Phishing gets sophisticated goes international

Phishers have targeted users of Apple Inc.’s iTunes music store with sophisticated identity theft attacks for the first time (Computerworld, Gregg Keizer May 20, 2008).

People began receiving spammed messages yesterday telling them that they must correct a problem with their iTunes account, said Andrew Lochart, an executive at e-mail security vendor Proofpoint Inc.

A link in the spam leads to a site posing as an iTunes billing update page; that phony page asks for information, including credit card number and security code, Social Security number and mother’s maiden name.

According to PC World Cloudmark, an anti-spam company, put the word out about a new type of email phishing scam targeting banking customers. These fake emails don’t provide a URL for you to click–you’re much too smart for that. Rather, they provide a phone number, which calls into a voice mail system that asks for your account number.

According to Cloudmark, what’s new here is the criminal use of VoIP and PBX (private branch exchange) software to set up a voice-mail system that sounds like your bank. The process is cheap and easy, thanks to VoIP and open-source PBX software such as Asterisk. The same low-cost setup that’s enabling small businesses to sound professional is enabling small-time scam artists to do the same.

They had quite a gig going, until a coalition of feds and foreign partners busted it up.

In a pair of related cases announced on Monday, a total of 38 people with links to global organized crime—mostly working out of Romania and the U.S., but also operating in Pakistan, Portugal, and Canada—were indicted for engineering a decidedly 21st century cyber-based scheme.

It was rooted in what has become a fairly routine online crime: “phishing,” a form of cyber seduction where you get an e-mail that looks like it’s from your bank or another trusted institution but is really a way to con you into giving up personal information (PINs, social security numbers, credit card information, etc.)…along with its up-and-coming second cousin, “smishing,” which carries on the same ruse via text messaging.

But what these criminals allegedly did—at least in the case based in Los Angeles—took this scheme a few steps farther, giving the online scam a clever offline payoff and ultimately swindling thousands of people and hundreds of financial institutions out of millions before being shut down.

Here’s how it generally worked:

Fraudsters working primarily out of Romania—known as the “suppliers”—went phishing and obtained thousands of credit and debit card accounts and related personal information by sending out masses of spam. 
These suppliers then sent their ill-gotten financial data to their partners in the U.S.—so-called “cashiers”—through Internet chat and e-mail messages.
By using some sophisticated but readily available software and technologies, the cashiers manufactured their own credit, debit, and gift cards encoded with the stolen information, giving them unfettered access to large amounts of money via ATMs and point-of-sale terminals. 
Before these cards were used, cashiers directed “runners” to test the cards by checking balances or withdrawing small amounts of money from ATMs. Then, these “cashable” cards were used on the most lucrative accounts. 
To bring the scheme full circle, the cashiers wired a percentage of the illegal proceeds back to the suppliers.

Show on map