009). Russia 2009 Crime & Safety Report: St. Petersburg, Overseas Security
Advisory Council.
Parsons, M. (2004). "Twelve arrested for laundering phished funds." Retrieved 1 September, 2009, from
http://news.zdnet.co.uk/security/0,1000000189,39153687,00.htm.
Phair, N. (2007). Cybercrime : the reality of the threat. Kambah, A.C.T., Nigel Phair.
Reuters. (2005, November 29, 2005). "Cybercrime now bigger than the drug trade." from
http://www.smh.com.au/news/technology/cybercrime-now-bigger-than-the-drugtrade/2005/11/29/1133026443366.html.
Ridley, N. (2007). "Financial Crime Trends in Central and Eastern Europe." Economic Affairs 27(No. 1 March 2007):
pp. 22-26.
Serio, J. D. (2008). Investigating The Russian Mafia. Durham NC, Carolina Academic Press.
Sturgeon, W. (2006). "Analysis: A globetrotter's guide to cyber crime." Retrieved 30 July, 2009, from
http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158777,00.htm.
The Presidents Identity Theft Task Force (2007). Combating Identity Theft: A Strategic Plan. 2007.
The Spamhaus Project. (2009). "The 10 Worst ROKSO Spammers." Retrieved 21 July, 2009, from
http://www.spamhaus.org/statistics/spammers.lasso.
Transparency International. (2008). "Corruption Perceptions Index 2008." from
http://www.transparency.org/policy_research/surveys_indices/cpi/2008.
US Department of Justice (2008). Strategy to Combat International Organized Crime.
Varese, F. (2001). The Russian mafia : private protection in a new market economy. Oxford, England ; New York,
Oxford University Press.
Volkov, V. (2002). Violent entrepreneurs : the use of force in the making of Russian capitalism. Ithaca, Cornell
University Press.
Walker, F. (2006). Gone phishing ... gangs using Aussie kids to steal millions. Sydney Morning Herald. Sydney.
Warne, D. (2007). "Romania a global hotspot for eBay fraud." APC Magazine May 2007. from
http://apcmag.com/romania_a_global_hotspot_for_ebay_fraud.htm.
Winterford, B. (2007, 19 June 2007). "Westpac hit by DoS attacks." from
http://www.zdnet.com.au/news/security/soa/Westpac-hit-by-DoS-attacks/0,130061744,339278748,00.htm.
World Bank. (2007). "Education Statistics 2007 Version 5.3." from
http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTEDUCATION/EXTDATASTATISTICS/EXTEDSTATS/0,,menuPK:3232818~pagePK:64168427~piPK:64168435~theSitePK:3232764,00.html.
Zenz, K. (2007). Global Threat Research Report: Russia. iDefense Security Report. iDefense, Verisign.
Zenz, K. (2007). Uncovering Online Fraud Rings: The Russian Business Network. iDefense Security Report. IDefense,
Verisign.
COPYRIGHT
Stephen McCombie, Josef Pieprzyk, Paul Watters ©2009. The author/s assign SECAU & Edith Cowan University a
non-exclusive license to use this document for personal use provided that the article is used in full and this copyright
statement is reproduced. The authors also grant a non-exclusive license to the SECAU & ECU to publish this document
in full in the Conference Proceedings. Such documents may be published on the World Wide Web, CD-ROM, in printed
form, and on mirror sites on the World Wide Web. Any other usage is prohibited without the express permission of the
authors.
Figure 4.1: Mazafaka Carders Forum (Simple Nomad 2005)
CHAPTER 4 THE CYBERCRIME MARKETPLACE
4.1
Introduction
The previous chapter looked in detail at the first Internet bank phishing attacks, how this
phenomenon changed the crime paradigm and what features make Eastern Europe an ideal base
from which to instigate transnational cybercrime. This chapter explores the cybercrime market,
which supports phishing and related cybercrime by providing a market for the various tools needed
for phishing and for laundering the proceeds of that cybercrime.
With hacking for profit becoming the dominant motive for cybercrime in the early 2000s, an active
online market was established for trade in compromised credentials, compromised systems, exploit
code, crimeware and other resources facilitating phishing and carding (Cox 2002). In 2002, United
States law enforcement undertook “Operation Firewall”, a significant operation infiltrating online
markets and resulting in the prosecution of a number of involved US residents. Efforts to pursue
Eastern European suspects were less successful (Menn 2010) due to some prevailing legal and political
issues which are further explored in Chapter 6.
4.2
The evolution of the cybercrime marketplace
In the hacking world, well before the Internet became mainstream, interaction between members of
the hacking community was an important method to learn new skills, exchange information on
technical exploits and even recruit accomplices to compromise systems. Early hackers, who were
often also skilled phreakers (hackers of phone systems), used the telephone system to communicate
with each other (often across the globe) but soon moved to the digital realm and Internet Relay Chat
(IRC) became the standard method of communication in the hacking community. During one of the
bombing resumptions against Iraq in February 1998, the US Air Force found many of its bases under
electronic attack by an unknown enemy. At first it was thought to be Iraqi information warriors. The
source of the attacks turned out to be two Californian teenagers. Investigations also revealed that an
Israeli citizen had met them over Internet Relay Chat, then encouraged and assisted them in their cyber
attacks, never having met them in person (Power 2000).
4.3
Scope and Products
While early use of IRC related to coordinating, collaborating and teaching new skills, some IRC
channels eventually became markets for various illicit goods and services. One of the earliest
commodities made available (still available today in significant volumes) was credit card numbers.
Credit card numbers in large quantities, often compromised from poorly secured e-commerce servers,
could be readily bought and sold, or sometimes simply given away. Many online services and products
could be purchased using no more than such stolen credentials. At the time, various counter-measures,
such as the ability to check billing addresses and CVCs, were either not available or only available in
some countries. Indeed, there are many cases of phishing websites having themselves been established
with legitimate web hosting companies using compromised credit cards; commonly, by the time these
frauds were discovered the site had already served its illicit purpose. Other than IRC, web forums were
used as marketplaces for trade in cybercrime tools.
One such example can be seen on the title page for the Mazafaka Carders Forum (Simple Nomad
2005). By late 2003, the growth and success of Internet Bank phishing attacks brought the phishers
86
difficulties in themselves illicitly using all the captured credentials they had obtained and so, like
credit card numbers, these too were on-sold in the cybercrime market. The rise of banking Trojans
(particularly the less discriminating ones which key logged all sorts of credentials) brought the
availability of an even greater number of Internet banking credentials. Drawn from the customers of
banks all over the world (some of which were not themselves targeted by the phishers), these credentials
were sold in the cybercrime market by the phishing groups to whom they became available. Other items of use for phishing attacks and
other cybercrime were also bought and sold, including email lists for spamming, e-mail servers for
sending the spam, proxies to hide the source of activity and other compromised systems. More
technical products such as new exploit code, Trojan code and assembled botnets were also bought
and sold. Table 4.1 below shows an example of the pricing of various goods and services offered for
sale.
Table 4.1: Goods and services offered for sale on an underground economy IRC market (Herly 2010)
4.4 Commoditisation of Credentials
In the cybercrime marketplace, captured credentials became a common commodity for trade. What
in effect had been established was a factoring business in credentials. As in debt factoring, phishers
came to sell credentials for a portion of the potential total proceeds their illicit use could deliver. On
some estimates, sales prices were as little as 5% of the face value (Holt 2006; Franklin 2007; Herly
2008) to someone who will cash in the credentials using Internet money mules and a transfer agent
like Western Union to repatriate the funds. Other research (Herly 2010) suggests that, because the
bottleneck is in recruiting Internet money mules and this part of the process is key to its success, it
should be the focus of response efforts. Chapter 6 examines this and other similar strategies
suggested as more effective counter-measures than the technical controls where a majority of
resources are currently directed.
4.5 Analysis
To better understand phishing and related cybercrime this chapter looks more closely at some of the
channels where stolen credentials and other items are traded. For the research, titles of IRC
channels on the undernet.org (a popular underground IRC server) were obtained. From earlier
research it was known the channels were often rather obviously named, with names like #bank,
#creditcards etc. From these channels, the “nicks” (nicknames) of users advertising cybercrime
goods and services were identified. Other channels where these nicks operated were then
examined. Using this method, two highly active channels “#cc power” and “#cashers” were
identified and logged in full for a 24 hour period. Figure 4.2 below shows a selection of messages from the “#cc power”
IRC channel on 16 June 2009. From analysis of this data an initial methodology for further
understanding of how credentials are traded in online marketplaces was developed and is described
in section 4.7 under the title "A methodology for analyzing the credential marketplace". While only
English and Romanian messages were present, it is assumed Russian speakers communicate in
English on these channels due to incompatibility of their character set and may also use Russian-only
language channels for other trade. Further research could look for features of English spoken by
native Russian speakers in these channels to see if this assumption holds true.
Figure 4.2: Transcript of “#cc power” IRC Channel, on 16 June 2009
4.6 Conclusion
This chapter has examined the online cybercrime marketplace and its role in supporting phishing and
related cybercrime. The factoring of credentials is an important aspect of phishing as it allows for
greater specialisation. Specialisation facilitates more research into circumventing various bank
authentication systems by phishing groups, while “Executives” worry about the human factors, the
Internet money mules and the movement of money via Western Union and Moneygram. It also
means a lower entry price, as groups coming into phishing do not need the full set of skills and
can focus on one area and purchase or trade for the other services. The operation of the cybercrime
market means some bank credentials are worth more than others: if they are more easily cashed out,
a higher portion of the face value can be realised. Abad (2006) observes:
It is no surprise that Washington Mutual, Key Bank, and various other institutions are at the
top of phishers’ lists. The tracking algorithms for these financial institutions are easily
obtained from within the phishing economy, while Bank of America, a huge financial
institution, is nearly off phishers’ radar because their encoding algorithm is very hard to
obtain or crack. According to statements by phishers, it may be based on Triple–DES, a strong
encryption algorithm. (Abad 2006)
A measure of the effectiveness of a bank’s counter-measures would therefore be that its credentials are
worth less in the cybercrime market. Measuring these values may well help validate the
effectiveness of the counter-measures each institution takes. The next chapter examines further
supporting data for the attribution of phishing and related cybercrime to Eastern Europe, by
examining the features within available phishing artefacts and, in particular, within phishing emails.
4.7 References
Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential marketplace."
Journal of Money Laundering Control 14(1): 32-43.
A methodology for analyzing the credential marketplace
Paul A. Watters
Internet Commerce Security Laboratory (ICSL), University of Ballarat, Ballarat, Australia, and
Stephen McCombie
Centre for Policing, Intelligence and Counter Terrorism (PICT), Macquarie University, Sydney, Australia
Abstract
Purpose – Cybercrime has rapidly developed in recent years thanks in part to online markets for tools
and credentials. Credential trading operates along the lines of a wholesale distribution model, where
compromised credentials are bundled together for sale to end-users. Thus, the criminals who specialize
in obtaining credentials (through phishing, dumpster diving, etc.) are typically not the same as the
end-users. This research aims to propose an initial methodology for further understanding of how
credentials are traded in online marketplaces (such as internet relay chat (IRC) channels), such as typical
amounts charged per credential, and with a view to preliminary profiling, especially based on language
identification.
Design/methodology/approach – This research proposes an initial methodology for further
understanding of how credentials are traded in online marketplaces (such as IRC channels), such as
typical amounts charged per credential, and with a view to preliminary profiling, especially based on
language identification. Initial results from a small sample of credential chatroom data are analysed using
the technique.
Findings – The paper identified five key term categories from the subset of the 100 most frequent
terms (bank/payment provider names, supported trading actions, non-cash commodities for trading,
targeted countries and times), and demonstrated how actors and processes could be extracted to identify
common business processes in credential trading. In turn, these elements could potentially be used to
track the specific trading activities of individuals or groups. The hope in the long-term is that we may be
able to cross-reference named entities in the credential trading world (or a pattern of activity) and
cross-reference this with known credential theft attacks, such as phishing.
Originality/value – This is the first study to propose a methodology to systematically analyse
credential trading on the internet.
Keywords Fraud, Theft, Crimes
Paper type Research paper
Journal of Money Laundering Control
Vol. 14 No. 1, 2011
pp. 32-43
© Emerald Group Publishing Limited
1368-5201
DOI 10.1108/13685201111098860
I. Introduction
Transnational and organized crime represent a serious threat to the social and political norms of nation-states and their structural cornerstones, such as banks and other financial institutions. Although such groups typically avoid politics to focus on generating revenue and profit, the impact of their operations is far from victimless – corruption, conflict and unchecked violence can lead to the collapse of civil society (Sullivan and Bunker, 2002). Organized crime entrepreneurs such as the Russian Mafiya have been quick to identify the opportunities for fraud that the now ubiquitous internet provides (McCombie et al., 2009). Early cybercrime was about youthful exploration and “bragging rights” but now the motive is criminal profit (McCombie et al., 2008). Organized crime can target victims anywhere in the world while remaining based in their home countries, outside the reach of western law enforcement. They do this by taking advantage of weaknesses in the nature of the internet, in cross-border policing and in the relatively open nature of global financial systems (McCombie and Pieprzyk, 2010).
This work was supported in part by the Australian Federal Police, Westpac Banking Corporation, IBM, the State Government of Victoria and the University of Ballarat.
Cybercrime is supported by extensive markets for goods and services to support this
criminal activity. You can go online and purchase vulnerabilities, exploit code, botnets
and other tools to commit cybercrime. In addition, the fruits of this cybercrime are also
available in these online markets (McCombie et al., 2008). Compromised credentials are a
commodity. Such is the specialization that some individuals and groups focus solely on
“cashing out” compromised credentials, that is, using those credentials to commit online
fraud and launder the proceeds back to another jurisdiction. This paper concerns the
analysis of one of the most insidious “products” that are bundled and sold openly
through internet-based marketplaces – those sets of credentials that can be used to
operationalize identity theft and subsequent identity fraud on a large scale.
The credential marketplace provides a mechanism for “suppliers” of credential
“products” the means to on-sell these at a wholesale level to interested parties. The
marketplace is extremely liberal and attractive to suppliers: it is largely anonymous,
operates transnationally, and there are no fees, charges or taxes levied. The structure can
evolve rapidly in response to law enforcement operations, and provide an excellent
example of an asymmetric threat, operated by small numbers of players through a
network structure, which can resist hierarchically organized nation-states and coalitions
(Arquilla and Ronfeldt, 2001).
The wholesale trade in credentials is a serious concern for law enforcement, as it
provides a mechanism for large-scale attacks to be undertaken against sets of typically
aggregated targets.
Credential trading can potentially occur on any online forum; in this paper, we focus
on trading activity conducted through internet relay chat (IRC) channels, since IRC
provides a ready and somewhat anonymous means for suppliers and consumers to
interact and “meet” each other, although social networking, web sites and secure portals
are all potential sources for “dealing”. On IRC, users identify themselves using an
arbitrary “nick” (name) (Bechar-Israeli, 1995) and connect to a specific channel, where
public messages can be broadcast to all members of the channel who are monitoring it.
Private messaging is also supported.
The goal of this paper is to outline a methodological approach for analyzing the
credential marketplace. Given the ever-shifting nature of the marketplace, it is difficult
to provide definitive answers to who trades credentials, but we believe that – by using a
systematic methodology – at least some of the parameters of credential trading can be
estimated over time.
II. Procedure for analysis
A. Approach
The methodological approach is based on simple text analysis, and integration between
a number of different analytical tools. We believe that the functional requirements for
each sub-system can be articulated; however, the accuracy of each sub-system will affect
the overall performance of the system, and our preliminary results indicate that further
refinement is required, especially in the area of language identification from small
samples.
The approach begins with a log of IRC samples from channels known to be involved
in credential trading. Once these channels have been identified, all public activity can be
logged.
Once sufficient data have been logged from the channels, three key pieces of data
can be extracted:
(1) the user’s “nick”;
(2) time/date of posting; and
(3) message content.
This modest data segmentation can be used to analyze the data in any number of ways,
including:
• Counting the number of times a specific “nick” has posted any message during a certain time period.
• Counting the number of times a specific “nick” has posted the same message during a certain time period.
• Counting the number of times a specific entity is named during a certain time period, such as a bank name, or credit card name.
• Identifying which terms are likely to characterize credential trading activity using term frequency analysis.
• Examining lexical patterns in messages to determine the highest frequency combinations of terms that might indicate specific types of trading.
• Identifying the language(s) used in each message, and determining the proportion that certain languages were used during a certain time period.
In the following sections, we outline some approaches to applying several of these
techniques to credential trading from IRC logs, before illustrating how they can be
applied to real data.
B. Term frequency analysis
Term frequency analysis involves translating each message into a message × term
matrix, and incrementing the appropriate matrix entry each time a token matching that
term is encountered after parsing each message (Spärck Jones, 1972). By adding all
frequencies for each message, a term-frequency list can be generated and sorted in
descending order. The frequency of terms will likely follow Zipf’s Law (Eftekhari,
2006), i.e. the rank of the term will be inversely proportional to its frequency. After
words from a “stop list” are applied to this list, the residual most frequent terms can be
considered to characterize the terms involved in credential trading. If these terms are
compared to term lists from non-credential trading activity, it may be possible to
establish prior probabilities and employ Bayes’ Theorem to build a reliable classifier
(Ho and Watters, 2004). Such a classifier could be used as part of a crawler to flag
web sites, IRC logs or other unstructured text databases which may be related to
credential trading.
C. Lexical pattern analysis
Lexical analysis goes beyond term frequency analysis and investigates term collocation,
where various statistical measures (such as the log-likelihood score) can be used to
determine whether collocated terms are of interest. In the context of credential trading,
we propose to examine the most significant n-grams of the most frequent terms
extracted from the term frequency analysis. This should provide more syntactic insight
into the mechanics of the offer process that traders are utilizing. For example, if the term
“BankX” is frequent, then examining a 5-gram might reveal patterns of trading such as
“cashout BankX for money orders” or “5,000 BankX cardnumbers for $10,000”.
If sufficient data can be aggregated over specific time periods, then the details of the
trading activity could potentially be characterized quite accurately. In addition, it may
be possible to derive business processes by extracting terms that represent static feature
elements as proposed by Stabek et al. (2009). For example, if the terms “scam”, “money
transfer”, “bank” and “phishing” were collocated, then these could potentially be
sequenced to infer a standardized business process.
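The log segmentation, term-frequency and n-gram steps of Sections II.A to II.C carried through in one script, as an added example (it is not the authors' tooling and does not use the channel data analysed in this paper). It parses a constructed IRC log in an assumed "[HH:MM] <nick> message" layout into nick, time and message fields, counts posts and repeated adverts per nick, builds a stop-listed term-frequency list with literal numbers dropped, and extracts the most frequent n-grams that contain a seed term such as "cashout". The log lines, the stop list and the seed term are all assumptions made for the example.

```python
"""Term-frequency and n-gram collocation analysis of IRC channel logs.

Added example (not the authors' tooling): parses a constructed log into
(nick, time, message) records, counts posts and repeated messages per nick,
builds a stop-listed term-frequency list, and extracts the top n-grams that
contain a seed term, as Sections II.A-C describe.
"""
import re
from collections import Counter

# Constructed sample log (invented for this example, not real channel data).
# Assumed layout: "[HH:MM] <nick> message", one message per line.
SAMPLE_LOG = """\
[10:02] <seller1> i also cashout bank logins uk us banks uk can cashout fresh us uk cvv's msg me for more info
[10:03] <seller1> i also cashout bank logins uk us banks uk can cashout fresh us uk cvv's msg me for more info
[10:05] <buyer7> need good supplier for longterm deal msg me
[10:07] <seller1> i also cashout bank logins uk us banks uk can cashout fresh us uk cvv's msg me for more info
[10:09] <drops_guy> selling root's with php and uid 0
[10:11] <buyer7> need good supplier for longterm deal msg me
"""

LINE_RE = re.compile(r"^\[(?P<time>\d{2}:\d{2})\] <(?P<nick>[^>]+)> (?P<msg>.*)$")

# Minimal stop list of function words (an assumption for the example); bank,
# country and action terms are kept because they characterise trading activity.
STOP_WORDS = {"i", "also", "can", "me", "for", "more", "with", "and",
              "is", "has", "in", "or", "your"}


def parse_log(text):
    """Extract the three fields the methodology needs from each log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # joins, quits and malformed lines are skipped
            records.append(m.groupdict())
    return records


def tokenize(msg):
    """Lower-case word tokens; literal numbers are dropped, as in Table I."""
    tokens = re.findall(r"[a-z0-9']+", msg.lower())
    return [t for t in tokens if not t.isdigit()]


def posts_per_nick(records):
    """How many messages each nick posted in the logged window."""
    return Counter(r["nick"] for r in records)


def repeat_counts(records):
    """How often each nick posted the identical message (advert repetition)."""
    return Counter((r["nick"], r["msg"]) for r in records)


def term_frequencies(records, stop_words=STOP_WORDS):
    """Term-frequency list over all messages, with the stop list applied."""
    counts = Counter()
    for r in records:
        counts.update(t for t in tokenize(r["msg"]) if t not in stop_words)
    return counts


def top_ngrams(records, n, seed=None, k=5):
    """Top-k n-grams as space-joined strings. If seed is given, only n-grams
    containing that term are counted. Ties are broken alphabetically so the
    output is deterministic."""
    counts = Counter()
    for r in records:
        toks = tokenize(r["msg"])  # stop words stay in, as in the paper's n-grams
        for i in range(len(toks) - n + 1):
            gram = toks[i:i + n]
            if seed is None or seed in gram:
                counts[" ".join(gram)] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("posts per nick:", posts_per_nick(recs))
    print("top terms:", term_frequencies(recs).most_common(5))
    print("5-grams containing 'cashout':", top_ngrams(recs, 5, seed="cashout"))
```

The three prints correspond to the first, fourth and fifth bullets of Section II.A; repeat_counts covers the second bullet (the same message posted repeatedly by one nick), which is what a seller running an advert script on a channel looks like in the data.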
D. Geographic profiling
If we can profile the type of “trades” that occur using n-gram analysis, a further
extension to the methodology would be to begin determining the geographic distribution
of the traders. This technique has been successfully used in Australia to build a
preliminary geographic profile of money mules (Aston et al., 2009). While it may be
possible to gather IP addresses, the use of anonymization techniques makes it difficult to
trace these with any level of reliability. However, by observing IRC logs, we have noted
that there is a diverse range of language groups represented; by performing automatic
language identification, it may be possible to link the messages to specific region(s)
where that language is spoken. This may be important in understanding the threat
profile for “BankX” and could assist with their decision making with regard to more
targeted intelligence gathering, counter-measures and/or prosecution. For example,
expected geographic and/or linguistic profiles could be generated from close
examination of the structure and operating bases of known organized crime groups
(McCombie et al., 2009).
III. Results
A. Data
To illustrate the utility of this methodology, preliminary data were obtained from eight
known IRC credential trading channels which were monitored for a period of two days,
providing a total of 3,165 messages. The logged output from these channels was then
aggregated and analyzed using the techniques described in Section II.
B. Term frequency analysis
The top 100 terms are shown in Table I, along with their respective frequency counts. No
stopwords were removed from the list, but literal numbers have been deleted. A simple
categorization scheme can be derived from examining the most frequent terms:
(1) names of banks or payment providers {egold, chase, WellsFargo, boa, paypal};
(2) actions supported in trading {cashout, billpay, split, selling};
(3) non-cash commodities {logins, root’s, uid, gid};
(4) targeted countries {US, UK};
(5) credentials to be traded {cvv’s, visa, zumer, ebay}; and
(6) time {pm, urgent, minutes, longterm}.

Table I. Term-frequency analysis (top 100 terms)

Frequency  Term
2,398      I
2,336      also
1,847      cashout
1,845      can
1,254      has
1,251      for
1,137      US
1,124      UK
1,053      me
891        msg
791        in
746        share
728        your
703        need
700        is
675        bank
661        fresh
652        info
649        or
624        joined
610        IRC
610        quit
608        deal
597        egold
595        logins
592        good
587        more
585        minutes
585        us
574        uk
566        sell
563        w
563        billpay
562        cvv’s
561        BANKS
561        tf
561        supplier
561        longterm
561        300+
561        msr206
561        fulls
561        plasticards
473        email
385        net
383        split
286        ebay
275        care
271        extractor
261        and
254        <Bankers>
248        urgent
240        are
227        any
226        Dany^user
223        ` cumpar
222        sa
187        <Bankz>
185        chase
175        de
165        prv
150        visa
138        pe
138        si
137        php
129        WellsFargo
126        <Spay>
122        boa
121        with
118        full
112        sets
107        mode
107        mid
105        scot
105        america
105        day
103        BLACKMARKET
103        if
103        cashier
103        com
100        root’s
99         uid
99         up
99         gid
99         <Trader>
99         e b11Selling
98         pick
97         name
96         b
95         11
95         by
93         of
92         out
91         pm
87         paypal
87         zumer
84         cu
82         mail
81         U
78         TheAnt
78         Crowler
C. Lexical pattern analysis
Taking the terms that fall under each of the categories identified in the previous section,
we now analyze lexical patterns using n-grams for key terms, and extracting the top
5 items (based on frequency). Initially, though, it is useful to take a global view of phrases
and their frequencies in the data. Table II shows the top 5 n-grams for n = 1, 2, ..., 5.
Table II. Lexical pattern analysis (top 5 n-grams for each n)

n = 2
Frequency  Collocation
2,319      I also
1,138      also cashout
822        msg me
727        your share
634        share is

n = 3
Frequency  Collocation
1,122      I also cashout
634        your share is
610        has quit irc
585        in 15 minutes
577        can cashout fresh

n = 4
Frequency  Collocation
567        me for more info
567        msg me for more
561        cashout fresh us uk
561        fresh us uk cvv’s
561        also cashout bank logins

n = 5
Frequency  Collocation
567        msg me for more info
561        need good supplier for longterm
561        good supplier for longterm deal
561        is 80 I also sell
561        longterm deal msg me for

(1) Names of banks or payment providers. Bi-grams were calculated for the terms
{egold, chase, WellsFargo, boa, paypal}. As an illustration, Table III shows the top
5 n-grams for n = 5 and the term “paypal”. It is interesting to note the collocation
of terms and how they suggest scam business processes: compromised bank or payment
provider accounts associated with means of communication (e.g. im) and/or means of
cashing out (e.g. drops).

Table III. Lexical pattern analysis – banks or payment providers (n = 5, term “paypal”)

Frequency  Collocation
21         chase paypal ccbill com scam
21         paypal ccbill com scam page
13         mailer ccvs paypal wu bugs
13         ccvs paypal wu bugs drops
13         paypal wu bugs drops im
(2) Actions supported in trading. Taking the terms that fall under each of the
categories identified in the previous section {cashout, billpay, split, selling}, we now
analyze lexical patterns using n-grams. As an illustration, Table IV shows the top
5 n-grams for n = 5 and the term “sell”. In this example, a magnetic stripe reader
(MSR206) is being offered for sale with 300 plastic card blanks.

Table IV. Lexical pattern analysis – supported actions (n = 5, term “sell”)

Frequency  Collocation
561        is 80 I also sell
561        80 is also sell msr206
561        i also sell msr206 w
561        also sell msr206 w 300
561        sell msr206 w 300 plasticards

(3) Non-cash commodities. Taking the terms that fall under each of the categories
identified in the previous section {logins, root’s, uid, gid}, we now analyze lexical
patterns using n-grams. As an illustration, Table V shows the top 5 n-grams for n = 5
and the term “root’s”. Here, the seller is trying to trade access to compromised webserver
accounts with full root (UID = 0) access, typically of interest to phishers.

Table V. Lexical pattern analysis – commodities (n = 5, term “root’s”)

Frequency  Collocation
99         selling root’s with php and
99         root’s with php and uid
4          22 31 selling root’s with
4          31 selling root’s with php
2          22 36 selling root’s with

(4) Targeted countries. Taking the terms that fall under each of the categories
identified in the previous section {US, UK}, we now analyze lexical patterns using
n-grams. As an illustration, Table VI shows the top 5 n-grams for n = 5 and the term “uk”.
Here, the trader is looking to trade UK and US bank logins and offering to cash out illicit
funds transfers.

Table VI. Lexical pattern analysis – countries (n = 5, term “uk”)

Frequency  Collocation
561        uk us banks uk can
561        logins uk us banks uk
561        bank logins uk us banks
561        cashout bank logins uk us
561        also cashout bank logins uk
(5) Credentials to be traded. Taking the terms that fall under each of the categories
identified in the previous section {cvv’s, visa, zumer, ebay}, we now analyze lexical
patterns using n-grams. As an illustration, Table VII shows the top 5 n-grams for n = 5
and the term “visa”. This group of n-grams is notable because of the use of Romanian as
the means of communication; our observation is that Romanian is most commonly used
alongside English to conduct these transactions. “pentru orice fel de visa” means “for
any visa”, as an example.

Table VII. Lexical pattern analysis – credentials (n = 5, term “visa”)

Frequency  Collocation
69         visa full info dar sa
37         pentru orice fel de visa
37         orice fel de visa full
37         fel de visa full info
37         de visa full info dar

(6) Time. Taking the terms that fall under each of the categories identified in the
previous section {pm, urgent, minutes, longterm}, we now analyze lexical patterns
using n-grams. As an illustration, Table VIII shows the top 5 n-grams for n = 5 and the
term “pm”. Clearly, there is usually a sense of urgency associated with each mention of
pm – “same day”, “mail”, etc. all highlight the pressing need to convert compromised
credentials into cash.

Table VIII. Lexical pattern analysis – time (n = 5, term “pm”)

Frequency  Collocation
73         in same day pm fast
73         clean in same day pm
70         pm fast or mail me
70         day pm fast or mail
70         same day pm fast or

D. Geographic profiling
As an example, we analyzed one of the channel session logs, during which there were
39 unique entries, of which 71 per cent were English, and 29 per cent were Romanian
(using manual identification, to create a labeled dataset). For each entry, we used a
leading commercial language identification tool to identify the language. In 52.5 per cent
of the cases, the language was correctly identified, and in 47.5 per cent of the cases, an
incorrect identification was made. The average accuracy (as self-reported by the tool)
was 42.3 per cent, which is less than the actual accuracy. Although only Romanian and
English messages were present, Yapese, Interlingue, Flemish and Somali were also
identified. The results are shown in Table IX, including details of the actual language,
the identified language, the accuracy, and whether the assessment of the language
was correct.
Table IX. Language identification analysis

Actual language  Identified language  Accuracy (%)  Correct?
English          None                 0             No
English          Ateso                14            No
English          Ateso                14            No
English          Somali               15            No
English          None                 0             No
English          Yapese               21            No
English          Interlingue          25            No
English          Flemish              16            No
English          None                 0             No
English          English              49            Yes
English          English              56            Yes
English          English              53            Yes
English          English              81            Yes
English          English              45            Yes
English          English              32            Yes
English          English              45            Yes
English          English              63            Yes
English          English              37            Yes
English          English              53            Yes
English          English              44            Yes
English          English              55            Yes
English          English              48            Yes
English          English              46            Yes
English          English              65            Yes
English          English              53            Yes
English          English              79            Yes
English          English              98            Yes
English          English              41            Yes
Romanian         English              55            No
Romanian         English              55            No
Romanian         English              55            No
Romanian         English              55            No
Romanian         English              55            No
Romanian         English              32            No
Romanian         English              55            No
Romanian         English              23            No
Romanian         English              35            No
Romanian         English              27            No
Romanian         English              55            No

We have no doubt that the language identification tool we selected was robust and in
wide use. However, given that the entries for analysis are typically around 10-30 words
in length, it may be that this tool (or any tool) is only suitable for use with messages of
this length (approximately Twitter-length). Clearly, there is a need for tools which can
perform linguistic profiling on short texts, and there is currently some work in this area
which shows promising results (Layton et al., 2010).
IV. Discussion
In this paper, we have presented a preliminary methodology for automatic analysis of
credential trading systems, with a view to identifying the major types of activity present
in the data, as well as investigating how the data could be used to identify business
process elements, including geographic profiling of actors (such as traders and sellers).
By using term frequency analysis, we were able to extract highly frequent terms from an
IRC credential trading corpus, and use these terms as seeds for collocation analysis
using n-grams. We identified five key term categories from the subset of the 100 most
frequent terms (bank/payment provider names, supported trading actions, non-cash
commodities for trading, targeted countries and times), and demonstrated how actors
and processes could be extracted to identify common business processes in credential
trading. In turn, these elements could potentially be used to track the specific
trading activities of individuals or groups. The hope in the long term is that we may be
able to cross-reference named entities in the credential trading world (or a pattern of
activity) and cross-reference this with known credential theft attacks, such as phishing.
Indeed, we have had some success in manually identifying highly discriminating
features from phishing e-mails, such as time periods and timezones, which could
enhance criminal profiling (McCombie et al., 2008). However, these techniques rely on
manual feature extraction; we must be able to automate such processes to make them
effective.
Following from the term-frequency analysis, we also investigated automated
language identification of IRC credential trading messages. In this analysis, we
identified a major issue for automating the process – the accuracy of language
identification in messages of short length. This will continue to be a significant barrier to
the automation of profiling messages of this nature; however, it may be possible to build
more accurate language classifiers using a Bayesian approach, where the prior
probabilities of languages being present can be estimated. For example, in the logs we
have manually analysed, we have only ever found English and Romanian messages, so a
classifier could be seeded with the expectation that mostly English and Romanian text
will be seen (and not Yapese or Somali).
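An added example (not the authors' code) of the Bayesian classifier suggested above: a character-trigram naive Bayes model trained on a handful of constructed English and Romanian snippets, with the prior fixed to the 71/29 English/Romanian split reported in Section III.D and no prior mass for any other language, so a short message can only ever be labelled English or Romanian rather than Yapese or Somali. The training snippets, the held-out messages and the add-one smoothing are assumptions made for the example; evaluate() lays its output out in the columns of Table IX, and posterior() shows how the prior moves the result on text that both languages could have produced.

```python
"""Character-trigram naive Bayes language identifier with explicit priors.

Added example (not from the paper): a classifier seeded with the expectation
that messages are English or Romanian, scored on short IRC-style messages.
"""
import math
from collections import Counter

# Constructed training snippets in the style of the channels described
# (invented for this example, not the authors' data).
TRAINING = {
    "en": [
        "msg me for more info",
        "need good supplier for longterm deal",
        "i also sell fresh logins",
        "can cashout bank logins in same day",
        "selling full info with bank details",
    ],
    "ro": [
        "cumpar orice fel de visa full info",
        "dar sa fie cu info complet",
        "vand conturi de banca si cu detalii",
        "pentru orice fel de card",
        "am nevoie de un furnizor pe termen lung",
    ],
}

# Priors from the manually labelled proportions reported in Section III.D
# (71% English, 29% Romanian); no other language gets any prior mass.
PRIORS = {"en": 0.71, "ro": 0.29}


def trigrams(text):
    """Character trigrams of a space-padded, lower-cased message."""
    padded = f" {text.lower().strip()} "
    return [padded[i:i + 3] for i in range(len(padded) - 2)]


def train(corpus):
    """Per-language trigram counts plus the shared vocabulary used for smoothing."""
    counts = {lang: Counter() for lang in corpus}
    for lang, messages in corpus.items():
        for msg in messages:
            counts[lang].update(trigrams(msg))
    vocab = set().union(*counts.values())
    return counts, vocab


def log_posterior(msg, counts, vocab, priors):
    """Unnormalised log P(lang | msg) with add-one (Laplace) smoothing;
    one extra smoothing slot covers trigrams never seen in any language."""
    scores = {}
    for lang, prior in priors.items():
        total = sum(counts[lang].values())
        logp = math.log(prior)
        for tg in trigrams(msg):
            logp += math.log((counts[lang][tg] + 1) / (total + len(vocab) + 1))
        scores[lang] = logp
    return scores


def posterior(msg, counts, vocab, priors=PRIORS):
    """Normalised posterior over the languages that have non-zero prior."""
    scores = log_posterior(msg, counts, vocab, priors)
    m = max(scores.values())  # subtract the max before exp to avoid underflow
    weights = {lang: math.exp(s - m) for lang, s in scores.items()}
    z = sum(weights.values())
    return {lang: w / z for lang, w in weights.items()}


def classify(msg, counts, vocab, priors=PRIORS):
    """Most probable language and its posterior probability."""
    post = posterior(msg, counts, vocab, priors)
    lang = max(post, key=post.get)
    return lang, post[lang]


def evaluate(labelled, counts, vocab, priors=PRIORS):
    """Table IX style rows of (actual, identified, confidence %, correct) plus accuracy."""
    rows = []
    for actual, msg in labelled:
        identified, conf = classify(msg, counts, vocab, priors)
        rows.append((actual, identified, round(conf * 100), identified == actual))
    accuracy = sum(r[3] for r in rows) / len(rows)
    return accuracy, rows


COUNTS, VOCAB = train(TRAINING)

# Constructed held-out messages for the demonstration (not real channel data).
HELD_OUT = [
    ("en", "msg me for more info"),
    ("en", "need good supplier"),
    ("en", "fresh bank logins for sale"),
    ("ro", "cumpar orice fel de visa"),
    ("ro", "pentru orice fel de card full"),
    ("ro", "vand conturi de banca"),
]

if __name__ == "__main__":
    acc, rows = evaluate(HELD_OUT, COUNTS, VOCAB)
    for row in rows:
        print(row)
    print(f"accuracy: {acc:.1%}")
    print("'full info' with 71/29 prior:", posterior("full info", COUNTS, VOCAB))
    print("'full info' with 50/50 prior:", posterior("full info", COUNTS, VOCAB, {"en": 0.5, "ro": 0.5}))
```

Trigram features are what make this usable on 10-30 word messages: a single word contributes several overlapping trigrams, so even a short Romanian phrase accumulates enough language-specific evidence to outweigh the English prior, while a phrase such as "full info" that occurs in both training sets is decided mainly by the prior, which is exactly the behaviour the Discussion above argues for.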
References
Arquilla, J. and Ronfeldt, D. (Eds) (2001), Networks and Netwars: The Future of Terror, Crime,
and Militancy, RAND, Santa Monica, CA.
Aston, M., McCombie, S., Reardon, B. and Watters, P.A. (2009), “A preliminary profiling of
internet money mules: an Australian perspective. uic-atc”, Symposia and Workshops on
Ubiquitous, Autonomic and Trusted Computing, Brisbane, Australia, pp. 482-7.
Bechar-Israeli, H. (1995), “From <Bonehead> to <cLoNehEAd>: nicknames, play and
identity on internet relay chat”, Journal of Computer-Mediated Communication, Vol. 1
No. 2, available at: www.usc.edu/dept/annenberg/vol1/issue2/bechar.html
Eftekhari, A. (2006), “Fractal geometry of texts”, Journal of Quantitative Linguistics, Vol. 13
Nos 2/3, pp. 177-93.
Ho, W.H. and Watters, P.A. (2004), “Statistical and structural approaches to filtering internet
pornography”, Proceedings of the IEEE Conference on SMC, Hague, pp. 4792-8.
Layton, R., Watters, P. and Dazeley, R. (2010), “Authorship attribution for Twitter in
140 characters or less”, Proceedings of the 2nd Cybercrime and Trustworthy Computing
Workshop, pp. 1-8.
McCombie, S. and Pieprzyk, J. (2010), “Winning the phishing war: a strategy for Australia”,
Proceedings of the 2nd Cybercrime and Trustworthy Computing Workshop, pp. 76-86.
McCombie, S., Pieprzyk, J. and Watters, P.A. (2009), “Cybercrime attribution: an eastern European
case study”, Proceedings of the 7th Australian Digital Forensics Conference, WA.
McCombie, S., Watters, P.A., Ng, A. and Watson, B. (2008), “Forensic characteristics of phishing –
petty theft or organized crime?”, Proceedings of WEBIST, pp. 149-57.
Spärck Jones, K. (1972), “A statistical interpretation of term specificity and its application in
retrieval”, Journal of Documentation, Vol. 28 No. 1, pp. 11-21.
Stabek, A., Brown, S. and Watters, P.A. (2009), “The case for a consistent cybercrime
classification framework”, Proceedings of the 2009 Symposia and Workshops on
Ubiquitous, Autonomic and Trusted Computing, Brisbane, pp. 523-30.
Sullivan, J. and Bunker, R. (2002), “Drug cartels, street gangs and warlords”, Small Wars &
Insurgencies, Vol. 13 No. 2, pp. 40-53.
Figure 5.1: Grouping Features in Phishing Email Header including +0300 and Windows-1251
CHAPTER FIVE: FORENSIC ANALYSIS OF PHISHING ARTEFACTS FOR FEATURES
OF EASTERN EUROPE
5.1 Introduction
The previous chapter examined the cybercrime market which supports phishing and related
cybercrime by providing a market for the tools and proceeds of cybercrime. This chapter analyses
phishing emails and other phishing artefacts in an effort to group them and also identify any
ethnographic features which support the view that phishing and related cybercrime against Australia
is primarily an Eastern European phenomenon.
Initial research in 2006 and 2007 focused on whether empirical data collected on phishing attacks
supported the view that they primarily came from Eastern Europe. The first step, however, was to
see whether there was any correlation between attacks at this level or whether they appeared to be
the work of discrete attackers. For that research an archive of attacks against one Australian financial
institution (which wishes to remain anonymous) was obtained, which detailed every known Phishing
attack against that organisation during July 2006.
As this chapter describes, that collation and analysis, supplemented by subsequent research,
ultimately identified particular commonly-used grouping features and other strong indicators
confirming that the majority of those attacks had in fact originated in Eastern Europe. The most
revealing features in this sense were the Windows-1251 character set and the +0200, +0300 and
+0400 time zones.
5.2 Methodology
The initial research focused on incidents targeting one financial institution in Australia in July 2006.
That data was gathered by the bank’s response team, the Internet banking support team, from
customers’ reports, reports from other banks and from law enforcement. While it cannot be
claimed that every attack against the institution during that month was included, it is reasonable to
assume the great majority were captured by one of these methods. Apart from reports from directly
affected customers and other email users, the response team monitored a number of other sources
of information on potential attacks. These included the email gateway (for the undeliverable
messages generated when phishing emails were sent to non-existent addresses), e-mail to all of the
institution’s domains, and e-mail accounts subscribed to spam lists with various webmail providers
specifically for the purpose of monitoring phishing. Data collected included multiple copies of the
phishing e-mails including the full header information, details of the phishing site (including the html
of the pages in many cases) and the date, time and source of detection. A total of 71 incidents,
occurring between 1 July 2006 and 31 July 2006, were examined. An incident was defined by the use
of a unique phishing URL. Thus each Phishing URL, however many times it was used, was counted as
a single incident. While attacks observed after July 2006 sometimes used multiple URLs, at this time
that was not the practice and each attack was relatively discrete from both an attacker and a victim
viewpoint. The archival research, examining closely the incidents of one month for one institution,
effectively provided a more accurate picture of the scope of attacks than would any attempt to cover
the attacks on all institutions over the same or a longer period, which, practically, could only hope to
examine a small percentage of the total.
5.3 Phishing Artefacts Useful in Grouping
When planning the research exercise, items such as the e-mail source IP and specific content
features of the phishing sites were envisaged as key to grouping. However, they ended up being
largely irrelevant or of limited significance in the process. The X-Mailer field in the email header,
which is designed to designate the email client software used to create the email, was particularly
important. Ironically, with Group 3 the X-Mailer value was obviously faked, which can often be the
case with spamming programs such as Sendsafe (McCombie 2009); however, they used a non-existent
designation for the type of email client, and this invalid X-Mailer thus became a signature of that
group. Examples of features used to group the e-mails seen in July 2006 are shown in Figure 5.2
below. Even valid but rare X-Mailer values seen repeatedly were useful for grouping. Another useful
feature was common misspellings or typographical errors, tending to indicate that English was not
the first language of their authors. Another key grouping value was the URL itself, which often used
the same file name and directory path. This was despite the Phishing sites being located on
completely different servers and domains: the path in http://randomserver.randomdomain/secure/index.php,
for example, was a feature of Group 4.
The common attributes of the three major groupings, groups one, three and four, which accounted
for 61 of 71 incidents, are described in the tables below. For more detail, see section 5.7.
Figure 5.2: E-mail from Group 3 with grouping attributes highlighted
Figure 5.3: E-mail from Group 1 with grouping attributes highlighted
Table 5.1: Features of Group 1
Base 64 Encoded Subject:  Regular verification of Internet Banking Account
ContentType:              text/plain
X-Mailer Type:            Microsoft Outlook Express V6.00.2900.2180
Body Time Zone:           +0300
Common Typo Error:        bellow
Frequency:                30/71
Table 5.2: Features of Group 3
Common URL Structure:     /somebank.com.au
ContentType:              text/html
Common Typo Error:        We have asked few additional information
Character Code:           Windows-1251
Frequency:                13/71
Table 5.3: Features of Group 4
Common Sender:            SomeBank <access@somebank.com.au>
Subject:                  Online Access Agreement Update
Common URL Structure:     /secure/index.php
ContentType:              text/html
Sending MTA Type:         Exim
Frequency:                18/71
5.4 Ethnographic Features
5.4.1 Windows Character Set
Amongst the values already discussed is the character set Windows-1251, which is significant from an
ethnographic perspective. Windows-1251 was developed by Microsoft for the Russian version of
Windows 95 (Microsoft 2000) to deal with the Cyrillic alphabet, used in a number of Eastern European
countries including Russia and the Ukraine (see Figure 5.5). While it was not a value seen in any
great quantity in the July 2006 attacks, it was a feature of Group 3. In addition, where any character
set value did appear, it was in the majority of cases Windows-1251. A different Phishing e-mail corpus,
made available by Jose Nazario and covering Phishing incidents from November 2005 to August 2007,
was examined to see if this value was present. In particular, what Nazario describes as “Phishing
Corpus 2”, which contains 1423 phishing email messages from November 15, 2005 until 7 August,
2006, and “Phishing Corpus 3”, which contains 2279 phishing email messages from 7 August 2006 to
7 August 2007 (Nazario 2008), were examined. As can be seen in Figure 5.4, the character set
Windows-1251 accounts for the significant majority in both Phishing Corpus 2 and 3: 693 of the 904
phishing emails with any Windows character set value in “Phishing Corpus 3” and 376 of the 402
phishing emails with any Windows character set value in “Phishing Corpus 2”. It should be noted,
however, that the Nazario corpus was gathered within the United States and made no effort to
focus specifically on Australian banks, although they are included.
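The grouping attributes in Tables 5.1 to 5.3 and the character-set tally described in this section can be expressed as a small rule engine, which is what the paper reproduced in section 5.7 reports doing with Perl scripts for the October corpus. The block below is an added example in Python, not the thesis author's scripts. Its three messages are constructed to carry the Group 1, 3 and 4 attributes; the addresses, IP addresses, URL paths, Received headers and the placeholder X-Mailer value "NotARealClient 1.0" are all assumptions, and the rule that at least three otherwise unrelated elements must agree before an incident joins a group is the threshold the paper states.

```python
"""Rule-based grouping of phishing e-mails by header and body features (added
example, not the thesis author's Perl scripts). Sample messages are constructed
after Tables 5.1-5.3; addresses, paths, IPs and the invalid X-Mailer are placeholders."""
import base64
import email
import re
from collections import Counter
from email.header import decode_header
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Group 1 used a base64 (RFC 2047) encoded Subject; built here so the encoding is exact.
_SUBJECT_G1 = "=?windows-1251?B?%s?=" % base64.b64encode(
    b"Regular verification of Internet Banking Account").decode("ascii")

SAMPLES = {
    "g1": f"""From: "SomeBank" <internet@somebank.com.au>
Subject: {_SUBJECT_G1}
Date: Mon, 10 Jul 2006 04:12:33 +0300
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
Content-Type: text/plain; charset="windows-1251"

Please use the link bellow to verify your Internet Banking account:
http://203.0.113.7/~web/verify/index.htm
""",
    "g3": """From: "SomeBank Support" <support@somebank.com.au>
Subject: SomeBank Internet banking security message
Date: Mon, 10 Jul 2006 22:39:50 +0200
X-Mailer: NotARealClient 1.0
Content-Type: text/html; charset="windows-1251"

<html><body>We have asked few additional information to confirm your identity:
<a href="http://198.51.100.40/somebank.com.au/login.htm">Log in</a></body></html>
""",
    "g4": """Received: from smtp.example.org ([203.0.113.99]) by mx.somebank.com.au with ESMTP; Wed, 12 Jul 2006 03:05:11 +1000
Received: from [10.0.0.5] by smtp.example.org with esmtpa (Exim 4.63); Tue, 11 Jul 2006 20:05:02 +0300
From: SomeBank <access@somebank.com.au>
Subject: SomeBank Online Access Agreement Update
Date: Tue, 11 Jul 2006 20:04:58 +0300
Content-Type: text/html; charset="iso-8859-1"

<html><body>Please confirm the updated agreement at
<a href="http://www.example-host.com/secure/index.php">this page</a>.</body></html>
""",
}
KNOWN_TYPOS = ("bellow", "asked few additional information")

def extract_features(raw: str) -> dict:
    """Pull the header/body attributes the thesis used as grouping features."""
    msg = email.message_from_string(raw)  # compat32 policy keeps raw header strings
    raw_subject = msg.get("Subject", "")
    subject = "".join(p.decode(enc or "ascii", "replace") if isinstance(p, bytes) else p
                      for p, enc in decode_header(raw_subject))
    sent = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    tz = sent.strftime("%z") if sent is not None and sent.utcoffset() is not None else None
    body = (msg.get_payload(decode=True) or b"").decode(msg.get_content_charset() or "ascii", "replace")
    hops = msg.get_all("Received") or []  # last entry is the earliest hop, i.e. the sending relay
    mta = re.search(r"\((Exim|Postfix|Sendmail)\b", hops[-1]) if hops else None
    return {
        "sender": msg.get("From", ""),
        "subject": subject,
        "subject_encoded": raw_subject.strip().startswith("=?"),
        "x_mailer": msg.get("X-Mailer"),
        "content_type": msg.get_content_type(),
        "charset": (msg.get_content_charset() or "").lower(),
        "tz": tz,
        "mta": mta.group(1) if mta else None,
        "url_paths": [urlparse(u).path for u in re.findall(r"https?://[^\s\"'<>]+", body)],
        "typos": [t for t in KNOWN_TYPOS if t in body.lower()],
    }

# Decision rules distilled from Tables 5.1-5.3; a message joins a group only when
# at least MIN_MATCH otherwise unrelated elements agree (the paper's own threshold).
GROUP_RULES = {
    "Group 1": [lambda f: f["x_mailer"] == "Microsoft Outlook Express 6.00.2900.2180",
                lambda f: f["tz"] == "+0300", lambda f: f["content_type"] == "text/plain",
                lambda f: f["subject_encoded"], lambda f: "bellow" in f["typos"]],
    "Group 3": [lambda f: f["charset"] == "windows-1251", lambda f: f["content_type"] == "text/html",
                lambda f: any(p.startswith("/somebank.com.au") for p in f["url_paths"]),
                lambda f: "asked few additional information" in f["typos"]],
    "Group 4": [lambda f: "access@somebank.com.au" in f["sender"], lambda f: f["mta"] == "Exim",
                lambda f: "/secure/index.php" in f["url_paths"],
                lambda f: "Online Access Agreement Update" in f["subject"]],
}
MIN_MATCH = 3

def assign_group(features: dict) -> str:
    """Highest-scoring group with at least MIN_MATCH matching elements, else Unclassified."""
    scores = {g: sum(1 for t in tests if t(features)) for g, tests in GROUP_RULES.items()}
    group, score = max(scores.items(), key=lambda kv: kv[1])
    return group if score >= MIN_MATCH else "Unclassified"

def group_samples() -> dict:
    return {name: assign_group(extract_features(raw)) for name, raw in SAMPLES.items()}

def charset_histogram(raws) -> Counter:
    """Declared Windows code pages per message, as tallied for the Nazario corpora (Figure 5.4)."""
    charsets = (extract_features(r)["charset"] for r in raws)
    return Counter(c for c in charsets if c.startswith("windows-"))
```

Because the rules score independent features rather than matching a single value, a message that shares only the X-Mailer string and the content type with Group 1 stays unclassified, which is the behaviour a response team wants when a legitimate Outlook Express user's mail reaches the monitoring gateway.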
Figure 5.4: Windows Character sets from Nazario Phishing corpus 2 & 3
Figure 5.5: Windows Character Set 1251 (Microsoft 2010)
A re-examination of the phishing artefacts from the first incidents in 2003 also showed this feature.
Figures 5.6 and 5.7 illustrate examples of the character set Windows-1251 being used in an email in
those first attacks on Internet Banks. The two emails are from the phishing attack on the Bank of
America which occurred on 12 May 2003 and the attack on Westpac on 4 July 2003.
Figure 5.6: Header from Phishing email on Bank of America 14 May 2003 (McCombie 2008)
Figure 5.7 Header from Phishing email on Westpac 4 July 2003 (McCombie 2008)
5.4.2 Time Zone
When sending emails, email client programs often place the time zone at the end of the “Date:”
field, e.g. “Date: Wed, 27 Apr 2011 10:05:57 +1000”. While this does not happen in every case, when
it does, the time zone set by the originating system can be instructive. Of course, as with many other
email features this can be faked but, on the other hand, it is also not obvious to the sender that it is
included. Figure 5.8 shows the world time zones. Of particular interest are the zones used in Eastern
Europe and western Russia. They are +0200 (Eastern European Time), +0300 (Eastern European
Summer Time, Moscow Standard Time) and +0400 (Moscow Daylight Time).
In the examination of the time zones in the July 2006 Phishing incidents, “+0300” was present in 32
incidents, “+0200” in 4 incidents and “+0400” in 4 incidents. The three values accounted for 40 of 62
incidents where a time zone was present. As that was during the period when summer time was
invoked, the time zone +0300 was applicable for Eastern Europe and +0400 for western Russia.
Figure 5.8: Time zones of the World (http://www.lib.utexas.edu/maps/world_maps/time_zones_ref_2005.pdf)
The +0300 time zone was also present in the first phishing attack in 2003 on the Commonwealth
Bank of Australia. An extract of an email used in the first Internet bank attack on Commonwealth
Bank on 17 March 2003 is in figure X. Being March, when summer time is not effective, the
expected time zone would be +0200 for Eastern Europe and +0300 for western Russia.
Figure 5.9: Selection from Phishing email for Commonwealth Bank 17 March 2003 showing +0300 time zone.
5.5 Temporal Analysis of Attacks
For the July 2003 data, the time of day at which the 63 attacks occurred, where the time was
available, was examined (see Figure 5.10 below). This was based on the receiving time of the SMTP
server to which they were sent, as recorded in the e-mail header, which is relatively reliable. From
midnight to 9.37am Australian Eastern Standard Time (AEST) there were 45 incidents, and from
6.37pm to midnight AEST a further 12 incidents. However, from 9.37am to 6.37pm AEST (covering
normal AEST business hours) only six incidents occurred, three of them within 17 minutes. Converted
to Eastern European Summer Time (EEST), this means the less active period was between 2.37am
and 11.37am EEST. The logical conclusion is obvious. Most of the attacks on Australians took place
during normal waking hours, and the fewest during normal sleeping times, on the opposite side of the
world, in Eastern Europe.
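The conversion between the bank's AEST reception clock and the attacker's presumed EEST clock, and the three time windows used above, can be scripted so the same analysis runs over any set of Received headers. This is an added example, not the thesis author's code; the Received headers are constructed, and the window boundaries of 9.37am and 6.37pm AEST are the ones given in the text.

```python
"""Temporal analysis of phishing incidents: when attacks land in AEST versus
the attacker's presumed local time (EEST). Added example, not the thesis
author's code; the Received headers are constructed."""
from collections import Counter
from datetime import datetime, time, timedelta, timezone
from email.utils import parsedate_to_datetime

AEST = timezone(timedelta(hours=10), "AEST")  # Australian Eastern Standard Time
EEST = timezone(timedelta(hours=3), "EEST")   # Eastern European Summer Time

# Boundaries of the quiet period the chapter reports (Australian business hours).
QUIET_START, QUIET_END = time(9, 37), time(18, 37)

# Constructed trace headers as a bank MX would write them; the timestamp after
# the final ';' is the receiving server's own clock, which is why the chapter
# treats it as relatively reliable compared with the sender-controlled Date field.
RECEIVED = [
    "Received: from 198.51.100.7 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 03:15:02 +1000",
    "Received: from 203.0.113.21 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 04:01:10 +1000",
    "Received: from 198.51.100.9 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 06:40:44 +1000",
    "Received: from 192.0.2.33 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 08:59:05 +1000",
    "Received: from 203.0.113.5 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 09:20:51 +1000",
    "Received: from 192.0.2.8 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 11:05:00 +1000",
    "Received: from 198.51.100.2 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 18:44:12 +1000",
    "Received: from 203.0.113.88 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 19:39:30 +1000",
    "Received: from 192.0.2.19 by mx.somebank.com.au with ESMTP; Tue, 18 Jul 2006 23:50:59 +1000",
]

def reception_time(received_header: str) -> datetime:
    """Parse the timestamp the receiving MTA appended after the last ';'."""
    return parsedate_to_datetime(received_header.rsplit(";", 1)[1].strip())

def window(dt: datetime) -> str:
    """Bucket an incident by AEST wall-clock time into the chapter's three windows."""
    local = dt.astimezone(AEST).time()
    if local < QUIET_START:
        return "00:00-09:37 AEST"
    if local < QUIET_END:
        return "09:37-18:37 AEST (business hours)"
    return "18:37-24:00 AEST"

def aest_to_eest(t: time) -> time:
    """Convert an AEST wall-clock time to the equivalent EEST wall-clock time."""
    ref = datetime(2006, 7, 18, t.hour, t.minute, tzinfo=AEST)
    return ref.astimezone(EEST).time()

def quiet_period_in_eest() -> tuple:
    """The Australian business-hours lull expressed on an Eastern European clock."""
    return aest_to_eest(QUIET_START), aest_to_eest(QUIET_END)

def summarize(headers) -> dict:
    """Incident counts per AEST window."""
    return dict(Counter(window(reception_time(h)) for h in headers))

def attacker_clock(headers) -> list:
    """Each incident's time of day on the presumed attacker clock (EEST)."""
    return [reception_time(h).astimezone(EEST).strftime("%H:%M") for h in headers]

if __name__ == "__main__":
    print(summarize(RECEIVED))
    print("quiet period in EEST:", quiet_period_in_eest())
    print(attacker_clock(RECEIVED))
```

The windows are evaluated on the MX's own timestamp, not on the Date header, so a forged Date field does not shift an incident between buckets; only the attacker's actual sending schedule does.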
Figure 5.10: Timing of 63 Attacks in July 2006 by AEST where available
5.6 Conclusion
The various features found in emails from the July 2006 incidents, the first Internet Bank Phishing
attacks in 2003 and the Phishing corpus from Jose Nazario illustrate empirically that the Phishing
attacks have a strong nexus to Eastern Europe. Obviously, the techniques used for this analysis can
equally be employed more broadly, affording similarly informative intelligence in the pursuit of
attribution of transnational cyber attacks. In the final chapter a phishing attack model of these
groups is presented, a broader theory of cybercrime operations based on this work is proposed, and
options capable of being deployed to disrupt the phishing attack model are identified. Importantly,
the greatest weakness in the Phishing attack model is identified and it is argued that a focus on this
weakness would be more beneficial in countering this problem than the current reliance on technical
controls.
5.7 References
McCombie, S., Watters, P. , Watson, B. & Ng, A. (2008). “Forensic Characteristics of Phishing - Petty
Theft or Organized Crime?” Fourth International Conference on Web Information Systems and
Technologies. Funchal, Madeira, Portugal. 1: pp 149-157.
FORENSIC CHARACTERISTICS OF PHISHING
Petty Theft or Organized Crime?
Stephen McCombie, Paul Watters, Alex Ng and Brett Watson
Cybercrime Research Lab, Macquarie University, NSW 2109, Australia
{mccombie, alexng, brett}@ics.mq.edu.au, [email protected]
Keywords: Phishing, Attack Grouping, Organized Crime, Computer Crime, eCrime Forensics.
Abstract:
Phishing, as a means of pilfering private consumer information by deception, has become a major security
concern for financial institutions and their customers. Gartner estimated losses in 2006 to phishing in the US
were approximately USD$2.8 Billion. Little has been published on the forensic characteristics exhibited in
phishing e-mail. We hypothesize that shared features of phishing e-mails can be used as the basis for
grouping perpetrators using at least a common modus operandi, and at most, a level of criminal organization
– i.e., we suggest that phishing activities are carried out by a small number of highly specialized phishing
gangs, rather than a large number of random and unrelated individuals using similar techniques. Analysis of
repeated phishing e-mail samples at a major Australian financial institution – using a criminal intelligence
methodology - revealed that 6 groups, from a sample of 500,000 spam e-mails, could be uniquely classified
by constructing simple decision rules based on observed feature sets, and that 3 groups were responsible for
86% of all incidents. These results suggest that – at least for the institution concerned – there appears to be a
level of criminal organization in phishing attacks.
1 INTRODUCTION
The hacking scene has, with the rise of phishing,
been transformed in recent years from a culture
based largely on youthful exploration, to one
focused on criminal profit (Stamp et al., 2007).
APACS, the UK payments association, reported UK
online banking fraud was GBP£33.5 million in 2006
(APACS, 2007). In January 2006, the Bulgarian
National Services to Combat Organized Crime
(NSCOC) agency arrested an organized ring of eight
individuals who allegedly operated an international
“phishing” operation (Technology News Daily,
2006). Considerable anecdotal evidence exists to
suggest that other transnational organized crime
groups are involved in phishing activities (Naraine,
2006).
To date, there has been little research into the
individuals and groups behind phishing, how they
are organized, and what methods they use. To
effectively combat organized (rather than petty)
criminals, a greater understanding of the means,
motives and opportunities is required. Of course,
phishing may not be a major concern for organized
crime, and even if there were specific criminal
“signatures” that indicated a level of organization,
these may simply reflect a common modus operandi,
as much as the sharing of intelligence and
coordination of activities.
The goal of this paper is to present a first
attempt at a new criminal intelligence methodology
that aims to answer the question of how organized
phishing groups are, in terms of modus operandi and
coordination of attacks. To this end, we have
investigated phishing attacks at a major Australian
financial institution for two time periods (July and
October 2006). The aim was not to do a “breadth first”
search of all targets of phishing, but to examine the
characteristics of attacks against a specific target.
The results presented below offer a level of
support for our hypothesis that there is a high level
of organization in phishing attacks – at least for the
institution concerned – but further work will be needed to
see if the results are generalizable to financial
institutions as a group, and to other organizations at
large.
The first data set used in this study comprised a
subset of identified phishing e-mails from a monthly
“spam collection” in excess of 500,000 messages in
July 2006. 71 unique phishing incidents were then
identified. By examining these incidents using the
method described below, we attempted to determine
the level of organization for each attack, by
examining their timing, and the relationship between
each other. The method was then repeated for the
October 2006 sample.
WEBIST 2008 - International Conference on Web Information Systems and Technologies
2 RELATED WORK
The majority of existing research on phishing has
focused on areas such as studying user response to
phishing e-mails (Dhamija et al., 2006) (Jagatic et al.,
2005), tools to model phishing attacks (Jakobsson,
2005), and e-mail content filtering defense
mechanisms against phishing activities such as the
Barracuda Spam Firewall, Microsoft Phishing Filter
and Symantec Brightmail Anti-Spam software. Abad
(2005) studied the economy of phishing networks by
analyzing e-mails and instant messages collected
from key phishing-related chat rooms. However, his
work did not look into the forensic information of
those phishing e-mails.
In regard to the research in analyzing the
content of phishing e-mails for detection and
classification purposes, both Chandrasekaran et al.
(2005) and Fette et al. (2000) have focused on
determining whether an e-mail is a phishing attempt
or not. Ramzan and Wüest (2007) have focused on
the trends seen in phishing attacks throughout 2006.
The closest work to this research is reported by
James (2005), in which 48 distinct phishing groups were
identified by analyzing the nature of the phishing e-mails and the phishing websites.
The analysis framework, as it stands, relies
primarily on characterizing and determining the
frequency of certain features in the phishing e-mails
using a type of authorship analysis, to determine
forensic signatures.
3 METHODS
Casual observations to date have been that incidents
seem able to be grouped on the basis of a large number
of common characteristics. One well publicized
group known as “RockPhish” (McMillan, 2005)
is well known to responders because of its
distinctive style of attack. Thus, to answer our
research question regarding the level of organization
of phishing attacks, we have sought to make use of
these distinctive features in developing a criminal
intelligence methodology for phishing, based on
authorship analysis.
Research in the mining of e-mail content for
authorship analysis has had a long history since
the advent of e-mail in the 1990s (de Vel, 2005).
The application of authorship analysis is usually
focused on collecting authorship characteristics to be
used in the context of plagiarism detection.
However, authorship analysis can also be applied to
identify a set of characteristics that remain relatively
constant and unique to a particular author – in this
case, the hypothesized phishing gangs.
To minimize systematic error and bias in
making general observations across a range of
different target sites, we focused on understanding
the phishing attacks occurring at a major Australian
financial institution. Two sets of e-mail spam data,
of which phishing forms a subset, were analyzed
(from July and October 2006).
We initially applied the authorship analysis to
the July data set, with the intention of testing the
reliability from this sample to a later October
sample. We were interested here in both the
variation in techniques used as a function of time,
and whether discrete groups could still be identified.
In developing the criminal intelligence
methodology, we primarily followed James’ (2005)
work by investigating the following key items for
identification:
• Bulk-mailing tool identification and features
• Mailing habits, including, but not limited to, their specific patterns and schedules
• Types of systems used for sending the spam (e-mail origination host)
• Types of systems used for hosting the phishing server
• Layout of the hostile phishing server, including the use of HTML, JavaScript, PHP, and other scripts
• Naming convention of the URL used for the phishing site
• IP address of the phishing site
• Assignment of phishing e-mail account names
• Choice of words in the subject line
• The time-zone of the originating e-mail
Building on this approach for each incident,
where the data was available, the following features
were also examined:
• The e-mail source including text used, metadata and header information
• The web pages and web hosts used including directory structure and files
• Any other characteristics which may have identified a link between separate incidents
Based on feature similarity, the incidents were
assigned a group number for each identified
characteristic for the July dataset. Consideration was
given to other causes of similarity, such as
coincidental use of shared “phishing kits” (which
might be the phishing equivalent of a rootkit), and
spam-generating tools that may have produced
similar footprints. Sets of rules based on these
characteristics were used to produce a set of Perl
scripts to analyze the October dataset.
The data examined for each incident included
the full e-mail header and body. The content and
structure of the phishing site, WHOIS information
for each IP and domain used, details of web server
software, operating system and port banners for
other services running, were then obtained.
Gathering together all of the potentially relevant
information – from common DNS registrants to
spelling mistakes – allowed us to build up a highly
detailed case file for each incident, which in turn
provided a rich data source for unique classification
of each incident by a hypothesized criminal group.
4 RESULTS
The results below are presented with an ethical
preface, in that some details of the investigative
methodology have been simplified or omitted for the
purpose of not revealing the exact modus operandi
of the perpetrators. The goal here is to prevent
alerting of the groups concerned (who may then
change their techniques), and also to prevent other
groups from adopting these techniques. Thus, in
some cases, representative results that could be used
to group the incidents have been presented, rather
than compromising ongoing criminal investigations.
4.1 Grouping of Phishing Gangs
A number of attributes, including structural features,
patterns of vocabulary usage, and stylistic and
sub-stylistic features, which are common attributes used
in authorship analysis, were used to define groups in
this study (de Vel et al., 2000). In all instances, at
least three otherwise unrelated elements in common
across incidents were used to allocate an incident to a
group. The grouping exercise identified six groups
comprising 69 of the 71 incidents. The 6 groups
were designated Group 1 to 6, and for the purposes
of illustration, some general descriptions of the
criteria that were used to select the groups are given
below:
• The presence of distinctive phrases (especially spelling errors) in the message text.
• The presence of HTML hyperlinks in the message text, with a URL matching a specific pattern.
• The DCC checksums of the message text (indicative of identical text).
• The presence of certain exact strings in header fields (such as "From", "X-Mailer", and "X-Priority").
• The matching of a specific pattern in header field values (such as the subject, message-ID, and various e-mail address fields).
• The structure of given header fields, where more than one element was available for use (such as "Received" and "To").
• The overall MIME structure of the message (such as "text/plain" and then "text/html" enclosed in "multipart/related").
Figure 1 shows the relative composition of each
group, and indicates that two incidents were unable to
be grouped using our methodology. Significantly, 61
of the 71 incidents were attributed to just three
groups: 1, 3 and 4. Those three groups in percentage
terms accounted for an astonishing 86% of all
incidents.
Figure 1: Distribution of Phishing Incidents among Groups in July 2006.
Group 1: 30 (43%); Group 4: 18 (25%); Group 3: 13 (18%); Group 2: 3 (4%); Group 5: 3 (4%); Group 6: 2 (3%); Unclassified: 2 (3%).
4.2 Values that Enabled Grouping
Sub-groups within the spam corpus were identified
by selecting several distinctive features of the kind
described in Section 3. In this section we describe
some of those criteria in more detail, and our
quantitative findings.
4.2.1 Structure of Phishing Site
The URL structure was one of the elements used to
group the incidents. Initial grouping by e-mail
header data was often confirmed in phishing site
structure. It was initially thought that web elements
of each attack may have been more useful in
grouping. However, on reflection, many of the non-content
web site elements were dependent not on the
phishing groups themselves, but on the victims whose
sites are compromised to host the phishing sites. We
considered the possibility that phishing kits which
consisted primarily of web content may be
responsible for some similarities in URL structure
and web content, but we would not expect to see
similarities in e-mail values as well as a result of
using these kits. Based on the information available
from the July corpus, we investigated the contents of
86 phishing sites, including: details of the phishing
site’s URL, host IP address, domain registrant,
domain registrar, country, NINS, CIDR, operating
system, Web server type, the Web content and
Charset used, and so on.
Table 1: Commonly used words in the URLs of July 2006 phishing incidents (total 86 URIs).
Commonly Used Words        Occurrence   Percentage
Index                          58          67%
victimbank                     48          56%
victimbankib                   41          48%
victimbankal                   37          43%
victimbankib/index.htm*        36          42%
Php                            24          28%
Secure                         18          21%
Online                         15          17%
Cgi                            13          15%
agreement                      12          14%
Login                           9          10%
Table 1 summarizes some of the commonly
used words found in the URLs of phishing sites. In
this example, the legitimate URL of the target’s
website was victimbank.com. As expected, the word
“victimbank” (56%) had a high occurrence.
However, variations such as “victimbankib” (48%)
and “victimbankib/index.htm” (42%) were also
observed. The use of this particular pattern
“victimbankib” suggests a common nomenclature
originating from a specific group of phishers. To
substantiate this claim, we examined other details
such as IP address, OS, Web server type, etc.
collocated with the “victimbankib” pattern, and
found the following:
• A particular range of class C IP subnet addresses was frequently used (28%). The result from a whois search shows the IP range was managed by a particular Regional Internet Registry (RIR) in Europe.
• Many of the IP addresses used were also in a class A subnet range (34%).
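The word counts of Table 1 and the "victimbankib" nomenclature check can be reproduced over any incident list with a short tokeniser. The block below is an added example, not the paper's own scripts; its URLs are constructed around the placeholder target name "victimbank" and example hosts, so the counts are illustrative only. It goes a little beyond Table 1 by also counting adjacent path-segment pairs, which is how a pattern such as "victimbankib/index.htm" surfaces independently of the host it sits on.

```python
"""Word and path-pattern frequencies across phishing URLs, in the style of
Table 1. Added example, not the paper's scripts; the URLs are constructed
around a placeholder target 'victimbank' and example hosts."""
import re
from collections import Counter
from urllib.parse import urlparse

URLS = [
    "http://203.0.113.10/victimbankib/index.htm",
    "http://www.example-host.org/~user/victimbankib/index.htm",
    "http://198.51.100.4/victimbankal/index.php",
    "http://198.51.100.4/victimbankal/secure/login.php",
    "http://hosting.example.net/secure/index.php",
    "http://hosting.example.net/online/agreement/index.php",
    "http://192.0.2.55/cgi-bin/victimbank/index.htm",
    "http://confirmationpage.victimbank.com.example/index.htm",
    "http://203.0.113.77/victimbankib/index.htm",
    "http://shop.example.com/images/victimbank/secure/index.php",
]

def url_words(url: str) -> set:
    """Distinct alphabetic tokens in host and path (one count per URL, as in Table 1)."""
    p = urlparse(url)
    return set(re.findall(r"[a-z][a-z0-9]*", (p.netloc + p.path).lower()))

def word_frequency(urls) -> list:
    """(word, occurrence, percentage of URLs) sorted by occurrence."""
    n = len(urls)
    counts = Counter(w for u in urls for w in url_words(u))
    return [(w, k, round(100 * k / n)) for w, k in counts.most_common()]

def substring_share(urls, needle: str) -> int:
    """Percentage of URLs containing needle anywhere, so 'victimbank' also
    counts the 'victimbankib' and 'victimbankal' variants, as Table 1 does."""
    return round(100 * sum(needle in u.lower() for u in urls) / len(urls))

def path_bigrams(url: str) -> list:
    """Adjacent path-segment pairs, e.g. 'victimbankib/index.htm'."""
    segs = [s for s in urlparse(url).path.split("/") if s]
    return [f"{a}/{b}" for a, b in zip(segs, segs[1:])]

def path_pattern_frequency(urls) -> list:
    """Most common adjacent segment pairs across incidents; a pair repeated on
    unrelated hosts points to the phisher's naming habit, not the host's layout."""
    return Counter(bg for u in urls for bg in set(path_bigrams(u))).most_common()

def incidents_with(urls, pattern: str) -> list:
    """URLs carrying a pattern, for cross-checking against IP, OS or server type."""
    return [u for u in urls if pattern in u]

if __name__ == "__main__":
    for row in word_frequency(URLS)[:8]:
        print(row)
    print("URLs containing 'victimbank':", substring_share(URLS, "victimbank"), "%")
    print(path_pattern_frequency(URLS)[:3])
```

The two counting methods deliberately differ: exact tokens separate "victimbankib" from "victimbank", while the substring share reproduces the table's inclusive count for the brand name, and the path-pair counter is what makes a shared naming convention visible even when every incident is hosted on a different compromised server.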
Figure 2: Phishing sites by hosting country July 2006.
USA: 49%; Great Britain: 19%; Multiple sites: 11%; Korea: 6%; others: 5%; Russia: 4%; China: 2%; Germany: 2%; Canada: 2%.
Figure 2 shows that the USA (47%) and Great
Britain (19%) were the top two most popular
countries hosting phishing sites for the July 2006
sample. This indicates that ISPs in the USA and the
UK are either more prone to hosting phishing attacks
due to insufficient defense against phishing
activities, or due to the vast numbers of ISPs
available in these two countries. Additionally, in
some 11% of cases, multiple sites were used. We
believe this indicates a trend towards the next generation of botnet-style hosting for phishing sites,
which has been increasingly seen since this sample was
gathered.
Time of day is another possible fingerprint.
When we examined Tuesday 18 July 2006 in detail
(Table 8), 12 phishing incidents were observed,
starting at 4.01am and continuing to 8.59am, then
followed by a break of about ten hours, followed
again by three from 6.44pm to 7.39pm. This may be
deliberate targeting of the victim users when they
access their systems in the morning and first thing in
the evening, or may again indicate the working
schedule of the phishers themselves.
Figure 3: Operating system used by the phishing sites July 2006.
Unix: 46 (86%); Win32: 4 (8%); Linux: 3 (6%).
Figure 4: Web server types used by the phishing sites July 2006.
Apache: 61 (92%); Microsoft: 3 (5%); Others: 2 (3%).
In the October corpus, a new style of attack
was identified for a particular phishing group not
seen in July. The group used a URL that spoofed
"victimbank.com" and had a hostname component of
"confirmationpage". They assigned each individual
phishing URL a subdomain that was tied to an
Internet address of a compromised computer under
the phisher’s control. When a victim clicked on a
link in the phishing e-mail, they would be routed
through the compromised PC to the correct phishing
Web page, depending on a special code specified in
the e-mail link. The methodology resembles that
used by the “RockPhish” group mentioned earlier.
4.2.2 E-mail Header Information
Figure 5: X-Mailer values used in the July 2006 phishing incidents.
Invalid Value: 30 (71%); Microsoft Express 6.00: 7 (17%); Microsoft Outlook Express 5: 3 (7%); Microsoft CDO for Exchange 2000: 2 (5%).
Our analysis showed that while values such as IP
address source were interesting, they did not prove
to be useful for classifying groups. However, some
less obvious features were unexpectedly more useful
for grouping. Two particular values associated with
a particular group, the X-Mailer and the Date field
time zone, were observed only in phishing e-mails
and never in any valid e-mail in the sample data
(which included more than 500,000 spam messages).
Figure 5 shows that Microsoft Outlook Express
versions 5 and 6 were the most widely used X-Mailer
platform in the July phishing incidents. This result
was confirmed in the October corpus, as shown in
Table 2. One abnormality observed in the July
corpus was the frequent occurrence of an invalid
value (71%). 7,291 messages in the October corpus
carried this particular value, and 3,680 of those
messages targeted other victim organizations and
were associated with other illegal activities, such as
job scams.
Thus, the X-Mailer value appeared to be the main
fingerprint of the spam tool used by this particular
group. Google searches using the X-Mailer values
were subsequently used to identify other phishing
messages posted to the web and newsgroups. As
these values are still in use by phishing groups
today, we are precluded from providing further
details.
Table 2: X-Mailer values in the October 2006 corpus.
X-Mailer                              Frequency   Percentage
Microsoft Outlook Express               210,958     27.36%
Microsoft Office Outlook                 58,339      7.57%
Base64 string                             8,885      1.15%
Internet Mail Service                     4,102      0.53%
MIME-tools 5.503 (Entity 5.501)           2,971      0.39%
SquirrelMail/1.4.3a                       2,181      0.28%
Calypso Version 3.30.00.00
4.2.3 E-mail Subject, Sender and other Text Values
Table 3: Some commonly used Sender Addresses.
Commonly used Sender address   Frequency   Percentage
victimbank                         53          75%
access@                            14          20%
Support@                           12          17%
Security@                           8          11%
Account@                            4           6%
internet@                           2           3%
Other e-mail values examined and used for
grouping were the subject and sender values. While
many phishing e-mails spoof the victim institution,
some do use other e-mail addresses. As shown in
Table 3, when spoofing the organization’s e-mail
domain, there were many choices of username to
spoof from the victim institution, e.g.
[email protected], [email protected],
[email protected], or
[email protected]. While all these values are
subject to copycatting, they can be used in
conjunction with other more highly discriminating
values to facilitate grouping.
Table 4 shows the result of our analysis of the
Subject line from the July corpus. A majority of the
phishing e-mail subject lines used a Base-64
encoded character string (41%). This indicates a
program-generated subject line.
Table 4: Commonly used words in the subject line in the July 2006 phishing incidents.
Commonly used word in the subject line   Frequency   Percentage
Base-64 encoded                              29          41%
Update                                       21          30%
Access                                       15          21%
Agreement                                    15          21%
Account                                      13          18%
Victim Bank                                  11          15%
Security                                     11          15%
Internet                                      7          10%
Another commonly used word is “update”
(30%), as contained in the subjects “Security Update
Request” and “Agreement Update”. The third most
commonly used word is “access” (21%), as
contained in the subject “Online Access Agreement
Update”. The other commonly chosen words were
“Account” (18%) and “victim-bank Internet banking
security message” (15%). 220,494 distinct subject
line values out of the total 770,998 e-mails were
found in the October 2006 corpus; 43% of the total
corpus contains a delivery failure notification in the
subject line. The October 2006 corpus also
confirmed that phishing Group 1 was active in
launching attacks, with 3,611 messages (0.5% of
the corpus) identified as targeting this particular
financial organization.
Table 5: Job offer scam launched by Group 1 in the October 2006 corpus.

Subject                           # of Instances
Job offer from BestTrade Group    108
Job offer from SelfTrade Group    101
Job offer U.F.I.S. PE             96
Job offer from BidsTrade Group    59
Job offer from BidsLoan Group     44
Job offer from UnelTrade Group    35
Job offer from SelfPower Group    28
Job offer from MetaBrand Group    14
Job offer from XepsTrade Group    3
FORENSIC CHARACTERISTICS OF PHISHING - Petty Theft or Organized Crime?

Interestingly, by using the signatures left by Group 1 in their phishing messages, another 3,280 messages were identified targeting other financial organizations including CitiBank, PayPal and Bank of America. It is logical to expect that money mule job scams of a kind have been perpetrated in conjunction with phishing attacks, again indicating a high level of organization through diversified criminal activity. This was confirmed with another 488 messages that started with "Job offer" in the message subject (Table 5). Moreover, we have also identified 238 ‘Nigerian 419 scam’ messages having the same signatures that belong to Group 1. These results indicate that phishing attacks are related to other crimes committed using e-mail. We also found 6,523 (0.9%) messages contained the subject line: “victim Bank official message”. This matched one of the key characteristics of the Group 6 phishers, although the subject lines found in the October corpus differed slightly from those found in the July corpus. Further investigation confirmed that these e-mails originated from the same group. Other characteristics that confirm our grouping for this particular Group 6 are:
• The e-mail structure is text/html;
• The DCC Fuz2 value for the e-mail content is equal to a particular value;
• The From field contains the common plain text “victimbank security”; and
• The Sender field contains a particular user value.
4.2.4 DCC Fuz2 Checksum

The Distributed Checksum Clearinghouse (DCC) is an anti-spam content filter (http://www.dccservers.net/dcc/) used by SMTP servers and mail user agents to detect spam messages. We applied the DCC Fuz2 checksum to all messages in the October corpus and identified 560,801 distinct values. Some of the most frequent messages are listed in Table 6. We found that both the Group 1 and Group 2 phishing gangs were active in October 2006. Group 2 had launched separate attacks against this organization and another victim bank.
Table 6: Most frequent messages identified by DCC Fuz2 checksum in the October 2006 corpus.

Most frequent messages in October corpus          Frequency
Group 1 messages targeting this victim bank       3611
Group 2 messages targeting the victim bank        2842
"Replica" Spam messages                           1657
Group 2 messages targeting another victim bank    1626
ED Spam                                           1395
4.2.5 Spelling and other Typographic Errors

Another interesting aspect of many phishing e-mails is their grammar and spelling. A standard feature of many early phishing e-mails was their very poor grammar and spelling. Common errors include “statment”, “acount”, “fullfil” and “automaticly”. Many of these errors have now disappeared, but they are still a useful value to identify groups. In addition to clear spelling, grammatical and other typographic errors, unusual terminology is another useful grouping value. An example of this is a reference found in one group’s e-mails to a fictional entity, the “National Anti-fraud Organisation of Australia” (Group 4). We found that a specific typographical error occurred in many phishing e-mails that could not be identified by a spellchecker. This is a strong indicator for the grouping of phishing messages to a particular group. Using that particular word to search in Google found that it appeared in e-mails related to other activities such as the Nigerian 419 Scam and the eBay (VOLUME 2 of 3 Share) scam.
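As an added illustration (not code from the paper or the thesis), the following Python script carries out the kind of header-feature tabulation described in Sections 4.2.2 to 4.2.5 on a small constructed corpus: it extracts the X-Mailer family, the sender's local part, whether the Subject is an RFC 2047 Base64-encoded string, the MIME structure and which of the tell-tale misspellings appear in the body, builds frequency tables like Tables 2 to 4, and then groups messages that share the same combination of values. The six sample messages, the sender names and the group sizes are constructed; the DCC Fuz2 checksum is an external service and is not reimplemented here, so the structure and sender tests stand in for it.

```python
"""Header-feature grouping of phishing e-mails.

Added example, not code from the paper: it tabulates the X-Mailer,
sender local part, subject encoding, MIME structure and tell-tale
misspellings of each message, then groups messages that share the
same combination. The six sample messages are constructed.
"""
import base64
import re
from collections import Counter, defaultdict
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr


def b64_subject(text):
    """RFC 2047 base64 Subject value, as mass-mailing tools emit it."""
    return "=?utf-8?B?" + base64.b64encode(text.encode()).decode() + "?="


def make_message(sender, subject, mailer, ctype, body):
    """Assemble a minimal RFC 5322 message string (constructed sample)."""
    return (f"From: {sender}\nSubject: {subject}\nX-Mailer: {mailer}\n"
            f"Content-Type: {ctype}\n\n{body}\n")


# Constructed corpus: three messages from one tool chain, two from a
# second, and one ordinary bounce that should group on its own.
CORPUS = [
    make_message("victimbank security <Security@victimbank.example>",
                 b64_subject("Security Update Request"),
                 "Microsoft Outlook Express 6.00.2900.2180", "text/html",
                 "<p>Please verify your acount statment.</p>"),
    make_message("victimbank security <Security@victimbank.example>",
                 b64_subject("Agreement Update"),
                 "Microsoft Outlook Express 6.00.2800.1106", "text/html",
                 "<p>Your acount statment could not be updated.</p>"),
    make_message("victimbank security <security@victimbank.example>",
                 b64_subject("Security Update Request"),
                 "Microsoft Outlook Express 6.00.2900.2180", "text/html",
                 "<p>Your acount statment needs attention.</p>"),
    make_message("<access@victimbank.example>",
                 "Online Access Agreement Update",
                 "SquirrelMail/1.4.3a", "text/plain",
                 "Please confirm your internet banking access."),
    make_message("<access@victimbank.example>",
                 "Online Access Agreement Update",
                 "SquirrelMail/1.4.3a", "text/plain",
                 "Please confirm your internet banking access today."),
    make_message("Mail Delivery System <postmaster@mail.example>",
                 "Delivery failure notification",
                 "Microsoft Office Outlook 11", "text/plain",
                 "Your message could not be delivered."),
]

# Misspellings named in the paper; matched as substrings of the body.
MISSPELLINGS = ("statment", "acount", "fullfil", "automaticly")
B64_HEADER = re.compile(r"=\?[^?]+\?[bB]\?")


def mailer_family(value):
    """Strip the version: 'SquirrelMail/1.4.3a' -> 'SquirrelMail'."""
    if not value:
        return "(none)"
    return re.split(r"[\s/]\d", value.strip(), maxsplit=1)[0]


def extract_features(raw):
    """Return the grouping features of one raw message string."""
    msg = message_from_string(raw)
    raw_subject = msg.get("Subject", "")
    _, addr = parseaddr(msg.get("From", ""))
    body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    return {
        "mailer": mailer_family(msg.get("X-Mailer")),
        "sender_local": addr.split("@")[0].lower() if "@" in addr else "",
        "subject": str(make_header(decode_header(raw_subject))),
        "subject_b64": bool(B64_HEADER.match(raw_subject)),
        "structure": msg.get_content_type(),
        "misspellings": frozenset(w for w in MISSPELLINGS if w in body),
    }


def tabulate(corpus, key):
    """Frequency table for one feature: [(value, count, percent), ...]."""
    counts = Counter(extract_features(raw)[key] for raw in corpus)
    return [(v, n, round(100.0 * n / len(corpus), 2))
            for v, n in counts.most_common()]


def signature(features):
    """The combination of features that defines a group."""
    return (features["mailer"], features["sender_local"],
            features["subject_b64"], features["structure"],
            features["misspellings"])


def group_by_signature(corpus):
    """Map each distinct signature to the indices of messages carrying it."""
    groups = defaultdict(list)
    for i, raw in enumerate(corpus):
        groups[signature(extract_features(raw))].append(i)
    return dict(groups)


if __name__ == "__main__":
    for key in ("mailer", "sender_local", "subject_b64"):
        print(key, tabulate(CORPUS, key))
    for sig, members in group_by_signature(CORPUS).items():
        print(len(members), "message(s):", sig)
```

The signature deliberately combines weak, copyable values (sender local part, subject encoding) with the more discriminating ones (mailer family, misspelling set), which is the point the section makes: no single header value is reliable on its own, but their combination separates the three constructed tool chains cleanly.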
4.3 Phishing Incidents by Date and by Group

Table 7 shows that phishing incidents seemed to occur on the midweek dates (Tuesday, Wednesday and Thursday), and the peak value occurred on a Tuesday (12 incidents). Most of the weekly peak incidents occurred on Thursdays. From Table 7 and Figure 6 we observed that some groups concentrated their attacks over shorter periods. For example, of Group 1’s 30 attacks, 29 occurred over two weeks: a period of five days, followed by a period of four days in the following week. In contrast, Group 3’s 13 attacks occurred over nearly the whole month on 11 different days.
Table 7: Numbers of phishing incidents by day from Saturday 1 July 2006 to Monday 31 July 2006 categorized by identified groups.

DATE         DAY         GROUP 1   GROUPS 2-6 / UNCLASSIFIED (cell values)   DATE TOTAL
1-Jul-06     Saturday    -         -                                         0
2-Jul-06     Sunday      -         -                                         0
3-Jul-06     Monday      -         -                                         0
4-Jul-06     Tuesday     -         1                                         1
5-Jul-06     Wednesday   -         1, 1, 1                                   3
6-Jul-06     Thursday    1         2, 1                                      4
7-Jul-06     Friday      -         1                                         1
8-Jul-06     Saturday    -         -                                         0
9-Jul-06     Sunday      -         -                                         0
10-Jul-06    Monday      -         1, 1, 1, 1                                4
11-Jul-06    Tuesday     -         1                                         1
12-Jul-06    Wednesday   -         2                                         2
13-Jul-06    Thursday    -         1, 1, 1, 1                                4
14-Jul-06    Friday      -         -                                         0
15-Jul-06    Saturday    -         -                                         0
16-Jul-06    Sunday      4         1, 3                                      8
17-Jul-06    Monday      4         4                                         8
18-Jul-06    Tuesday     6         1, 2, 3                                   12
19-Jul-06    Wednesday   2         -                                         2
20-Jul-06    Thursday    1         -                                         1
21-Jul-06    Friday      -         -                                         0
22-Jul-06    Saturday    -         -                                         0
23-Jul-06    Sunday      -         -                                         0
24-Jul-06    Monday      3         1                                         4
25-Jul-06    Tuesday     2         -                                         2
26-Jul-06    Wednesday   4         -                                         4
27-Jul-06    Thursday    3         1                                         4
28-Jul-06    Friday      -         -                                         0
29-Jul-06    Saturday    -         1, 2                                      3
30-Jul-06    Sunday      -         1                                         1
31-Jul-06    Monday      -         1, 1                                      2
Group Totals             30        Group 2: 3, Group 3: 13, Group 4: 18, Group 5: 3, Group 6: 2, Unclassified: 2   71
Another interesting aspect is the virtual weekend enjoyed by the phishers. While there are attacks on Saturdays and Sundays, there appears to be a break between weeks for most attacks: of the 11 incident-free days in the month, all fall in the Friday to Monday period. This indicates an organized work schedule, confirming the result obtained by Ramzan and Wüest (2007).

Figure 6: Numbers of phishing incidents by day from Saturday 1 July 2006 to Monday 31 July 2006 categorized by identified groups.

Time of day is another possible fingerprint. When we examined Tuesday 18 July 2006 in detail (Table 8), 12 phishing incidents were observed, starting at 4.01am and continuing to 8.59am, then followed by a break of about ten hours, followed again by three from 6.44pm to 7.39pm. This may be deliberate targeting of the victim users when they access their systems in the morning and first thing in the evening, or may again indicate the working schedule of the phishers themselves.
Table 8: Phishing incidents on 18 July 2006 by header received time (converted to AEST), date and phishing group.

TIME       DATE        GROUP
4:01:01    18-Jul-06   1
4:35:04    18-Jul-06   1
6:03:03    18-Jul-06   1
6:43:27    18-Jul-06   1
7:09:24    18-Jul-06   4
7:49:56    18-Jul-06   4
8:06:37    18-Jul-06   3
8:32:51    18-Jul-06   2
8:59:10    18-Jul-06   4
18:44:45   18-Jul-06   3
19:25:13   18-Jul-06   1
19:39:39   18-Jul-06   1
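The temporal fingerprints of Section 4.3 (incidents per weekday, the incident-free Friday-to-Monday window, bursts of consecutive active days per group, and the quiet gap within one day) can be computed directly from header received times once they are normalised to a single zone. The script below is an added example, not code from the paper or the thesis: it parses Received-style date strings that carry their own UTC offsets, converts them to AEST, and produces those summaries. The twelve 18 July rows restate Table 8 (re-expressed in UTC and +0300 as a header might carry them), the Group 1 day counts follow Table 7's Group 1 column, and the "other group" incidents, their times and the choice of offsets are constructed.

```python
"""Temporal fingerprints of phishing incidents.

Added example, not code from the paper. It normalises header received
times (which carry their own UTC offsets) to AEST, then summarises the
working pattern: incidents per weekday, incident-free days and whether
they fall in the Friday-to-Monday window, runs of consecutive active
days per group, and the longest quiet gap within one day. The 18 July
rows restate Table 8 as a header might carry them; the Group 1 day
counts follow Table 7; the other-group incidents are constructed.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

AEST = timezone(timedelta(hours=10))  # no daylight saving in July

# (Received-header date string, group); the UTC/+0300 forms convert
# back to the AEST times listed in Table 8.
RECEIVED_18_JULY = [
    ("Mon, 17 Jul 2006 18:01:01 +0000", 1), ("Mon, 17 Jul 2006 21:35:04 +0300", 1),
    ("Mon, 17 Jul 2006 20:03:03 +0000", 1), ("Mon, 17 Jul 2006 23:43:27 +0300", 1),
    ("Mon, 17 Jul 2006 21:09:24 +0000", 4), ("Mon, 17 Jul 2006 21:49:56 +0000", 4),
    ("Tue, 18 Jul 2006 01:06:37 +0300", 3), ("Mon, 17 Jul 2006 22:32:51 +0000", 2),
    ("Mon, 17 Jul 2006 22:59:10 +0000", 4), ("Tue, 18 Jul 2006 08:44:45 +0000", 3),
    ("Tue, 18 Jul 2006 12:25:13 +0300", 1), ("Tue, 18 Jul 2006 09:39:39 +0000", 1),
]
# Group 1 incidents per day of July 2006 from Table 7 (18 July is above).
G1_DAY_COUNTS = {6: 1, 16: 4, 17: 4, 19: 2, 20: 1, 24: 3, 25: 2, 26: 4, 27: 3}
# Constructed (day, group) incidents for other groups.
OTHER_INCIDENTS = [(4, 3), (5, 3), (5, 4), (6, 4), (6, 4), (10, 3),
                   (11, 4), (12, 3), (13, 3), (13, 4), (29, 4)]


def build_sample():
    """Return [(aware datetime in AEST, group), ...] for the sample month."""
    sample = [(parsedate_to_datetime(s).astimezone(AEST), g)
              for s, g in RECEIVED_18_JULY]
    for day, n in G1_DAY_COUNTS.items():
        for i in range(n):  # constructed times spread over the morning
            sample.append((datetime(2006, 7, day, 5 + i, tzinfo=AEST), 1))
    for i, (day, g) in enumerate(OTHER_INCIDENTS):
        sample.append((datetime(2006, 7, day, 9 + i % 8, tzinfo=AEST), g))
    return sample


SAMPLE = build_sample()


def by_day(incidents):
    """AEST date -> Counter of groups active that day."""
    days = defaultdict(Counter)
    for ts, group in incidents:
        days[ts.date()][group] += 1
    return days


def weekday_totals(incidents):
    """Weekday name -> number of incidents (the Table 7 weekday view)."""
    return Counter(ts.strftime("%A") for ts, _ in incidents)


def incident_free_days(incidents, first, last):
    """Dates in [first, last] with no incident at all."""
    active = {ts.date() for ts, _ in incidents}
    free, d = [], first
    while d <= last:
        if d not in active:
            free.append(d)
        d += timedelta(days=1)
    return free


def in_friday_to_monday(d):
    """True for Friday, Saturday, Sunday or Monday."""
    return d.weekday() in (4, 5, 6, 0)


def bursts(incidents, group):
    """Runs of consecutive active days for one group: [(first, last, n)]."""
    counts = Counter(ts.date() for ts, g in incidents if g == group)
    runs = []
    for d in sorted(counts):
        if runs and d - runs[-1][1] == timedelta(days=1):
            first, _, n = runs[-1]
            runs[-1] = (first, d, n + counts[d])
        else:
            runs.append((d, d, counts[d]))
    return runs


def longest_gap_hours(incidents, day):
    """Longest quiet interval between consecutive incidents on one AEST day."""
    times = sorted(ts for ts, _ in incidents if ts.date() == day)
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
    return max(gaps, default=0.0)


def summary(incidents, first=date(2006, 7, 1), last=date(2006, 7, 31),
            focus=date(2006, 7, 18)):
    """Plain-type digest of the fingerprints above for one month."""
    free = incident_free_days(incidents, first, last)
    return {
        "total": len(incidents),
        "weekday": dict(weekday_totals(incidents)),
        "free_days": [d.isoformat() for d in free],
        "free_days_all_fri_to_mon": all(in_friday_to_monday(d) for d in free),
        "group1_bursts": [(a.isoformat(), b.isoformat(), n)
                          for a, b, n in bursts(incidents, 1)],
        "focus_by_group": dict(by_day(incidents)[focus]),
        "focus_longest_gap_hours": round(longest_gap_hours(incidents, focus), 2),
    }


if __name__ == "__main__":
    for k, v in summary(SAMPLE).items():
        print(k, v)
```

Converting every timestamp to one zone before counting is what makes the weekday and gap figures comparable: a Received header written by a relay in another zone would otherwise shift an early-morning AEST incident onto the previous day. On the sample, Group 1's two bursts (16 to 20 July and 24 to 27 July) and the ten-hour gap on 18 July fall out of the same few functions.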
CONCLUSIONS
In this paper, we have shown how a criminal
investigation methodology based on authorship
analysis and fingerprinting can be used to classify
phishing e-mails into a small number of discrete
groups. While most spam e-mails do not aim to
misrepresent their identity, this is the goal for
phishing e-mails.
To summarize, some 6 distinct groups were responsible for the overwhelming majority of attacks identified in both sets of data: 86% of all attacks originated from one of these groups. In many cases, the distinguishing features of phishing e-mails were found in other e-mail crimes such as money laundering and 419 scams. This indicates that phishing groups are diversified criminal enterprises, each using their own distinctive modus operandi to commit crimes across a wide spectrum. Other indicators of organized work activity included taking breaks at weekends, and launching attacks during daytime hours from the geographical source regions. On the technical side, the use of multiple servers to provide fail-over during attacks indicates a growing trend for a sophisticated distributed computing capability on the same level as legitimate organizations. As discussed in the introduction, only data from a single target in the financial services area was used to develop the investigation methodology. However, anecdotal evidence suggests that most banks and financial institutions are experiencing qualitatively similar attacks. Our first task in generalizing our findings will be to replicate the results across data sets from other institutions. Of course, practical difficulties exist in obtaining this data from organizations that keep their operational security issues secret.
A second major challenge is to validate the findings across further time periods, and get a sense of the variation in both group composition and features used. One can anticipate a high level of turnover in the features used; however, if they are not revealed in the public arena and/or incorporated into anti-spam signature databases, then our experience is that the values are not altered.
We are also investigating methods that enable automated profiling of phishing attacks by group in real time, to be built into commercial tools for law enforcement, based on classification techniques from natural language processing (Watters, 2002). We intend to extend the approach by utilizing hierarchical clustering to identify more complex patterns of heredity among the different techniques being used by each group.
ACKNOWLEDGEMENTS
This work was funded by a major Australian
financial institution that wishes to remain
anonymous for operational security reasons.
REFERENCES

Alleged Phishing and Organized Crime Group Arrests. Technology News Daily, 2006.
Card fraud losses continue to fall, 14 March 2007 (on-line) http://www.apacs.org.uk/media_centre/press/07_14_03fraud.html
Abad, C., The Economy of Phishing: A Survey of the Operations of the Phishing Market, 2005.
Chandrasekaran, M., Narayanan, K., and Upadhyaya, S., Phishing E-mail Detection Based on Structural Properties. In Proceedings of the NYS Cyber Security Conference, 2006.
de-Vel, O., Mining E-mail Authorship. In Proceedings of the Workshop on Text Mining, ACM International Conference on Knowledge Discovery and Data Mining (KDD'2000), 2000.
de-Vel, O., Anderson, A., Corney, M., et al., Mining Email Content for Author Identification Forensics. SIGMOD: Special Section on Data Mining for Intrusion Detection and Threat Analysis, 2001.
Dhamija, R., Tygar, J.D., and Hearst, M., Why Phishing Works. In Proceedings of CHI 2006, Montréal, Québec, Canada, 2006.
Fette, I., Sadeh, N., and Tomasic, A., Learning to Detect Phishing E-mails. In Proceedings of the 16th International Conference on World Wide Web (WWW 2007), pp. 649-656, ACM Press, 2007.
Jagatic, T., Johnson, N., Jakobsson, M., et al., Social Phishing, School of Informatics, Indiana University, 12 December 2005.
Jakobsson, M., Modeling and Preventing Phishing Attacks, School of Informatics, Indiana University at Bloomington, 27 October 2005.
James, L., Phishing Exposed. Rockland, MA: Syngress Publishing, 2005.
McMillan, R., 'Rock Phish' blamed for surge in phishing (on-line) http://www.infoworld.com/article/06/12/12/HNrockphish_1.html
Naraine, R., Return of the Web Mob, April 10, 2006 (on-line) http://www.eweek.com/article2/0,1895,1947561,00.asp
Ramzan, Z. and Wüest, C., Phishing Attacks: Analyzing Trends in 2006. In Proceedings of the Fourth Conference on E-mail and Anti-Spam (CEAS 2007), 2007.
Stamp, P., Penn, J., Adrian, M., et al., Increasing Organized Crime Involvement Means More Targeted Attacks, Forrester Research, October 12, 2005.
Watters, P.A., Discriminating English word senses using cluster analysis. Journal of Quantitative Linguistics, 9(1): 77-86, 2002.
Figure 6.1: “We are automating the payment system” Russia cyber gang promotional material (VeriSign 2007)
Phishing the Long Line: Transnational
Cybercrime from Eastern Europe to Australia.
Chapter 6
SYNTHESIS: WINNING THE WAR ON PHISHING
CHAPTER SIX: SYNTHESIS: WINNING THE WAR ON PHISHING
6.1
Introduction
The previous chapter examined phishing emails and other phishing artefacts in an effort to group them, and identified ethnographic features which support the view that phishing and related cybercrime against Australia is primarily an Eastern European phenomenon. In this final chapter a theory to explain EECGs’ operations is developed. This theory will assist in understanding and addressing future threats, not only from other groups or organisations involved in cybercrime but also in other facets of cyber threats such as cyber espionage and information warfare.
The chapter also examines the weaknesses that allow phishing to flourish, and the weaknesses in the Phishing attack model; through that examination a number of options capable of being deployed to disrupt the phishing attack model are identified. In particular it is observed that the role of money transfer agents such as Western Union and MoneyGram deserves closer attention from law enforcement and regulators.
6.2
The Limitation of Technical Solutions: The Latest Zeus Example (Zitmo)
As observed in Section 6.10, there is a limitation in the current and potential technical solutions to Phishing. Essentially, any information that can be socially engineered from the user will be. At the same time the solution needs to have a level of usability; otherwise it is impractical for the average bank customer. Since 2003, Australian banks have responded to Internet banking phishing by looking at more robust authentication systems than simple username and password. A recent example of an attack is related here that demonstrates not only the limitation of technical solutions to Phishing but also the sophistication of the Phishing attacks being developed by EECGs. One of the most widely used and seemingly secure two-factor authentication methods used by Australian banks is employing a separate mobile phone to communicate a one-off transaction code via Secure Messaging Service (SMS). This message often includes details of the requested transaction, to combat the case where the computer being used is compromised and is misrepresenting the nature of the transaction being authorised. The security of this method is based on the assumption that, to defeat both devices (the computer and mobile phone), both need to have been compromised, something that would seem so difficult as to be largely impractical. In late 2010 an ingenious attack was developed as part of the Zeus Internet banking Trojan family. Already capable of “man in the middle” and “man in the browser” attacks, it has graduated to a “man in the mobile” attack. The variant is known as Zitmo (Zeus in the mobile) and it works by the following steps. The attacker
compromises the user’s PC (perhaps using a web browser vulnerability). Malware is then loaded
that injects a frame into the next Internet banking session of the victim asking for phone type and
number used for SMS authentication (See figure 6.2) and key logs the victim’s username and
password. Using the information entered into the injected frame by the victim the attacker infects
the victim’s mobile device by SMSing a link to a web-based file which when downloaded
compromises the phone (See Figure 6.3). With both devices now compromised, the attacker logs in
with the stolen credentials using the user's computer as a proxy and performs a specific operation
that needs SMS authentication. The SMS is sent to the victim's mobile device with the
authentication code. The malicious software running in the mobile phone forwards the SMS to
another mobile phone controlled by the attacker without the knowledge of the victim. The attacker
then uses the authentication code and completes the transaction successfully (Baroso 2010).
Figure 6.2: Zeus html frame inserted into Internet banking session to identify type of phone and phone number (Spanish
Version)(Baroso 2010).
Figure 6.3: Zeus SMS with Web-link to Nokia Phone compromise code (Spanish Version) (Baroso 2010).
This is a more efficient method than it may seem at first. Only users who have accounts with the
particular banks targeted will see the inserted frame asking for the additional details. Only those
who enter their phone details and have a phone type which can be compromised will be sent an
SMS to compromise their phone. Once the steps are complete the attackers can complete
transactions without alerting the victim. In fact the victim will only become aware of fraudulent
transactions when checking their balances and even that could be altered by determined attackers if
the system it is being checked on is compromised. This is an excellent example of how a well resourced adversary such as the EECGs can respond to seemingly secure counter-measures. While technical solutions definitely have their place, in the end more focus is needed on the weaknesses of the Phishing attack model and its money laundering elements; in particular, the role of money transfer agents such as Western Union and MoneyGram deserves closer attention by law enforcement and regulators (see Section 6.10 for detailed discussion).
6.3
A Theory of Cybercrime Operations
Given the observations of the activities of EECGs impacting Australia, one can formulate a theory of
cybercrime operations. Because their operations are focused overseas, EECGs operate within safe
havens from prosecution, both due to corruption and the tyranny of distance (and jurisdiction) for
their victims.
Figure 6.4: Theory of Cybercrime Operations (diagram elements: $, EECGs, Jurisdiction & Political Issues, Internet Cloud, Internet Money Mules, compass rose N/W/E/S, Victim Bank Customer)
EECGs not bound by legality are able to utilise the global connectivity of the Internet to launch
attacks and direct activities in an efficient and timely manner to reach those victims using the
Internet and other information technologies. They also use the efficiencies of Internet Banking and
the extensive network of ATMs against Banks in committing these frauds and laundering the
proceeds. Thus the strength and scope of Western banking and information technology is used in
effect as in Judo (Kodokan Judo Scientific Research Group 2009), where the strength and weight of
the opponent is used against him. Apart from the banks’ technology, EECGs also use the largely deregulated international financial environment to their advantage. Western Union and MoneyGram’s networks are used to repatriate funds back to Eastern Europe. In addition EECGs exploit the limitations of technical security solutions where, as observed, any information that can be socially engineered from the user will be, and any security solution needs to be usable for the average bank customer. Innovation is always on the EECGs’ side and banks can merely respond to new attack methods and vectors. Ironically, the innovation that banks can drive often opens up new avenues for attack, such as banking on mobile platforms. The unrestricted tactical operations that EECGs can now wage against Australians are one example of a broader theory of cybercrime, which might predict that there would be an increase in such activities given that the Internet makes cross-jurisdictional theft as easy as stealing next door, but where jurisdictional protections make these attackers relatively untouchable.
It is an arms race with each side escalating in turn; the banks on one side to overcome a new style of
attack and the Phishers on the other to overcome a new counter-measure. However, the EECGs will
always find a way to exploit legal and technical frameworks. Future research could compare the
Australian research with other Western nations (or advanced economies) to see if the same
predictions hold true; or, we perhaps could take a counter-example like China and see how it is
responding to the cybercrime threat, given the more extensive technical and social controls that the
Chinese Government is able to wield.
6.4
Eastern Europe the Engine of Cyber Warfare?
The transition in 2003 from hacking as a hobby (albeit illegal) to one with a profit motive has driven
much innovation in cybercrime. Phishing in particular with its high return on investment has
supported extensive cybercrime research and development. The EECGs have been central to this
with their access to excellent technical resources. Similar to the impact of World War 2 on
technology, many new attack vectors and methods have been developed in a short period at a speed
far greater than prior to 2003. The sophistication of botnets, vulnerability exploits, malware code
and social engineering methods are evidence of this. Zitmo is just a recent example. While
cybercrime is clearly an issue of significance for Western governments, since 2009, issues of
information warfare and cyber espionage have caused even greater concern in national security
circles. Developments in cybercrime like those technical developments during World War 2 have
impacted other areas but most particularly information warfare and cyber espionage.
6.4.1
Other Cyber Attacks
Quite apart from Phishing attacks on Internet banks, a lot of interest has been focused on cyber
espionage often attributed to China. If we are to examine the techniques documented in a number
of these attacks, they have great similarity to attacks used first in Internet bank phishing. This
includes the use of phishing e-mail hooks to download Trojans (Information Warfare Monitor 2010)
in attacks on Tibetan independence groups and use of Adobe PDF vulnerabilities to compromise
Gmail accounts of dissidents (Naraine 2010). Apart from espionage, cyber tools also can be used for
information warfare. The targeted attack on an Iranian nuclear reactor by the Stuxnet worm
(Greengard 2010) is similarly an extension of techniques and tools used in the phishing context by
EECGs. Phishing itself may have been developed by Russia’s Federal Agency for Government
Communications & Information (FAPSI) for information warfare purposes, and privatised with
FAPSI’s disbanding in 2003.
6.5
The scale of the Involvement in Phishing and Related Cybercrime in Australia by Eastern
European Cybercrime Groups
The scale of EECGs’ involvement has been demonstrated in this thesis by a number of methods. In
the second chapter the money laundering aspects of this crime were examined. In particular, data
was examined detailing each time the Australian Federal Police blocked an international transaction
which was the proceeds of phishing. The data covered the periods October 2004 to December 2005,
October 2006 to March 2007 and January 2009 to November 2010. In total 1416 transactions were
blocked and details recorded. Russia was consistently the highest recipient country with a total of
607 transactions accounting for 42.87% of the total. Ukraine took overall second place with 139
transactions accounting for 9.82% of the total. If we are to look at those countries, which were parts
of the former Soviet Union, they represent some 66%, or 791, of the total. The data shows a clear
nexus to that part of the world, which has remained consistent from 2004 to 2010. St Petersburg
accounted for 376, or 41%, of the total transactions where data for the city was available. This was
the highest by a factor of six and second highest per capita, with 81 transactions per one million of
population. St Petersburg is known as a hub for criminal activity (Europol 2009) and the home of
one of Russia’s major organised crime groups, Tambov. In the third chapter we examined the first Phishing attacks on Internet banks, starting in March 2003. Those early attacks involved Florida
provider E-Biz Web Hosting Solutions LLC that had at the time as its Chief Technology Officer, Alex
Mosh, alias Alex Mozhey. The Ukrainian Mosh is a well known spammer and was listed as number
one in the top spamming organisations worldwide in 2007 and has also been identified as hosting
Internet money mule recruiting sites (Spamhaus 2007). In the fifth chapter we examined features of
Phishing emails from an ethnographic perspective. That examination showed the majority of time
zone, character set and time of day data examined was consistent with Eastern Europe being the
source. Given this extensive analysis, there can be no doubt that EECGs are responsible for the
majority of Phishing and related cybercrime in Australia.
6.6
The Weaknesses that Allow Phishing and Related cybercrime by these Groups to Occur
In Section 6.10 we determine the weaknesses that allow Phishing and related cybercrime by these
groups to occur. These include the borderless Internet, the free flow of funds via the global financial
system, the limitations of technical solutions, Russia and Ukraine as a safe haven for cybercrime and
the law enforcement challenge in cross-jurisdictional operations.
6.7
The background and modus operandi of EECGs
In the various chapters of this thesis, we have examined the background and modus operandi of
EECGs including the history of phishing, the cybercrime marketplace and the features that have
made Eastern Europe a supportive environment for cybercrime. In Chapter Two we examined the
role of Internet money mules and other money laundering in phishing, which is key to the success of
the exercise. In the third chapter we examined the first Phishing attack on an Internet Bank in
March 2003 and a number of other early attacks. In these experimental attacks the phishers did not
go to great lengths to hide their identities or their methodology, as would be the case later. In that
chapter we also examined ethnographic aspects of Eastern Europe including the role of the Russian
Federal Agency for Government Communications & Information (FAPSI) in the development of
cybercrime. In Chapter Four we examined the cybercrime marketplace, which facilitates Phishing
attacks and allows for significant specialisation within and amongst Phishing groups. This work has
given a clear picture of the background and modus operandi of EECGs and more broadly that of
other cybercrime groups.
6.8
Future Research
6.8.1
Cyber Attack Attribution
One challenge in the research completed for this thesis was the difficult task of cybercrime
attribution or more broadly cyber attack attribution. This thesis has used data of international
money flows from the proceeds of Phishing from Australia, the examination of Phishing emails for
ethnographic artefacts, various business records registrations to identify individuals, and other case
studies to inform the process. Other attribution such as examples used by Kshetri (2010a) typically
relies on one of these factors in isolation and, while such examination is valid, it may indicate that
part of the activity has a nexus to that country but not much more, i.e. the United States hosts more
Phishing sites than Russia but that does not mean Americans are the perpetrators. Future research
should look at more formal models for attribution using multiple data points across various
information domains. Models used within intelligence analysis and other similar disciplines could
inform this research.
6.8.2
The Role of Tambovskaya (Tambov) in Phishing
While there is clear evidence of the involvement of Tambov in St Petersburg-based cybercrime,
further research could look at links between known Tambov entities and Phishing attacks on
Australia and other Western countries. This could be achieved using various methods, but given the
large business footprint of Tambov and a number of well known individuals associated with it,
researchers with access to Russian and St Petersburg business records may be able to demonstrate
clear links between Tambov and enterprises involved in Phishing attacks.
6.8.3
The role of Russian State Security Past and Present in Cybercrime
Even the limited information and research about Russian state security past and present
involvement in cybercrime, as summarised in Chapter Three, indicates this is an area that requires
further investigation. The activities of FAPSI prior to its disbandment and the ongoing actions of
former members of FAPSI recruited by organised crime and those now within the FSB could be
examined to identify the scope of their involvement in cybercrime.
6.8.4
Eastern European Local Money Mules
As described in Chapter Two once the proceeds of Phishing are sent via Western Union to Eastern
Europe, they are picked up by what can be described as “local money mules”. While there has been
research into Internet money mules and data of blocked Western Union transactions made
available, no research which closely examines this part of the Phishing attack model has been
conducted. The names and addresses for many of these people have been recorded (some may
well be assumed names) in the process of investigating many of these attacks, so there would be
opportunities to study them in more detail. This would help complete the picture of how the
proceeds of Phishing attacks are laundered.
6.8.5
Measuring the Effectiveness of an Institution’s Controls by the Value of its Compromised Credentials
As observed in Chapter Five, the operation of the cybercrime market means some bank credentials are worth more than others: if they are more easily cashed, a higher portion of the face value can be realised. A measure of the effectiveness of a bank’s counter-measures would therefore be whether its credentials are worth less in the cybercrime market. Future research could examine these values, which may validate the effectiveness of the counter-measures each institution takes.
6.9
Conclusion
This thesis has examined what is a complex, poorly understood and cross-disciplinary topic. The
research has been made more difficult by the need for operational security for law enforcement and
bank investigations. In addition many aspects of EECGs have limited sources available and much is
based on limited data or data of unknown quality. Also, EECGs themselves are by their nature
secretive. Despite this, the thesis has clearly added to the research in this area by identifying and
analysing a number of sources of empirical evidence for the scale of the involvement in Phishing and
related cybercrime in Australia by EECGs. It also provides important analysis of those activities
including modus operandi of these groups, explains the causes, placing it into its political and
historical context, develops a theory of cybercrime operations and proposes concrete options to
disrupt the activities of EECGs. The cross-disciplinary nature of the problem has inhibited
comprehensive applied research in this area, but it is hoped this research has advanced
understanding of the broader problem rather than just focusing on a specific technical aspect or
solution. However, one very specific message from this research is that transnational organised
criminal activity based around St Petersburg needs to have closer attention of Australian law
enforcement, particularly the Australian Federal Police and the Australian Crime Commission, if
there is any hope of protecting Australians from phishing and related cybercrime in the future.
6.10
References
McCombie S. Pieprzyk J. (2010) Winning the Phishing War: A Strategy for Australia, 2nd Workshop on
Cybercrime and Trusted Computing, University of Ballarat.
2010 Second Cybercrime and Trustworthy Computing Workshop

Winning the Phishing War: A Strategy for Australia

Stephen McCombie, Centre for Policing, Intelligence & Counter Terrorism, Macquarie University, North Ryde, Australia, [email protected]
Josef Pieprzyk, Department of Computing, Macquarie University, North Ryde, Australia, [email protected]
can update themselves dynamically [15] to beat new enhanced
authentication methods used by Internet banks such as Tokens
and SMS codes. These new Trojans can even automate the
money laundering process.
Other than the method of
compromise the modus operandi of the attacks and the
underlying attack model has changed little. While a few early
attempts tried to directly send the money overseas via Overseas
Telegraphic Transfers (OTTs), the method has either been
removed or is so heavily monitored it is no longer a viable
option. The standard approach now is the use of Internet
money mules (further described below) who transfer the money
overseas via Western Union or Moneygram. It is proposed a
strategy, which firstly places more focus by Australian law
enforcement upon transactions via Western Union and
Moneygram in an effort to detect this money laundering, would
significantly impact the success of the Phishing attack model.
This combined with a technical monitoring of Trojan
technology and education of potential Internet money mules to
avoid being duped would provide a winning strategy for the
war on phishing for Australia.
Abstract—Phishing, a form of on-line identity theft, is a major
problem worldwide, accounting for more than $7.5 Billion in
losses in the US alone between 2005 and 2008. Australia was the
first country to be targeted by Internet bank phishing in 2003
and continues to have a significant problem in this area. The
major cyber crime groups responsible for phishing are based in
Eastern Europe. They operate with a large degree of freedom
due to the inherent difficulties in cross border law enforcement
and the current situation in Eastern Europe, particularly in
Russia and the Ukraine. They employ highly sophisticated and
efficient technical tools to compromise victims and subvert bank
authentication systems. However because it is difficult for them
to repatriate the fraudulently obtained funds directly they
employ Internet money mules in Australia to transfer the money
via Western Union or Moneygram. It is proposed a strategy,
which firstly places more focus by Australian law enforcement
upon transactions via Western Union and Moneygram to detect
this money laundering, would significantly impact the success of
the Phishing attack model.
This combined with a technical
monitoring of Trojan technology and education of potential
Internet money mules to avoid being duped would provide a
winning strategy for the war on phishing for Australia.
II.
Keywords: Cybercrime, Phishing, Eastern European organised
crime, Money laundering.
I.
A. The Phishing War
Avi Litan first used the term ‘War’ in this context declaring
in 2009, “The War on Phishing Is Far From Over” [13]. It is
rather apt to describe it as a war. The forces behind phishing
and those charged with fighting it are at war. In this war there
are battles and campaigns. There is also an arms race with
techniques and technology developed by cyber criminals to
subvert Internet banks and in turn by the banks and law
enforcement to respond. Both sides are highly organized and
bring considerable resources to the fight. There are tactics and
strategy for both sides. What the authors are proposing is a
strategy to win this war. A real strategy is not just following
the logical but a bold choice to target something others, in the
same position, may ignore. The US Department of Defense
define a strategy in the military context as,
INTRODUCTION
Phishing is a form of online identity theft that employs both
social engineering and technical subterfuge to steal victims'
personal identity data and financial account credentials [2].
Australia’s Internet banks have been subject to phishing attacks
since early 2003. The problem has continued to this date
without abatement. Globally phishing and related cybercrime
is responsible for annual losses of billions of US dollars.
Gartner have estimated the losses, just in the US, were over
USD$7.5 Billion in the three years to September 2008 [13].
The first phishing attacks against Internet banks globally were
against Australian Banks. However this was not a home-grown
problem. It is suspected those first few attacks in 2003 were
the work of Ukrainian spammers [22]. Eastern European cyber
criminals continue to play a major role in phishing attacks
against Australia and indeed are significant factor in the global
problem [23]. The early phishing attacks of 2003 were fake
bank websites and were created on commercial web hosts.
Those early methods have now been replaced by fast-flux
attacks using Botnets [3] and sophisticated key loggers which
978-0-7695-4186-0/10 $26.00 © 2010 IEEE
DOI 10.1109/CTC.2010.13
BACKGROUND OF PHISHING
“A prudent idea or set of ideas for employing the
instruments of national power in a synchronized and integrated
fashion to achieve theater, national, and/or multinational
objectives [27].”
At this point the phishing war is not being won and is at
best a stalemate with little end in sight. It is hoped the
suggested strategy will target the weakness in the phishing attack model, just as phishing attacks the weaknesses in Internet banking and cross border policing.
B. Phishing 2003 and afterwards
While the term phishing dates from the early 1990s, Internet bank phishing began in 2003. The first Internet bank to be attacked was the Commonwealth Bank of Australia in March 2003. It was quickly followed by attacks on ANZ, Bank of America and Westpac. These attacks are suspected to have been the work of Ukrainian spammers and in particular Alex Mosh [22]. Spamhaus produce the Register of Known Spam Operations (ROKSO) and rank the top ten spamming operations based upon the ROKSO database, which collates information and evidence on known professional spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offences. According to Spamhaus, Mosh’s gang have figured in the top 10 spammers globally for more than five years and are currently listed as number 5 [26]. Mosh has also been identified with Internet money mule recruitment and other associated criminal activity [16][22].
Between March and early July 2003 there were only 7 discrete attacks globally [22]; however, by late 2003 a large number of banks in Australia, the United Kingdom, the United States and New Zealand were being targeted. By early 2004 banks from all over Western Europe, Canada and South Africa became targets. The earliest statistics from the Anti-Phishing Working Group (APWG) show 21 phishing incidents in the month of November 2003, 156 in December 2003 and 136 in January 2004 [1]. The phishing sites at this time were primarily located at large web hosting providers whose systems were apparently compromised and used to set up the sites. This method continued for some years, even being the main method observed during the examination of phishing attacks in July 2006 on one Australian financial institution [23]. But this changed not long after, with the use of botnets to host phishing web sites becoming the dominant method.
By December 2009 some 249 different brands were targeted by traditional phishing attacks (a phishing email directing the victim to a fake website), with over 46,000 individual phishing web sites detected. In the fourth quarter of 2009 Panda Labs identified over 3 million computers with password-stealing banking Trojans [2], the newer style of phishing. A study in 2008 over seven months looking at a small sample of seventy credential drop zones of Trojans identified over 10,000 compromised bank accounts and estimated their value on the black market to be as high as USD$10 million [15]. In 2007, in a two-week period, the Trojan Zeus was responsible for losses of USD$6 million from banks in the USA, Italy and Spain.
III. PHISHING ATTACK MODEL
A. Anatomy of a Phishing Attack
The phishing attack model is fairly simple. A number of the steps are able to be executed from anywhere in the world with an Internet connection. While the precise method of compromise has developed over time, this attack model remains largely unchanged. The first phase in the Internet banking fraud involves the targeting of the victim. The cyber criminal sends a phishing email or Trojan lure email to thousands, perhaps millions, of potential victims. A small percentage of those receiving a phishing email actually respond by confirming their account details in the fake banking website. A greater percentage, but still a small minority, follow the link in a Trojan lure email (e.g. Subject: Prime Minister survived a heart attack) and have their personal computers compromised and a key logging Trojan loaded. When they then conduct their next real session with their Internet bank their credentials are captured (Phase 2). The victim has ‘clean money’ (c$) in their bank account. In Phase 3, the potential Internet money mule is approached with a job offer, which is usually advertised by unsolicited spam email, Internet messaging and both fraudulent and legitimate employment web sites. In order for the transfer to take place mules need to supply their current bank account details or, if they choose, set up a new account for this purpose and supply those details (Phase 4).
Figure 1. Anatomy of an Internet Banking Fraud [4]
In Phase 5 the criminal transfers money from a compromised bank account into the mule's account. The mule, simply doing what their ‘job’ requires, transfers this ‘dirty’ money (d$) – minus their fee – via financial transfer services such as Western Union to an overseas address, which, as we will see, is often in Eastern Europe (Phase 6) [4].
B. Internet Money Mules
‘Internet money mules’ are those who, either knowingly or unknowingly, launder money obtained from Internet fraud. They are a key part of phishing and related cybercrime. While the criminals who steal credentials can easily access Internet banks and perform transactions from the other side of the world, they cannot necessarily get the money into their own hands so easily. They advertise for Internet money mules through spam email, Internet messaging and both fraudulent and legitimate employment web sites. They claim to be legitimate employment opportunities, with mules often receiving between 7% and 10% of funds transferred via their accounts as a commission. The cybercriminal transfers money from a compromised bank account into the mule's account. The mule, simply doing what their ‘job’ requires, transfers the
fraudulently obtained funds – minus their fee – via financial transfer services such as Western Union or Moneygram to an overseas address [1]. Data collected by the Australian Federal Police indicate that over 50% of these transactions relate to the former Soviet Union, with Russia being the largest single recipient country [13].
In a number of Internet banking frauds in the United States, communication between the Internet money mule and the organisers of the fraud has been obtained [17][18][19]; see figures 2-4. Internet money mules are told to direct the money via the local Western Union office back to addresses, in these cases, in the Ukraine.
Figure 2. Instruction to Internet Money Mule [17]
Figure 3. Welcome to Internet Money Mule [18]
Figure 4. Payment Instructions for Internet Money Mule [19]
Figure 5. Internet Money Mule Registration [19]
Interestingly, upon recruitment (see figure 5 [19]) Internet money mules are asked to certify there is a local Western Union office they can access.
C. Money Laundering
Money laundering is defined in the Criminal Code Act 1995 (Cth) as dealing with money or property that is the proceeds of crime. Under that legislation the penalties vary depending on the level of culpability. There is similar legislation in each state and territory with the exception of the Northern Territory. While the actus reus (guilty act) for money laundering is clearly present with Internet money mules, the question arising is whether the mens rea (guilty mind) is present, and in whose mind. Clearly the architects of the transaction are culpable, but what about the mules themselves and the money transfer agents such as Western Union and Moneygram?
It is widely accepted there are three stages in money laundering. They are placement, layering and integration. Placement is where the proceeds of crime are placed within the financial system. Layering is where those proceeds are separated from their source by layers of transactions, which disguise the ownership of funds and make it more difficult to
trace. Lastly, integration is where the proceeds of crime re-enter the financial system as apparently legitimate funds [10].
If we look at the phishing attack model, placement is where the funds are moved from the victim’s account to the mule's account. Layering then occurs when the mule withdraws the money in cash and then wires it via Western Union or Moneygram. At this point we do not really see integration, but presumably after the money is withdrawn from Western Union it is ultimately returned to the financial system.
D. Eastern Europe and Phishing
The involvement of Eastern European gangs, such as Mosh’s, did not end in 2003. As recently as September 2009 Neil Gaughan, the head of the Australian High Tech Crime Centre (AHTCC), told a parliamentary inquiry that the majority of cybercrime in Australia is driven by organised crime gangs in Russia [7]. Nigel Phair, former team leader from the AHTCC, says in his book,
“A significant amount of internet-enabled crime including Phishing and denial of service attacks … is perpetrated from within the states which comprise the former Soviet Union. [25]”
Previous research has demonstrated the significant role Eastern Europeans play in phishing and related cybercrime, particularly those from Russia and Ukraine [11][23]. These groups are highly organised, entrepreneurial and experienced in money laundering. While they are not alone in this space, with groups from Nigeria and Brazil also identified, they are by far the largest and best organised cyber criminals. Because of this they make responding to this crime all the more difficult for banks and law enforcement.
IV. THE WEAKNESSES THAT ALLOW PHISHING TO SUCCEED
A. The Borderless Internet
The Internet has changed the paradigm of crime forever. Now criminals and criminal groups have global reach in a way that the Italian Mafia and Asian Triads could only have dreamed of in the past. Not only are they free to target victims throughout the world, they can co-ordinate their activities across multiple countries as well, all from the comfort of their dacha on the outskirts of Kiev. East European groups, with their high level of technical education [22] and resources, have been particularly quick to embrace the Internet. This has combined with the opening up of the world economy and the relatively free flow of funds globally.
B. Limitations of Technical Solutions
Since 2003 the IT security industry has looked for technical solutions to phishing. In the last few years Internet banks have introduced a number of technical security innovations. These include the use of tokens (which provide a one-time password), challenge and response mechanisms (using battleship cards) and codes sent to phones via SMS to authorise transactions. While it would seem such methods would prevent these attacks, this has not been the case. Essentially, any information that can be socially engineered from the user will be. The computer platform itself cannot be trusted, and Trojans like Zeus will sit in the middle of an authorised transaction and change it in real time to go to the Internet money mule's account rather than the intended recipient. Lastly, whatever method is devised needs to have a good level of usability. Therefore having to key detailed transaction information into a small handheld token device to obtain a unique authorisation code (which would foil most of the current attacks) is not practical for the average Internet bank user.
C. The Safe Haven
If we examine the criminal network that supports phishing and related cybercrime we can see that it takes advantage of a number of vulnerabilities in the way Internet banking and law enforcement operate. Cyber criminals operating anywhere in the world can compromise Internet banking users and then operate those victims’ accounts using Internet connections. Banks who report these crimes to local law enforcement are immediately frustrated. Law enforcement, which is based around specific jurisdictions, is at best unwieldy across national boundaries. This is even more the case where countries have little formalised relationship at this level. Russia, for instance, does not allow offenders to be extradited to the country where the offence has been committed under any circumstances. Offenders can be tried locally, but that requires a significant commitment by a number of levels of the local criminal justice system. Typically in the case of frauds against foreign banks, which are viewed at the less serious end of crime, this commitment is lacking. John Pironti, a banking security expert, claims that as long as A-Z (the alleged author of Zeus) remains in Russia, he is effectively beyond the rule of law, since cybercrime against the West is such a low priority for Russian police [30][31]. In response to a question about organized crime networks involved in phishing, AHTCC Commander Neil Gaughan said,
“We have done some mapping in relation to money laundering and issues such as that. We use the internet (sic) to map where these sites have gone and most of them are going back to Eastern Europe. When you have the difficulty of jurisdictional type discussions. [7]”
So while the source of the problem is recognized, the problem of what has become a virtual safe haven for cybercrime comes into play. It is upon this law enforcement challenge that the successful attack model is based.
D. Law Enforcement Challenge
There should be no “legal vacuum” [20] for offences committed from within Eastern Europe. Clearly cybercrimes are not the first offences to have international cross-jurisdictional issues. While in those non-cybercrime cases it was more common for offenders to flee jurisdictions than to actually commit the offences from the other jurisdiction, it still does happen. A particular example is large international drug conspiracy cases, which have been successfully prosecuted for more than 30 years. But it takes time and a degree of commitment by all sides.
The model for police law enforcement co-operation internationally has two main elements. There is police-to-police assistance, which relates to things such as general intelligence exchange and information obtained from voluntary interviews, and is generally brokered via Interpol
[20]. In addition, the Australian Federal Police operate a network of International Liaison Officers (ILOs) worldwide, often with some sort of formal co-operation agreement with a law enforcement partner in the other country. Then there is mutual assistance, which provides for the use of coercive powers such as search warrants, and which is handled by the Federal Attorney General’s Department liaising with their equivalent in the other country.
One of the authors had first-hand experience in dealing with both these modes of gaining assistance in the mid 1990s in a large fraud investigation. The police-to-police inquiry to work out whether an individual (the main suspect) in a major fraud was in Hong Kong took over six months, and the mutual assistance application to obtain banking records took nearly two years. Is it any different now with cybercrime? Let us look at what happened after the first phishing attacks against banks in Australia in 2003. The attack against Westpac Bank occurred on 4 July 2003. Westpac’s lawyers immediately contacted the Australian Federal Police, but the matter was left till the following week to go to the ILO in Washington, Federal Agent Kevin Zuccato (by chance a future Australian High Tech Crime Centre Director). He worked hard to get some traction with his FBI colleagues, but according to the owner of the company which hosted the hardware the phishing sites were on, FBI agents did not turn up on his doorstep till September 2003, over two months later [13]. From an evidentiary perspective this may well have been fatal to the case. Logging in IT hosting companies is limited at the best of times, and critical data which could identify the source of traffic may be lost forever after even a few weeks. In addition, any follow-up investigation of data found (such as the IP source of those setting up the phishing sites in this case) would in turn be significantly delayed, with a similar knock-on effect.
The Cybercrime Convention was developed to handle many of these issues, including,
“Recognising the need for co-operation between States and private industry in combating cybercrime and the need to protect legitimate interests in the use and development of information technologies; (and) Believing that an effective fight against cybercrime requires increased, rapid and well-functioning international co-operation in criminal matters;”
While Australia and the Ukraine are signatories at present, Russia is not. The authors are not aware whether the treaty has led to a greater degree of co-operation from the Ukraine, and to date there have been no arrests in the Ukraine of cyber criminals for crimes in the West. The Ukrainians that have been arrested, it should be noted, were travelling outside of Eastern Europe when picked up.
V. THERE IS A WEAKNESS IN THE PHISHING ATTACK MODEL
A. Following the Money
Thus we have these safe havens for cybercrime where offenders are free to use the Internet to commit crimes but highly unlikely to face arrest and punishment for these crimes. There is a weakness in the criminal network too. To identify it we simply, as the old parlance says, “Follow the money”. While a few incidents of early Internet banking fraud in 2003 took advantage of direct Overseas Telegraphic Transfer, banks quickly identified this [4]. The banks then either removed this functionality or delayed payments so they could be manually reviewed. This led to the need for Internet money mules. These mules were needed to draw the money out in cash and then transfer it via Western Union or Moneygram back to the next level. The mules themselves, who are ultimately dupes, are expendable. However, the real weakness is that the money needs to be transferred by Western Union or Moneygram. Without Western Union or Moneygram the money would never make it back into the hands of the cyber criminals. Clearly Western Union and Moneygram obey the law and have worked with industry to warn users of being used as Internet money mules. However, a review of the material Western Union supply to customers shows they could be a lot more explicit in warning customers and perhaps more proactive in identifying fraudulent transactions.
B. Could Western Union Do More?
Western Union was founded over 150 years ago in the United States and has a reputation as a good corporate citizen. To discourage Internet money mules they have issued security bulletins and worked with law enforcement and victim banks. However, there is an opportunity for them to do more. Western Union’s information sheet on job scams, titled “Dream Job Only a Dream?”, states,
“Job scams may vary…The key is this; scam artists will always require some type of payment before employment can take place.”
Not so with Internet money mule job scams. Mules are not expected to put up any money. This advice relates to victims of scams who are sending their own money overseas and not those acting as “agents” for fraudsters. Western Union have a further information sheet titled “When Easy Money Isn’t Easy” which addresses this scenario, but its title is somewhat confusing and would seem more about lottery scams and the like. Also, customers are not told to voice their concerns to agency staff but rather are directed to further educational material or a 1-800 number, which does not work in Australia.
Figure 6. Warning on form states “Your funds could be at risk”, which for Internet money mules is not the case.
While Western Union have co-operated with law enforcement and the banks to trace and stop payments, anecdotally it appears the only time that they proactively identify fraudulent transactions is when the recipient has
already been the subject of a previous fraudulent transaction. If they were to profile transactions based on recipient country, amount and other values they would be able to identify other fraudulent transactions. In 2007, whilst working for a major Australian bank, one of the authors became aware that when transactions from frauds were being stopped upon request of victim banks or law enforcement, Western Union would keep the commission on the transaction. This commission-keeping practice was also confirmed by staff at another major bank. Inadvertently, Western Union was benefiting from the proceeds of the fraud. It is understood that they have since ceased this practice, but Western Union and Moneygram need to do more to help prevent this crime.
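As an added illustration of the profiling the authors propose (example code written for this edition, not code from the paper or from any Western Union, Moneygram or AUSTRAC system), the following Python contrasts the reactive rule described above, which only stops a transfer whose recipient was already linked to a reported fraud, with a proactive profile that also scores destination country, cash placement, the amount band typical of a mule transfer and the sender's transfer history. The transfer records, the country list, the thresholds and the score weights are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumption: the destination list is drawn from the countries the paper names
# as frequent recipients of mule transfers (Russia, Ukraine, Moldova); a real
# agent would populate it from AUSTRAC and law enforcement intelligence.
HIGH_RISK_COUNTRIES = {"RU", "UA", "MD"}

# Assumption: mules wire a victim's balance minus a 7-10% commission, so single
# transfers are moderate rather than large. Band in AUD, illustrative only.
AMOUNT_BAND = (1000.0, 10000.0)


@dataclass
class Transfer:
    txn_id: str
    sender_id: str               # agent's customer identifier
    recipient_name: str
    recipient_country: str       # ISO 3166-1 alpha-2 code
    amount_aud: float
    paid_in_cash: bool           # cash handed over at the agency counter
    sender_prior_transfers: int  # international transfers by this sender before


@dataclass
class Assessment:
    txn_id: str
    score: int
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Assumed threshold: a single weak indicator never flags on its own.
        return self.score >= 3


def reactive_flag(t: Transfer, known_fraud_recipients: set[str]) -> bool:
    """The practice the paper describes as current: a transfer is only stopped
    when the recipient has already been named in a reported fraud."""
    return t.recipient_name in known_fraud_recipients


def profile(t: Transfer, known_fraud_recipients: set[str]) -> Assessment:
    """Proactive profiling on recipient country, amount and other values."""
    a = Assessment(t.txn_id, 0)
    if t.recipient_name in known_fraud_recipients:
        a.score += 3
        a.reasons.append("recipient previously linked to fraud")
    if t.recipient_country in HIGH_RISK_COUNTRIES:
        a.score += 2
        a.reasons.append(f"destination {t.recipient_country} on high-risk list")
    if t.paid_in_cash:
        a.score += 1
        a.reasons.append("cash placement (the layering step in the mule model)")
    lo, hi = AMOUNT_BAND
    if lo <= t.amount_aud <= hi:
        a.score += 1
        a.reasons.append("amount in typical mule band")
    if t.sender_prior_transfers == 0:
        a.score += 1
        a.reasons.append("first international transfer by this sender")
    return a


def triage(transfers, known_fraud_recipients):
    """Return (reactive_ids, proactive_ids) so the two approaches can be compared."""
    reactive = {t.txn_id for t in transfers
                if reactive_flag(t, known_fraud_recipients)}
    proactive = {t.txn_id for t in transfers
                 if profile(t, known_fraud_recipients).suspicious}
    return reactive, proactive


# Constructed sample transfers; names and values are invented.
SAMPLE = [
    Transfer("T1", "cust-001", "Recipient A", "UA", 4200.0, True, 0),
    Transfer("T2", "cust-002", "Recipient B", "RU", 3800.0, True, 0),
    Transfer("T3", "cust-003", "Recipient C", "NZ", 250.0, False, 7),
    Transfer("T4", "cust-004", "Recipient D", "GB", 15000.0, False, 2),
]
# Only Recipient A has been reported by a victim bank.
KNOWN = {"Recipient A"}

if __name__ == "__main__":
    reactive, proactive = triage(SAMPLE, KNOWN)
    print("reactive  :", sorted(reactive))   # T1 only
    print("proactive :", sorted(proactive))  # T1 and T2
    for t in SAMPLE:
        a = profile(t, KNOWN)
        print(t.txn_id, a.score, "; ".join(a.reasons) or "no indicators")
```

T2 is the case the paper is concerned with: a first-time sender wiring cash to a high-risk country that the reactive rule never sees because its recipient has not yet been reported.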
VI. WHAT SHOULD WE DO?
A. What should the Australian Government do?
1) AUSTRAC
The Australian Transaction Reports and Analysis Centre (AUSTRAC) is Australia’s anti-money laundering and counter-terrorism financing regulator. One of the main pieces of legislation it operates under is the Financial Transaction Reports Act 1988. That act sets out the requirements of financial organisations such as banks and Western Union in regard to reporting suspicious transactions.
“If at any time while dealing with a customer (from the enquiry stage to the actual provision of a designated service or later), a reporting entity forms a suspicion on a matter that they suspect may be related to an offence, tax evasion, or the proceeds of crime, they must provide a report to AUSTRAC [8].”
Their regulatory guide on what should be considered when assessing whether a transaction is suspicious includes,
“(T)ransactions involving known tax havens, narcotic source or transit countries (and) movements by a customer of large amounts of cash that have no apparent legitimate source [8].”
If such a suspicion were formed by staff when an Internet money mule attempted to send cash via Western Union or Moneygram, Western Union should report the matter to AUSTRAC. In addition to suspicious transactions, AUSTRAC also gathers data on all international funds transfer instructions, which would naturally cover Internet money mule transfers to Eastern Europe. This data is available to various Australian law enforcement agencies and could be used for profiling.
2) Australian Crime Commission
The Australian Crime Commission (ACC) was formed in 2003, essentially to replace the National Crime Authority, the Australian Bureau of Criminal Intelligence and the Office of Strategic Crime Assessment. Amongst its key target areas are high threat organised crime groups. It defines these groups as having the following characteristics.
• “have transnational connections
• have proven capabilities and involvement in serious crime of high harm levels including illicit drugs, large scale money laundering and financial crimes
• have a broader geographical presence and will generally operate in two or more jurisdictions
• operate in multiple crime markets
• are engaged in financial crimes such as fraud and money laundering
• intermingle legitimate and criminal enterprises
• are fluid and adaptable, and able to adjust activities to new opportunities or respond to pressures from law enforcement or competitors
• are able to withstand law enforcement interventions and rebuild quickly following disruption
• are increasingly using new technologies
• use specialist advice and professional facilitators. [5]”
This definition would certainly describe the Eastern European cybercrime groups. They should be priority targets of the ACC if they are not already. In addition, money laundering is a focus area for the ACC. If the ACC were to specifically focus on the money laundering of these cybercrime groups by using data on Western Union and Moneygram transfers to suspicious countries, based on intelligence readily available from AUSTRAC, they would soon build a profile of what is occurring. They could, for instance, flag any cash transaction going from Australia to Russia, Ukraine and Moldova from a person with a surname which is not Eastern European in origin. While this may not stop the particular transaction, it would provide usable intelligence for law enforcement and data to identify where more due diligence was required by Western Union and Moneygram. Similarly, transactions to Nigeria (the home of the 419 scam) by those with non-African names would identify the potential level of fraud exposure via this channel.
3) Proactive Government Action
In Australia these government bodies are specifically tasked with looking at international money laundering. If these bodies took a specific reference on these activities and looked at data available from Western Union and Moneygram, as suggested, it may prove to significantly reduce the incidence of money laundering via this method. The difficulty to date is that the individual amounts have been small, and opportunities to recover monies for funding anti-money laundering operations are limited, as the victim banks typically have a claim to funds recovered.
4) Legislative Change
It may well be that the current legislation in place is sufficient to proactively combat this money laundering problem. There may, however, also be scope for specific legislation where there is an increased onus on organisations and individuals that transfer money across national boundaries to establish that they are not the proceeds of crime.
5) Destroying the Safe Havens
While the issues of law enforcement co-operation in Russia and Ukraine may seem insoluble, there are signs of opportunities to remove the safe havens. Romania, which has a history as a source of cybercrime, has in recent years opened its borders to US law enforcement and the E-Bay Safety team in an effort to reduce this problem. In March this year,
FBI Director Robert Mueller, in a speech to the RSA conference, said,
“And we have worked with the Romanian National Police to arrest more than 100 Romanian nationals in the past 18 months. Four years ago, several American companies threatened to cut cyber ties with Romania because of the rampant hacking originating from that country. And yet today, Romania is one of our strongest partners. [14]”
This rapprochement with the West seems to be largely driven by a desire to become part of the European Union (EU), which is not on the agenda of Russia or the Ukraine. Despite this there are some small signs of progress in Russia. In March this year the Russian Federal Security Service (FSB) arrested St Petersburg hacker Victor Pleshchuk in connection with a large cyber-fraud on RBS Worldpay in late 2008, one of the first arrests on Russian soil of a cyber criminal wanted in the West [24]. The involvement of the FSB is significant, as these matters would routinely be dealt with by St Petersburg Police or Division K of the Interior Ministry (who are focused on computer crime). This may well indicate the priority placed on this cybercrime by the Russian Government, or that at this point the reliability of those other agencies is still in question.
B. What Should Industry Do?
1) Education
The Internet money mules themselves are also a key part of this network, for without them these transactions would not be able to be completed. Therefore we need to educate potential Internet money mules about their involvement in this crime. They will never make any money from being an Internet money mule and could potentially be prosecuted. This education needs to be targeted both at the point where Internet money mules are recruited and at where they operate. Work in this area indicates there is a strong gender bias towards Internet money mules being male and in the 24-36 age group. This is even greater when the element of potential criminal intent exists. The bias progressively increases as the age of the money mule increases [4].
did before so you need to make choices. So if we are to focus on the money laundering aspects along with technical surveillance, what can we stop doing or at least reduce the effort on? Clearly phishing site shutdowns have limited effect given the various techniques used to frustrate them, such as fast flux: a phishing site hosting technique where the nodes in a botnet are used as the endpoints and the DNS records change frequently [15][3]. Conversely, still-active phishing sites often provide more intelligence to responders.
D. Difficulties
While the strategy proposed is based upon the current threat, it is clear the threat itself is Machiavellian and thus will change to counter preventative strategies. Already the use of Internet money mules is being supplanted in some cases in the United Kingdom. What we could call “International Money Mules” are being sent from Eastern Europe by car into the United Kingdom to withdraw funds directly and return. While this removes Western Union and Moneygram from the picture, it does expose the practice to interception at the United Kingdom’s borders, and exposes those who, unlike the Internet money mule, have some criminal culpability in the offence to arrest. Australia is clearly a different case, where our remoteness from Europe makes this impractical.
VII. CONCLUSION
In this paper the authors have presented a winning strategy for the war on phishing. This strategy is based on areas where there are weaknesses in the phishing attack model. The proposed strategy is firstly to focus law enforcement efforts on money transfer agents such as Western Union and Moneygram. Secondly, governments need to bring pressure to bear on the governments of Eastern Europe to ensure there is no “legal
vacuum” or safe haven in which cyber criminals can operate.
This while largely aspirational has parallels in recent times
with efforts to get Romania to clean up its act. Thirdly, a focus
by the IT Security community should be on sources of
technical intelligence from Phishing infrastructure where there
is good scope to recover compromised customer credentials,
identify Internet money mule accounts and monitor attack
development. Lastly, the banking industry should focus on
educating potential Internet Mules Money to prevent them
being duped into money laundering. With this focus the
authors believe the success rate for these fraudulent
transactions will greatly reduce to the point where the practice
becomes no longer viable for these cybercrime groups and they
look for easier targets, as they look at cost vs. benefit as in the
end of the day they are a business, albeit an illegal one.
2) Monitoring the IT threat
Another aspect of the problem is the advancing
sophistication of the schemes to attack Internet banking
organisations and their customers. The Zeus Trojan using a
series of configuration files which it downloads when needed
to target particular brands and their particular authentication
system [7]. It also can download the details of mule accounts
to transfer money directly to. But this creates opportunities for
both operational and tactical intelligence. Configuration files
identify targeted brands, styles of attack and existing Internet
Money Mules. This intelligence can be used in interdiction of
fraudulent transactions and designing more effective defenses
for attacks. While this is often a complex task it is more a
matter of using a small number of highly skilled staff rather
than a huge number of operations style staff that today are
involved in phishing site takedowns and other activities which
lend themselves to process style functions.
REFERENCES
[1]
[2]
[3]
[4]
C. A True Strategy
A true strategy has a downside. It means you have to
redirect your resources. You do not get to do all the things you
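Both the fast-flux hosting described under C. A True Strategy and the configuration-file intelligence described under 2) Monitoring the IT threat can be turned into routine defensive checks. The Python below is an added example written for this edit, not code from the paper or the thesis: the DNS observations, address blocks, account numbers, transfer records and detection thresholds are all constructed assumptions, and it uses /16 address blocks in place of the ASN lookup a production fast-flux check would use.

```python
"""Turning phishing-infrastructure intelligence into defensive checks.

Two analyses over constructed sample data (nothing here is from the paper
or from any real incident; hostnames, addresses, account numbers and
thresholds are all made up for illustration):
  1. a fast-flux indicator from repeated DNS lookups of a phishing host
     (short TTL, many endpoints spread over several networks, churn);
  2. a mule-account watchlist built from destination accounts recovered
     from a banking-trojan configuration, matched against outbound transfers.
"""
from dataclasses import dataclass
from ipaddress import ip_network
import re


# ---- 1. Fast-flux indicator from DNS observations --------------------------

@dataclass(frozen=True)
class DnsObservation:
    """One resolution of the hostname: seconds since start, TTL, A records."""
    t: int
    ttl: int
    a_records: tuple


# Constructed: A records rotate every lookup between endpoints in three
# different address blocks, which is what a botnet-hosted site looks like.
FLUX_OBSERVATIONS = [
    DnsObservation(0,   180, ("198.51.100.7", "203.0.113.40", "192.0.2.99")),
    DnsObservation(300, 180, ("203.0.113.41", "198.51.100.9", "192.0.2.12")),
    DnsObservation(600, 180, ("192.0.2.200", "203.0.113.8", "198.51.100.250")),
    DnsObservation(900, 180, ("198.51.100.7", "192.0.2.33", "203.0.113.77")),
]

# Constructed: a conventionally hosted site, two stable addresses, long TTL.
STABLE_OBSERVATIONS = [
    DnsObservation(0,   86400, ("198.51.100.20", "198.51.100.21")),
    DnsObservation(300, 86400, ("198.51.100.20", "198.51.100.21")),
    DnsObservation(600, 86400, ("198.51.100.21", "198.51.100.20")),
    DnsObservation(900, 86400, ("198.51.100.20", "198.51.100.21")),
]


def flux_features(observations):
    """Summarise how a hostname's A records behave across repeated lookups."""
    ips = {ip for o in observations for ip in o.a_records}
    # /16 blocks stand in for "different networks"; a production check would
    # use an ASN lookup, which is not available offline.
    blocks = {ip_network(f"{ip}/16", strict=False) for ip in ips}
    changes = sum(1 for prev, cur in zip(observations, observations[1:])
                  if set(prev.a_records) != set(cur.a_records))
    return {"min_ttl": min(o.ttl for o in observations),
            "distinct_ips": len(ips), "distinct_blocks": len(blocks),
            "record_set_changes": changes, "lookups": len(observations)}


def looks_fast_flux(observations, max_ttl=300, min_ips=5, min_blocks=3):
    """Assumed illustrative thresholds: TTL at most five minutes, at least
    five endpoints across at least three blocks, and the record set changing
    on at least half of the lookups."""
    f = flux_features(observations)
    churn = f["record_set_changes"] / max(1, f["lookups"] - 1)
    return (f["min_ttl"] <= max_ttl and f["distinct_ips"] >= min_ips
            and f["distinct_blocks"] >= min_blocks and churn >= 0.5)


# ---- 2. Mule-account watchlist from configuration intelligence -------------

# Constructed: destination accounts as they might appear in a recovered
# configuration, in inconsistent BSB/account formats.
RECOVERED_MULE_ACCOUNTS = ["062-000 1234 5678", "BSB 013999 ACC 000987654",
                           "732-001/55443322"]

# Constructed outbound transfers as a bank's payment system might log them.
OUTBOUND_TRANSFERS = [
    {"id": "T1", "bsb": "062000", "account": "12345678", "amount": 4800.00},
    {"id": "T2", "bsb": "082100", "account": "44556677", "amount": 120.50},
    {"id": "T3", "bsb": "013999", "account": "987654",   "amount": 9900.00},
    {"id": "T4", "bsb": "732001", "account": "55443322", "amount": 300.00},
]


def normalise_account(raw):
    """Canonical (bsb, account) pair: the first six digits are the BSB, the
    rest is the account number with leading zeros dropped, so that
    '000987654' and '987654' compare equal."""
    digits = "".join(re.findall(r"\d+", raw))
    if len(digits) < 7:
        raise ValueError(f"not a BSB/account pair: {raw!r}")
    return digits[:6], digits[6:].lstrip("0") or "0"


def build_watchlist(recovered):
    return {normalise_account(r) for r in recovered}


def flag_transfers(transfers, watchlist):
    """Ids of transfers whose destination is on the watchlist: the point at
    which a bank can hold the payment for review before funds leave."""
    return [tx["id"] for tx in transfers
            if (tx["bsb"], tx["account"].lstrip("0") or "0") in watchlist]


if __name__ == "__main__":
    for name, obs in (("flux", FLUX_OBSERVATIONS), ("stable", STABLE_OBSERVATIONS)):
        print(name, flux_features(obs), "fast-flux?", looks_fast_flux(obs))
    print("held:", flag_transfers(OUTBOUND_TRANSFERS,
                                  build_watchlist(RECOVERED_MULE_ACCOUNTS)))
```

Run stand-alone it prints the feature summary for both hostnames and the ids of the transfers that would be held. The normalisation step is the part that matters in practice: account identifiers recovered from a configuration rarely share the format of a bank's own payment records, and a watchlist that is not normalised silently misses the matches it was built to catch.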
REFERENCES
[1] Anti-Phishing Working Group, “Phishing Attack Trends Report,” 2004; http://www.antiphishing.org/reports/APWG.Phishing.Attack.Report.Feb2004.pdf.
[2] Anti-Phishing Working Group, “Phishing Attack Trends Report 4th Quarter 2009,” 2010; http://www.antiphishing.org/reports/apwg_report_Q4_2009.pdf.
[3] Arbor Networks, “Global Fast Flux,” 2010.
[4] M. Aston, S. McCombie, B. Reardon, and P. Watters, “A Preliminary Profiling of Internet Money Mules: An Australian Perspective,” 2009.
[5] Australian Crime Commission, Organised Crime in Australia, 2009.
[6] Australian Crime Commission, Australian Crime Commission Annual Report, Australian Crime Commission, 2010.
[7] Australian Government, “Inquiry into Cybercrime,” 2009.
[8] Australian Transaction Reports and Analysis Centre, “AUSTRAC Regulatory Guide,” 2009; http://www.austrac.gov.au/regulatory_guide.html.
[9] BobBear, “Money Laundering and Reshipping Fraud,” 2010.
[10] A. Deitz and College of Law (Sydney N.S.W.) Continuing Professional Education Dept., Anti-money Laundering and Counter-Terrorism Financing Act: a presentation for the Continuing Professional Education Department of the College of Law, The CPE Dept. of the College of Law, 2007.
[11] M. Galeotti, “Russian mafiya become more active in Eastern Europe,” 2005; http://www.janes.com/security/law_enforcement/news/jir/jir050524_1_n.shtml.
[12] M. Galeotti, “The Criminalisation of Russian State Security,” Global Crime, vol. 7, no. 3-4, 2006.
[13] Gartner, “Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40 Percent in 2008,” 2009; http://www.gartner.com/it/page.jsp?id=936913.
[14] D. Goodin, “Notorious eBay hacker arrested in Romania,” 2008; http://www.theregister.co.uk/2008/04/18/vladuz_arrested/.
[15] T. Holz, M. Engelberth, and F. Freiling, “Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones,” ESORICS 2009, LNCS 5789, M. Backes and P. Ning, eds., Springer, 2009, pp. 1-18.
[16] iDefense, Money Mules: Sophisticated Global Cyber Criminal Operations, Verisign, 2006.
[17] B. Krebs, “More Business Banking Victims Speak Out,” 2009; http://voices.washingtonpost.com/securityfix/2009/09/more_business_banking_victims.html.
[18] B. Krebs, “'Money Mule' Recruitment Network Exposed,” 2009; http://voices.washingtonpost.com/securityfix/2009/09/money_mule_recruitment_101.html.
[19] B. Krebs, “FDIC: Uptick in 'money mule' scams,” 2009; http://voices.washingtonpost.com/securityfix/2009/11/fdic_uptick_in_money_mule_scam.html.
[20] D. Lanham, Cross-border criminal law, Pearson Professional, 1997.
[21] S. Martin, “International Field Report: Australia,” 2007.
[22] S. McCombie, “Trouble in Florida: The Genesis of Phishing attacks on Australian Banks,” 2008.
[23] S. McCombie, et al., “Cybercrime Attribution: An Eastern European Case Study,” Proc. The 7th Australian Digital Forensics Conference, secau - Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia, 2009, pp. 41-51.
[24] J. Menn, “Moscow cracks down on cybercrime,” 2010; http://www.ft.com/cms/s/0/371526da-350b-11df-9cfb00144feabdc0.html.
[25] N. Phair, Cybercrime: the reality of the threat, Nigel Phair, 2007.
[26] The Spamhaus Project, “The 10 Worst ROKSO Spammers,” 2010; http://www.spamhaus.org/statistics/spammers.lasso.
[27] US Department of Defense, “DOD Dictionary of Military Terms,” 2010; http://www.dtic.mil/doctrine/dod_dictionary/.
[28] F. Walker, “Gone phishing ... gangs using Aussie kids to steal millions,” 2006.
[29] D. Warne, “Romania a global hotspot for eBay fraud,” 2007; http://apcmag.com/romania_a_global_hotspot_for_ebay_fraud.htm.
[30] K. Zenz, Uncovering Online Fraud Rings: The Russian Business Network, iDefense, Verisign, 2007.
[31] K. Zenz, Global Threat Research Report: Russia, iDefense, Verisign, 2007.
REFERENCES
Abad, C. (2006). "The Economy of Phishing: A Survey of the Operations of the Phishing
Market."
Retrieved 23 August 2006 from
http://www.firstmonday.org/issues/issue10_9/abad/index.html.
Abramova, I. (2007). "The Funding of Traditional Organised Crime in Russia." Economic Affairs
27(No.1): 18-21.
Abu-Nimeh, S., D. Nappa, et al. (2007). A comparison of machine learning techniques for
phishing detection. Proceedings of the anti-phishing working groups 2nd annual eCrime
researchers summit. Pittsburgh, Pennsylvania, ACM: 60-69.
APACS. (2006). "UK card fraud losses in 2005 fall by £65m - to £439.4m from £504.8m in 2004."
Retrieved 2 March, 2007, from
http://www.apacs.org.uk/media_centre/press/06_03_07.html.
APACS. (2007). "Card fraud losses continue to fall."
Retrieved 20 March 2007 from
http://www.apcs.org.uk.
Aston, M., S. McCombie, et al. (2009). A Preliminary Profiling of Internet Money Mules: An
Australian Perspective. Proceedings of the 2009 Symposia and Workshops on
Ubiquitous, Autonomic and Trusted Computing, IEEE Computer Society: 482-487.
Australia Federal Police. (2010). "High Tech Crime: AFP casts a wide Net." Retrieved 30 March 2011, from
http://www.afp.gov.au/about-the-afp/our-organisation/~/media/afp/pdf/h/high-tech-crime-afp-casts-a-wide-net.ashx.
Australian Bureau of Statistics (2007). Patterns of internet access in Australia, 2006. Canberra,
Australian Bureau of Statistics.
Australian Bureau of Statistics (2008). Personal Fraud, 2007. Canberra, Australian Bureau of
Statistics.
Australian Government (2009). Hackers, Fraudsters and Botnets: Tackling the Problem of Cyber
Crime. Inquiry into Cyber Crime. House Standing Committee on Communications.
Canberra, Parliament of Australia House of Representatives.
Australian Institute of Criminology (2007) "Money Mules." High Tech Crime Brief 16, 2007.
Author Travis Group. (2005, September 2005). "Who Wrote Sobig?" from
http://authortravis.tripod.com/.
Badra, M., S. El-Sawda, et al. (2007). Phishing attacks and solutions. Proceedings of the 3rd
international conference on Mobile multimedia communications. Nafpaktos, Greece,
ICST (Institute for Computer Sciences, Social-Informatics and Telecommunications
Engineering): 1-6.
Basnet, R., S. Mukkamala, et al. (2008). Detection of Phishing Attacks: A Machine Learning
Approach. Soft Computing Applications in Industry. B. Prasad, Springer Berlin /
Heidelberg. 226: 373-383.
Belton, C. (2003, 2003). "New Book Poses Question of Putin's Links with Underworld." from
http://www.sptimes.ru/index.php?action_id=2&story_id=11164.
Birk, D., S. Gajek, et al. (2007). Phishing Phishers - Observing and Tracing Organized Cybercrime.
Internet Monitoring and Protection, 2007. ICIMP 2007. Second International Conference
on.
Broucek, V. and P. Turner (2006). "Winning the Battles, Losing the War? Rethinking
Methodology for Forensic Computing Research." Journal in Computer Virology 2(1):
3-12.
Carr, J. and L. Shepherd (2010). Inside cyber warfare. Sebastopol, Calif., O'Reilly Media, Inc.
Chandrasekaran, M., K. Narayanan, S. Upadhyaya (2006). Phishing Email Detection Based on
Structural Properties. NYS Cyber Security Conference 2006, New York.
Chandrasekaran, M., R. Chinchani, et al. (2006). PHONEY: Mimicking User Response to Detect
Phishing Attacks. Proceedings of the 2006 International Symposium on on World of
Wireless, Mobile and Multimedia Networks, IEEE Computer Society: 668-672.
Cody, J., H. Hughes, et al. (1980). Policies for industrial progress in developing countries. New
York, Published for the World Bank by Oxford University Press.
Cronin, M. J. (1997). Banking and finance on the Internet. New York, Van Nostrand Reinhold.
Dantu, R., S. Palla, et al. (2008). "Classification of phishers." Journal of Homeland Security and
Emergency Management 5(1):
Dazeley, R., J. Yearwood, et al. (2010). Consensus Clustering and Supervised Classification for
Profiling Phishing Emails in Internet Commerce Security. Knowledge Management and
Acquisition for Smart Systems and Services. B.-H. Kang and D. Richards, Springer Berlin /
Heidelberg. 6232: 235-246.
Dean, G., P. Gottschalk, et al. (2010). Organized crime : policing illegal business
entrepreneurialism. Oxford, Oxford University Press.
del Castillo, M., A. Iglesias, et al. (2007). Detecting Phishing E-mails by Heterogeneous
Classification. Intelligent Data Engineering and Automated Learning - IDEAL 2007. H. Yin,
P. Tino, E. Corchado, W. Byrne and X. Yao, Springer Berlin / Heidelberg. 4881: 296-305.
del Castillo, M., Á. Iglesias, et al. (2007). An Integrated Approach to Filtering Phishing E-mails.
Computer Aided Systems Theory – EUROCAST 2007. R. Moreno Díaz, F. Pichler and A.
Quesada Arencibia, Springer Berlin / Heidelberg. 4739: 321-328.
Devarakonda, A. K., P. Tummala, et al. (2010). Security Solutions to the Phishing: Transactions
Based on Security Questions and Image. Information Processing and Management. V. V.
Das, R. Vijayakumar, N. C. Debnathet al, Springer Berlin Heidelberg. 70: 565-567.
Dhamija, R., J. D. Tygar, et al. (2006). Why phishing works. Proceedings of the SIGCHI
conference on Human Factors in computing systems. Montréal, Québec, Canada, ACM: 581-590.
Fette, I., N. Sadeh, et al. (2007). Learning to detect phishing emails. Proceedings of the 16th
international conference on World Wide Web, Banff, Alberta, Canada, ACM.
Finckenauer, J. O. and J. L. Schrock (2004). The prediction and control of organized crime : the
experience of post-Soviet Ukraine. New Brunswick, N.J., Transaction Publishers.
Florencio, D. and C. Herley (2010). Phishing and money mules. Information Forensics and
Security (WIFS), 2010 IEEE International Workshop on.
Florêncio, D. and C. Herley (2006). Analysis and Improvement of Anti-Phishing Schemes.
Security and Privacy in Dynamic Environments. S. Fischer-Hübner, K. Rannenberg, L.
Yngström and S. Lindskog, Springer Boston. 201: 148-157.
Friedman, R. I. (2000). Red Mafiya : how the Russian mob has invaded America. Boston, Little,
Brown.
Galeotti, M. (2005, 24 May 2005). "Russian mafiya become more active in Eastern Europe."
from http://www.janes.com/security/law_enforcement/news/jir/jir050524_1_n.shtml.
Galeotti, M. (2006). "The Criminalisation of Russian State Security." Global Crime 7(Number
3-4).
Galeotti, M. (2008). Interview with Author.
Gansterer, W. and D. Pölz (2009). E-Mail Classification for Phishing Defense. Advances in
Information Retrieval. M. Boughanem, C. Berrut, J. Mothe and C. Soule-Dupuy, Springer
Berlin / Heidelberg. 5478: 449-460.
Gartner. (2009). "Gartner Says Number of Phishing Attacks on U.S. Consumers Increased 40
Percent in 2008." from http://www.gartner.com/it/page.jsp?id=936913.
Glenny, M. (2008). McMafia : a journey through the global criminal underworld. New York,
Knopf Books.
Goodin, D. (2008). "Notorious eBay hacker arrested in Romania." from
http://www.theregister.co.uk/2008/04/18/vladuz_arrested/.
Gottschalk, P. (2010). Policing organized crime : intelligence strategy implementation. Boca
Raton, CRC Press.
Herley, C., D. Florencio, et al. (2008). A profitless endeavor: phishing as tragedy of the
commons. Proceedings of the 2008 workshop on New security paradigms. Lake Tahoe,
California, USA, ACM: 59-70.
Herley, C. and D. Florencio (2010). "Nobody Sells Gold for the Price of Silver: Dishonesty,
Uncertainty and the Underground Economy." Economics of Information Security and
Privacy: 33-53 320.
Holt, T. J. and A. M. Bossler (2009). "Examining the Applicability of Lifestyle-Routine Activities
Theory for Cybercrime Victimization." Deviant Behavior 30(1): 1 - 25.
Holt, T. J. and E. Lampke (2010). "Exploring stolen data markets online: products and market
forces." Criminal Justice Studies: A Critical Journal of Crime, Law and Society 23(1): 33-50.
Holz, T., M. Engelberth, et al. (2009). Learning More about the Underground Economy: A
Case-Study of Keyloggers and Dropzones. Computer Security – ESORICS 2009. M. Backes
and P. Ning, Springer Berlin / Heidelberg. 5789: 1-18.
Hutchings, A. and H. Hennessey (2009). "Routine Activity Theory and Phishing Victimisation:
Who Gets Caught in the 'Net'?" Current Issues in Criminal Justice 20(No. 3): 433-451.
iDefense (2006). Money Mules: Sophisticated Global Cyber Criminal Operations Verisign.
Information Warfare Monitor (2010). Shadows in the Cloud: Investigating Cyber Espionage 2.0,
Information Warfare Monitor.
International Telecommunication Union. (2008). "Internet indicators: subscribers, users and
broadband subscribers: 2008." from
http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI
/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1.
Jackson, C., D. Simon, et al. (2007). An Evaluation of Extended Validation and Picture-in-Picture
Phishing Attacks. Financial Cryptography and Data Security. S. Dietrich and R. Dhamija,
Springer Berlin / Heidelberg. 4886: 281-293.
Jagatic, T. N., N. A. Johnson, et al. (2007). "Social phishing." Commun. ACM 50(10): 94-100.
Jakobsson, M. (2005). "Modeling and Preventing Phishing Attacks."
Jakobsson, M. and S. Myers (2007). Phishing and countermeasures : understanding the
increasing problem of electronic identity theft. Hoboken, N.J., Wiley-Interscience.
James, L. (2005). Phishing Exposed. Rockland MA Syngress Publishing.
Juan, C. and G. Chuanxiong (2006). Online Detection and Prevention of Phishing Attacks.
Communications and Networking in China, 2006. ChinaCom '06. First International
Conference on.
Karlof, C., U. Shankar, et al. (2007). Dynamic pharming attacks and locked same-origin policies
for web browsers. Proceedings of the 14th ACM conference on Computer and
communications security. Alexandria, Virginia, USA, ACM: 58-71.
Karrstrand, K. (2007). "The Baltic connection - Money laundering in the Baltic region." Janes
Intelligence Review; Serious and Organised Crime.
Keegan, J. (2004). Intelligence in War. London, Random House.
Kerber, R. (2007). "Suspect named in TJX credit card probe: Ukrainian's arrest seen as break in
record fraud case." from
http://www.boston.com/business/globe/articles/2007/08/21/suspect_named_in_tjx_credit_card_probe/.
Kornakov, P. (2007). "Gibson offers sneak peek into his world." from
http://www.cambridge-news.co.uk/business/news/2007/02/06/ca10f0fb-fa50-4e49-b8
d4-51b8c359075a.lpf.
Krebs, B. (2006). "In the Fight Against Spam E-Mail, Goliath Wins Again." from
http://www.washingtonpost.com/wp-dyn/content/article/2006/05/16/AR20060516018
73.html.
Krebs, B. (2008). "Three Charged With Hacking Dave & Buster's Chain." from
http://voices.washingtonpost.com/securityfix/2008/05/three_charged_with_hacking_dav.html.
Kreizer, G. (2005). Dutch Botnet Trio Reportedly Connected To Russian Mob.
Kshetri, N. (2009). "Positive externality, increasing returns, and the rise in cybercrimes."
Commun. ACM 52(12): 141-144.
Kshetri, N. (2010). "The Economics of Click Fraud." Security & Privacy, IEEE 8(3): 45-53.
Kshetri, N. (2010). The global cybercrime industry : economic, institutional and strategic
perspectives. New York, Springer.
Landgraaf, A. d. (2006). "E-Secure-IT Analysis of the “Rocky” Phish." Retrieved 20 March 2007,
from http://ims.co.nz/blog/archive/2006/06/07/1813.aspx.
Lesk, M. (2007). "The New Front Line: Estonia under Cyberassault." IEEE Security and Privacy
5(No.4 July/Aug. 2007): pp.76-79.
Litan, A. (2005). Increased Phishing and Online Attacks Cause Dip in Consumer Confidence.
Gartner Research, Gartner.
Lu, C., W. Jen, et al. (2007). Trends in Computer Crime and Cybercrime Research During the
Period 1974-2006: A Bibliometric Approach. Intelligence and Security Informatics. C.
Yang, D. Zeng, M. Chauet al, Springer Berlin / Heidelberg. 4430: 244-250.
Ludl, C., S. McAllister, et al. (2007). On the Effectiveness of Techniques to Detect Phishing Sites.
Detection of Intrusions and Malware, and Vulnerability Assessment. B. M. Hämmerli and
R. Sommer, Springer Berlin / Heidelberg. 4579: 20-39.
Ma, J., Y. Li, et al. (2008). Identifying Chinese E-Mail Documents' Authorship for the Purpose of
Computer Forensic. Proceedings of the IEEE ISI 2008 PAISI, PACCF, and SOCO
international workshops on Intelligence and Security Informatics. Taipei, Taiwan,
Springer-Verlag: 251-259.
Martin, S. (2007). International Field Report : Australia. 2007 APWG General Members Meeting.
Pittsburgh PA.
McCombie, S., P. Watters, et al. (2008). Forensic Characteristics of Phishing - Petty Theft or
Organized Crime? Fourth International Conference on Web Information Systems and
Technologies. Funchal, Madeira, Portugal. 1: pp149-157
McCombie, S. (2008). Trouble in Florida: The Genesis of Phishing attacks on Australian Banks.
6th Australian Digital Forensics Conference. Perth.
McCombie, S. and J. Pieprzyk (2010). Winning the Phishing War: A Strategy for Australia.
Second Cybercrime and Trustworthy Computing Workshop, University of Ballarat.
McCombie, S., J. Pieprzyk, et al. (2009). Cybercrime Attribution: An Eastern European Case
Study. 7th Australian Digital Forensics Conference. Perth.
McMillan, R. (2006). "Gartner: Consumers to lose $2.8 billion to phishers in 2006." Retrieved
20 March 2007, from http://www.pcworld.com/article/id,127799/article.html.
McMillan, R. (2006). "'Rock Phish' blamed for surge in phishing." Retrieved 2 March, 2007,
from http://www.infoworld.com/article/06/12/12/HNrockphish_1.html.
Menn, J. (2010). Fatal system error: the hunt for the new crime lords who are bringing down
the Internet. New York, NY, PublicAffairs.
Messagelabs. (2009). "MessageLabs Intelligence: July 2009." from
http://www.messagelabs.com/resources/mlireports.
Miyamoto, D., H. Hazeyama, et al. (2005). SPS: A Simple Filtering Algorithm to Thwart Phishing
Attacks. Technologies for Advanced Heterogeneous Networks. K. Cho and P. Jacquet,
Springer Berlin / Heidelberg. 3837: 195-209.
Moore, T. and R. Clayton (2007). Examining the impact of website take-down on phishing.
Proceedings of the anti-phishing working groups 2nd annual eCrime researchers
summit. Pittsburgh, Pennsylvania, ACM: 1-13.
Moura, G. and A. Pras (2009). Scalable Detection and Isolation of Phishing. Scalability of
Networks and Services. R. Sadre and A. Pras, Springer Berlin / Heidelberg. 5637:
195-198.
Naraine, R. (2006). "Return of the Web Mob." from
http://www.eweek.com/article2/0,1895,1947561,00.asp.
Naraine, R. and D. Danchev. (2010). "Google-China cyber espionage saga - FAQ." Retrieved 2
May, 2011, from
http://www.zdnet.com/blog/security/google-china-cyber-espionage-saga-faq/5259.
Nazario, J. (2007). "Phishing Corpus." from
http://monkey.org/~jose/wiki/doku.php?id=PhishingCorpus.
Nomad, S. (2005). "Organized Cybercrime." from
http://www.dc214.org/notes/june_2005/dc214_sn_orgcrime.ppt.
Overseas Security Advisory Council (2009). Russia 2009 Crime & Safety Report: St. Petersburg,
Overseas Security Advisory Council.
Pamunuwa, H., D. Wijesekera, et al. (2007). An Intrusion Detection System for Detecting
Phishing Attacks. Secure Data Management. W. Jonker and M. Petkovic, Springer Berlin
/ Heidelberg. 4721: 181-192.
Parsons, M. (2004). "Twelve arrested for laundering phished funds." Retrieved 1 September,
2009, from http://news.zdnet.co.uk/security/0,1000000189,39153687,00.htm.
Passerini, E., R. Paleari, et al. (2008). Detecting and Monitoring Fast-Flux Service Networks.
Detection of Intrusions and Malware, and Vulnerability Assessment. D. Zamboni,
Springer Berlin / Heidelberg. 5137: 186-206.
Pfaffenberger, B. and D. Wall (1996). The 10 secrets for Web success : what it takes to do your
site right. Research Triangle Park, NC, Ventana.
Phair, N. (2007). Cybercrime : the reality of the threat. Kambah, A.C.T., Nigel Phair.
Plössl, K., H. Federrath, et al. (2005). Protection Mechanisms Against Phishing Attacks. Trust,
Privacy and Security in Digital Business. S. Katsikas, J. Lopez and G. Pernul, Springer
Berlin / Heidelberg. 3592: 20-29.
PRNewswire. (2006). "Microsoft Praises Bulgarian Authorities on Investigation and Arrest of
Alleged Phishing and Organised Crime Group." 2006, from
http://www.prnewswire.co.uk/cgi/news/release?id=162256.
Ramzan, Z. and C. Wueest (2007). Phishing Attacks: Analyzing Trends in 2006. CEAS 2007 - The
Fourth Conference on Email and Anti-Spam. Mountain View, California, USA.
Reuters. (2005, November 29, 2005). "Cybercrime now bigger than the drug trade." from
http://www.smh.com.au/news/technology/cybercrime-now-bigger-than-the-drug-trade
/2005/11/29/1133026443366.html.
Ridley, N. (2007). "Financial Crime Trends in Central and Eastern Europe." Economic Affairs
27(No. 1 March 2007): pp. 22-26.
Roth, M. P. (2010). Global organized crime : a reference handbook. Santa Barbara, Calif.,
ABC-CLIO.
Ryan, M., S. P. Savage, et al. (2001). Policy networks in criminal justice. Basingstoke, Hampshire
England ; New York, Palgrave.
Serio, J. D. (2008). Investigating The Russian Mafia. Durham NC, Carolina Academic Press.
Smith, R. G., P. N. Grabosky, et al. (2004). Cyber criminals on trial. Cambridge ; New York,
Cambridge University Press.
Soldatov, A. (2010). "Cyber wars." Retrieved 1 March, 2011, from
http://www.agentura.ru/english/equipment/.
Stabek, A., S. Brown, et al. (2009). The Case for a Consistent Cyberscam Classification
Framework (CCCF). Ubiquitous, Autonomic and Trusted Computing, 2009. UIC-ATC '09.
Symposia and Workshops on.
Stamp, P. (2005) "Increasing Organized Crime Involvement Means More Targeted Attacks."
Forrester Research.
Sturgeon, W. (2006). "Analysis: A globetrotter's guide to cyber crime." Retrieved 30 July,
2009, from
http://www.silicon.com/research/specialreports/ecrime/0,3800011283,39158777,00.htm.
Susilo, W. and Y. Mu (2006). Separable Identity-Based Deniable Authentication: Cryptographic
Primitive for Fighting Phishing. Public Key Infrastructure. A. Atzeni and A. Lioy, Springer
Berlin / Heidelberg. 4043: 68-80.
The President's Identity Theft Task Force (2007). Combating Identity Theft: A Strategic Plan.
The Spamhaus Project. (2009). "The 10 Worst ROKSO Spammers." Retrieved 21 July, 2009,
from http://www.spamhaus.org/statistics/spammers.lasso.
Thomas, J. H. (2008). Techcrafters and Makecrafters: A Comparison of Two Populations of
Hackers.
Topkara, M., A. Kamra, et al. (2005). ViWiD : Visible Watermarking Based Defense Against
Phishing. Digital Watermarking. M. Barni, I. Cox, T. Kalker and H. J. Kim, Springer Berlin /
Heidelberg. 3710: 470-483.
Transparency International. (2008). "Corruption Perceptions Index 2008." from
http://www.transparency.org/policy_research/surveys_indices/cpi/2008.
US Department of Justice (2008). Strategy to Combat International Organized Crime.
Varese, F. (2001). The Russian mafia : private protection in a new market economy. Oxford,
England ; New York, Oxford University Press.
deVel, O. (2000). Mining Email Authorship. KDD-2000 Workshop on Text Mining. Boston.
deVel, O., A. Anderson, et al. (2001). "Mining e-mail content for author identification forensics."
SIGMOD Rec. 30(4): 55-64.
Volkov, V. (2002). Violent entrepreneurs : the use of force in the making of Russian capitalism.
Ithaca, Cornell University Press.
Walker, F. (2006). Gone phishing ... gangs using Aussie kids to steal millions. Sydney Morning
Herald. Sydney.
Wall, D. (2001). Crime and the internet. New York, Routledge.
Wall, D. (2003). Cyberspace crime. Aldershot, Hants, England ; Burlington, VT, Ashgate.
Warne, D. (2007). "Romania a global hotspot for eBay fraud." APC Magazine May 2007. from
http://apcmag.com/romania_a_global_hotspot_for_ebay_fraud.htm.
Watters, P. A. (2002). "Discriminating English word senses using cluster analysis." Journal of
Quantitative Linguistics 9((1)): 77-86.
Watters, P. A. and S. McCombie (2011). "A methodology for analyzing the credential
marketplace." Journal of Money Laundering Control 14(1): 32-43.
Wilson, T. (2010) "More Than 80 Arrested In Alleged Zeus Banking Scam." Darkreading.
Winterford, B. (2007, 19 June 2007). "Westpac hit by DoS attacks." from
http://www.zdnet.com.au/news/security/soa/Westpac-hit-by-DoS-attacks/0,13006174
4,339278748,00.htm.
World Bank. (2007). "Education Statistics 2007 Version 5.3." from
http://web.worldbank.org/WBSITE/EXTERNAL/TOPICS/EXTEDUCATION/EXTDATASTATISTICS/EXTEDSTATS/0,,menuPK:3232818~pagePK:64168427~piPK:64168435~theSitePK:3232764,00.html.
Zenz, K. (2007). Global Threat Research Report: Russia. iDefense Security Report. iDefense,
Verisign.
Zenz, K. (2007). Uncovering Online Fraud Rings: The Russian Business Network. iDefense
Security Report. IDefense, Verisign.
Zheng, R., Y. Qin, et al. (2003). Authorship analysis in cybercrime investigation. Proceedings of
the 1st NSF/NIJ conference on Intelligence and security informatics. Tucson, AZ, USA,
Springer-Verlag: 59-73.