% fortune -ae paul murphy

Using mail for phishing

The standard phishing scams still catch enough people to justify the small costs and low risks involved - but there's a better way.

From the bad guy's perspective traditional phishing has costs and benefits. On the cost side there are a few hundred dollars to buy a million-name target list, a few dollars to handle the emailing, either some real effort or a few thousand dollars to get the website and related scam components set up, and some risk of prosecution.

The benefits have been gradually decreasing as phishing's successes have made people more aware of internet banking risks: where five years ago a few thousand people might respond to a million-name emailing, phishers now get a few hundred - and because the internet sophistication displayed by those who fall for these scams is correlated with income, there's usually less to steal too.

Worse, the likelihood of prosecution has been going up - or, more precisely, law enforcement has steadily reduced the harvest window: the interval from sendout to having to shut down the servers and scuttle for cover.

So what's a phisher to do?

My wife just received a letter from our friendly national bank card carrier that included a new credit card, the information that one of our cards had been compromised, and the 800 number to call to activate the replacement.

Activation required knowledge of the old card number, its expiry date, the recognition code, and the two-digit check code - everything a phisher needs to strip the account.

The overall process wouldn't be hard to phish. Since you can buy cardholder name lists that have pretty good accuracy for a few thousand bucks, printing up 100,000 fake cards, sending them out, and manning an 800 line that redirects to somewhere whose police don't want to co-operate with American or international agencies - like Cuba, Syria, or Venezuela - might cost the bad guy a grand total of maybe four hundred thousand up front and about a quarter of that for the next 100,000.

That might sound like a lot - but my guess is the card companies would be extremely lucky if one cardholder in ten checks the 800 number in the letter against the real one - and a phishing operator in Haiti is not distinguishable by accent or mannerism from the real thing in Bangalore.

Worse, although using snail mail runs the bad guy afoul of more laws and takes longer, the scam is almost certainly safer overall because it would take the banks and police forces much longer to respond effectively - after all, what's a bank going to do: use email or telemarketing to warn its customers about the scam?

As it turned out, the letter we got was naive but genuine - but your next one may not be, because sooner or later some bad guy is going to do this - and take at least a few hundred dollars from each of tens of thousands of victims.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.