Phishing Supply Chain

May 16, 2006

I was in Helsinki last week to talk about phishing at an IT security conference, and after presenting a slide that shows the 'supply chain' of phishing, one of the attendees asked if I would describe phishing as organized crime.

My answer was that it wasn't anything of the sort. It might look like an international version of good old organized crime, and it's certainly not the one-man-hacker-show it used to be a few years ago, but there's nothing orchestrated about phishing or, for that matter, online financial fraud.

Email collection is self-explanatory: someone has to harvest the Internet for email addresses to which a fraudulent email–the first step in any phishing attack–is distributed. Some harvesting techniques involve the use of automatic tools that surf the Net and look for new email addresses, for example in forums and user groups. Other techniques are more sinister: anything from hacking into databases to stealing email addresses directly from your Outlook. The result is a CD full of email addresses that anyone can buy for a few dollars so they can launch a shady spam campaign or, in our case, a malicious phishing attack. So if you're a phisher, that's the first thing you need.