Also, do we know for certain he’s in Nigeria himself, rather than using a proxy located there?

Like or Dislike: 2  2

@BrianKrebs

You are hard to follow here. I agree that the median is a better estimate than the average of what a random small-timer makes. No dispute about that. But if we want to use Hong’s estimate of the median we need to know his sample is unbiased. The fact that it predicts 39 million victims/yr suggests that it is not.

Hong says it’s a longtail phenomenon; but his analysis is based on 1285 sites, which is less than 1% of the sites that APWG reports for 6 mos. How do we know that this 1% is representative? If not, then this median is not a good estimate of the Nigerian guy’s return.

Hot debate. What do you think? 4  4

Well, hits don’t necessarily extrapolate to potential victims. I follow phishing links all the time (on a Mac, of course), usually to just check out its sophistication, or to just fill in the forms with few choice obscenities or three.

Well-loved. Like or Dislike: 8  1

The bulk of the phishing scams perpetrated in the last year and measured by the APWG appear to have been the work of a single organized crime gang, and account for 2/3 of the phishing scams out there.

I don’t think you can put the average phisher’s attacks in the same category of sophistication as these organized criminals.

Also, Hong told me and indeed I reported that most of the phishing attacks he tracked had very few victims, between 2 and 7 victims per scam. That’s why stating what the mean and median are in any kind of analysis like that can be so important, because they can be radically different.

Read the next paragraph in the story:

“That means there are some really “successful” phishing attacks that many people click on, probably either because a huge number of spam e-mails advertising that fake site were sent, or because the phishing e-mails were particularly compelling. However, the majority of phishing campaigns appear to be quite unsuccessful, in that they don’t hook a lot of people, Hong said.”

Well-loved. Like or Dislike: 6  1

So that gives 156 x 126k x 2 = 39 million victims/yr and at $500 each phishing is a $19.6 billion/yr business.

Unless we believe that there were 39 million victims last year either the APWG numbers are way off, or there’s a large bias in what Hong looked at.

Like or Dislike: 4  3

My favorite graphic, at least since Security Fix became KrebsonSecurity! Love the treble hook.

Hot debate. What do you think? 6  3

Agreed. OP’s skepticism seems automatic, ad hominem.
That said, 1)Phishlabs concept is excellent, 2)they exercised due diligence reporting their work to officialdom and enterprise,3) but they’re not criminologists or financial analysts, so the monetary estimates can’t be considered gospel.
Also, whether individual or group, it’s plainly a day job for person/people w/ regular work habits.

Well-loved. Like or Dislike: 6  2

Something to keep in mind, while its one guy in Nigeria, there is nothing to show he is the one keeping the money. He might be a very busy person who is good at creating fishing sites but he may only be getting 1%-2% of the total income, if that. He very well could be part of a larger crime syndicate.

I agree with you that its very doubtful he is getting all of the proceeds from his work. Even half would make him extremely noticeable by the local governments and authorities.

Its hard to make an educated guess of the structure beyond the stats gathered in this study, I still find the study interesting and informative but its hard to say beyond what this person does, what sort of organization is behind this, if this truly a one guy operation and how much he actually gets from the proceeds.

Well-loved. Like or Dislike: 12  0

If cybercrime did not pay people would not commit it.

I find it truly hard to believe that 1 guy is making 4 million US dollars a year while living in Nigeria. 4M$ in Nigeria is probably equal to 40-50M in USA, Having this sum in such a country means you can forget all your financial worries for good. Why keep going for 15 months?

Statistics often lie and do not represent the reality, There are very few people (if any at all..) that made millions with spam,fake AVs, botnets,trojans or for this case phishing.

It is likely possible to make a living with the income of being full time cybercriminal in a big cybercrime gang, but 1 guy in Nigeria, doesn’t sound true to me.

Hot debate. What do you think? 8  5

@InfoSec Pro -
When we first noticed this fraudster, PhishLabs reported the criminal’s email address and name to the federal cyber-police in the country containing most of the affected banks. Unfortunately, we did not receive a response.

One of the conclusions of our study is that phishing attacks, with some exceptions such as those related to the Avalanche botnet, tend to be treated as unique events when in fact an attack is often perpetrated by one of a small number of prolific phishers. The result is that phishing incidents are often not pursued by law enforcement (and not reported to law enforcement by the affected organization).

Regarding notification of hacked site owners and shutting down phishing sites, we did report many of them to the affected site owner or service provider, but resource constraints dictate that we focus on the anti-phishing, anti-malware and other cyber-defense services we provide to our clients. Also, most of the attacks were independently discovered and pursued for shutdown anyway. That said, we do believe in doing as much as we can to help secure the Internet. Over the course of our history we have shutdown thousands of scam sites for free and recovered and reported literally millions of stolen banking credentials and compromised email accounts to the affected companies – also without charge.

Well-loved. Like or Dislike: 38  2