May 17, 2010

Phishing may not be the most sophisticated form of cyber crime, but it can be a lucrative trade for those who decide to make it their day jobs. Indeed, data secretly collected from an international phishing operation over 18 months suggests that criminals who pursue a career in phishing can reap millions of dollars a year, even if they only manage to snag a few victims per scam.

Phishers often set up their fraudulent sites using ready-made “phish kits” — collections of HTML, text and images that mimic the content found at major banks and e-commerce sites. Typically, phishers stitch the kits into the fabric of hacked, legitimate sites, which they then outfit with a “backdoor” that allows them to get back into the site at any time.

About a year and a half ago, investigators at Charleston, S.C.-based PhishLabs found that one particular backdoor that showed up time and again in phishing attacks referenced an image at a domain name that was about to expire. When that domain finally came up for grabs, PhishLabs registered it, hoping that they could use it to keep tabs on new phishing sites being set up with the same kit.

The trick worked: PhishLabs collected data on visits to the site for roughly 15 months, and tracked some 1,767 Web sites that were hacked and seeded with the phishing kit that tried to pull content from the domain that PhishLabs had scooped up.

PhishLabs determined that most of the phishing sites were likely set up by a single person — a man in Lagos, Nigeria, who PhishLabs estimates was responsible for about 1,100 of the phishing sites the company tracked over the 15-month experiment.

“This guy was setting up two to three new phishing sites each day,” PhishLabs founder and president John LaCour said. “If you accept conservative estimates, that this guy is stealing about 10 [sets of] banking credentials per phish, and that conservatively each of these stolen credentials causes $500 in losses, we’re talking about more than $4 million a year he’s probably making.”

When PhishLabs plotted the guy’s daily online activity, the resulting graph displayed like a bell curve showing the sort of hourly workload you’d typically see in a regular 9-5 job, LaCour said. “In the middle of the day he’s super busy, and in the mornings and evenings he’s not. So this is very much his day job.”
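The two analyses described above, the sinkholed image domain used to enumerate hacked sites carrying the kit and the hour-of-day workload curve, can be reproduced from the sinkhole's own web-server logs. This is an added example, not PhishLabs' code: the kit's hot-linked asset path `/img/logo.gif`, the Apache-style log lines and the UTC+1 offset for Lagos are all assumptions; each request's Referer header names the hacked site hosting a copy of the kit, and the first time a site is seen stands in for when the phisher set it up.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample lines (Apache combined log format) as the sinkholed
# domain would record them. The kit hot-links /img/logo.gif (assumed path),
# so the Referer of each hit points at a hacked site hosting the kit.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Mar/2010:14:02:11 +0000] "GET /img/logo.gif HTTP/1.1" 200 512 "http://example-shop.test/~joe/bank/login.php" "Mozilla/5.0"
203.0.113.5 - - [03/Mar/2010:14:05:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 512 "http://example-shop.test/~joe/bank/confirm.php" "Mozilla/5.0"
198.51.100.9 - - [03/Mar/2010:09:17:03 +0000] "GET /img/logo.gif HTTP/1.1" 200 512 "http://hacked-blog.test/wp-content/secure/index.html" "Mozilla/5.0"
198.51.100.9 - - [04/Mar/2010:15:44:59 +0000] "GET /img/logo.gif HTTP/1.1" 200 512 "http://another-victim.test/images/.ebay/" "Mozilla/5.0"
192.0.2.44 - - [04/Mar/2010:15:50:01 +0000] "GET /robots.txt HTTP/1.1" 404 208 "-" "Googlebot/2.1"
"""

KIT_ASSET = "/img/logo.gif"  # assumed: the image the phish kit pulls from the sinkhole
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def kit_hits(log_text):
    """Yield (utc_datetime, referring_host, referer_url) for every request
    that fetched the kit's asset and carried a Referer header."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != KIT_ASSET or m["ref"] == "-":
            continue  # unrelated request (crawler, probe) or no Referer
        host = urlparse(m["ref"]).hostname
        if not host:
            continue  # malformed Referer, nothing to attribute
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield when, host.lower(), m["ref"]

def hacked_sites(log_text):
    """Distinct hacked sites hosting the kit, with the number of hits each sent."""
    return Counter(host for _, host, _ in kit_hits(log_text))

def setup_hours(log_text, utc_offset_hours=0):
    """Hour of day at which each site was first seen (a proxy for when it was
    set up), shifted into an assumed local time zone (Lagos would be +1)."""
    first_seen = {}
    for when, host, _ in kit_hits(log_text):
        if host not in first_seen or when < first_seen[host]:
            first_seen[host] = when
    shift = timedelta(hours=utc_offset_hours)
    return Counter((t + shift).hour for t in first_seen.values())
```

Over a real 15-month log the second histogram is what would show the 9-to-5 bell curve the article describes; repeated hits from one referring host also flag a live kit that the site's owner should be notified about.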

Successful though he may be, the Nigerian phisher spied on by PhishLabs is a small fry compared to some of the more organized phishing gangs in operation today. According to a report (pdf) released last week by the Anti-Phishing Working Group, an industry consortium, roughly two thirds of all phishing attacks in the second half of last year were the work of one organized crime gang known as the “Avalanche” phishing operation. Incidentally, experts believe this is the same gang responsible for spamming out the copies of Zeus and other Trojan horse programs that have been used in the attacks on small businesses I have been chronicling for the past year.

13 thoughts on “Teach a Man to Phish…”

  1. InfoSec Pro

    So did the PhishLabs folks eventually do anything to take this guy down? Or are they accessories before and after the fact of his ongoing thefts?

    Seems like the info they got would be actionable by law enforcement. At the very least they could and should be able to shut down the 1100 phishing sites, and also to notify the owners and hosts of the 1767 hacked sites to get them cleaned up and hardened against future attacks.

    1. John LaCour

      @InfoSec Pro –
      When we first noticed this fraudster, PhishLabs reported the criminal’s email address and name to the federal cyber-police in the country containing most of the affected banks. Unfortunately, we did not receive a response.

      One of the conclusions of our study is that phishing attacks, with some exceptions such as those related to the Avalanche botnet, tend to be treated as unique events when in fact an attack is often perpetrated by one of a small number of prolific phishers. The result is that phishing incidents are often not pursued by law enforcement (and not reported to law enforcement by the affected organization).

      Regarding notification of hacked site owners and shutting down phishing sites, we did report many of them to the affected site owner or service provider, but resource constraints dictate that we focus on the anti-phishing, anti-malware and other cyber-defense services we provide to our clients. Also, most of the attacks were independently discovered and pursued for shutdown anyway. That said, we do believe in doing as much as we can to help secure the Internet. Over the course of our history we have shutdown thousands of scam sites for free and recovered and reported literally millions of stolen banking credentials and compromised email accounts to the affected companies – also without charge.

  2. Arctic Hare

    “If you accept conservative estimates, that this guy is stealing about 10 [sets of] banking credentials per phish, and that conservatively each of these stolen credentials causes $500 in losses, we’re talking about more than $4 million a year he’s probably making.”

    Why are these reasonable estimates? Why not an average of 5, or 20, or 100 or zero instead of 10 per phish? Why $500 per set of credentials? Mathematically I’d express the estimate thus:

    [Sites per year] x [Absolutely no clue] x [Absolutely no clue] = $4 million.

    1. BrianKrebs Post author

      @Arctic Hare: Check out last week’s story

      “After filtering the results, Hong said his team found roughly 200,000 hits on 1,285 URLs — or about 156 hits per URL — that were very likely clicks from people who would have given away financial data and/or passwords at phishing Web sites had those sites still been active at the time. That may seem like a lot of victims per phishing site, but while the average number of filtered hits per URL was 100-300 per month, the median is quite low, from 2-7 per month.”

      So 2-7 hits per phish might be more accurate, but even so, that’s pretty close.

      1. Arctic Hare

        OK, but then there are sanity check problems. Hong finds an average, not median, of 156 hits per site. The APWG found 126k sites for the second half of 2009:

        So that gives 156 x 126k x 2 = 39 million victims/yr and at $500 each phishing is a $19.6 billion/yr business.

        Unless we believe that there were 39 million victims last year either the APWG numbers are way off, or there’s a large bias in what Hong looked at.

        1. BrianKrebs Post author

          The bulk of the phishing scams perpetrated in the last year and measured by the APWG appear to have been the work of a single organized crime gang, and account for 2/3 of the phishing scams out there.

          I don’t think you can put the average phisher’s attacks in the same category of sophistication as these organized criminals.

          Also, Hong told me and indeed I reported that most of the phishing attacks he tracked had very few victims, between 2 and 7 victims per scam. That’s why stating what the mean and median are in any kind of analysis like that can be so important, because they can be radically different.

          Read the next paragraph in the story:

          “That means there are some really “successful” phishing attacks that many people click on, probably either because a huge number of spam e-mails advertising that fake site were sent, or because the phishing e-mails were particularly compelling. However, the majority of phishing campaigns appear to be quite unsuccessful, in that they don’t hook a lot of people, Hong said.”

          1. Arctic Hare

            You are hard to follow here. I agree that the median is a better estimate than the average of what a random small-timer makes. No dispute about that. But if we want to use Hong’s estimate of the median we need to know his sample is unbiased. The fact that it predicts 39 million victims/yr suggests that it is not.

            Hong says it’s a longtail phenomenon; but his analysis is based on 1285 sites, which is less than 1% of the sites that APWG reports for 6 mos. How do we know that this 1% is representative? If not, then this median is not a good estimate of the Nigerian guy’s return.

      2. Rick Zeman

        Well, hits don’t necessarily extrapolate to potential victims. I follow phishing links all the time (on a Mac, of course), usually to just check out its sophistication, or to just fill in the forms with a few choice obscenities or three. 🙂

  3. QQ

    If cybercrime did not pay people would not commit it.

    I find it truly hard to believe that 1 guy is making 4 million US dollars a year while living in Nigeria. 4M$ in Nigeria is probably equal to 40-50M in USA. Having this sum in such a country means you can forget all your financial worries for good. Why keep going for 15 months?

    Statistics often lie and do not represent the reality. There are very few people (if any at all..) that made millions with spam, fake AVs, botnets, trojans or for this case phishing.

    It is likely possible to make a living with the income of being a full-time cybercriminal in a big cybercrime gang, but 1 guy in Nigeria doesn’t sound true to me.

    1. Brandon

      Something to keep in mind: while it’s one guy in Nigeria, there is nothing to show he is the one keeping the money. He might be a very busy person who is good at creating phishing sites but he may only be getting 1%-2% of the total income, if that. He very well could be part of a larger crime syndicate.

      I agree with you that it’s very doubtful he is getting all of the proceeds from his work. Even half would make him extremely noticeable by the local governments and authorities.

      It’s hard to make an educated guess of the structure beyond the stats gathered in this study. I still find the study interesting and informative, but it’s hard to say, beyond what this person does, what sort of organization is behind this, if this is truly a one-guy operation and how much he actually gets from the proceeds.

      1. KFritz

        Agreed. OP’s skepticism seems automatic, ad hominem.
        That said, 1) PhishLabs’ concept is excellent, 2) they exercised due diligence reporting their work to officialdom and enterprise, 3) but they’re not criminologists or financial analysts, so the monetary estimates can’t be considered gospel.
        Also, whether individual or group, it’s plainly a day job for person/people w/ regular work habits.

    2. AlphaCentauri

      It may not all be for personal use. He may be raising money for a military or terrorist organization within Nigeria (where there are frequent attacks against petroleum industry targets) or in neighboring countries. Being a warlord and feeding an army isn’t cheap.

      Also, do we know for certain he’s in Nigeria himself, rather than using a proxy located there?

  4. KFritz

    My favorite graphic, at least since Security Fix became KrebsonSecurity! Love the treble hook.
