THE GUERRILLA BAZAAR: Lessons from Phishing Networks
Christopher Abad, a research scientist at Cloudmark (a spam filtering company) has done some amazing analysis on the phishing marketplace. Phishing is a method of identity theft that uses fake e-mails and bogus websites to entice unwary consumers to disclose financial information (account details, credit card numbers, personal data). This data is captured and used in financial fraud. It is a big business. To deconstruct a phishing network Christopher used an automated data collection system that monitored chat rooms and activity on compromised servers. He found that the network consisted of loosely affiliated groups with lots of horizontal specialization rather than vertically integrated gangs. He proposed the following structure for the phishing micro-economy (see diagram for more detail):
- Automated unregulated chat rooms. This network, often controlled by bots (code that automates activities and allows remote management), provides the basis for marketplace. It provides an efficient and secure method for discovering information and conducting transactions.
- Specialists: Mass e-mailers. Those individuals that specialize in sending large volumes of e-mail (sometimes through worm enabled bot networks). These e-mails initiate contact with the consumer. Template providers. Design specialists in creating the look and feel of financial institution e-mails and websites. Server managers. Individuals that can compromise Web servers and operate them remotely without detection. These servers collect information from consumers.
- Cashers. Buyers of financial information that can use it to generate bogus ATM cards and other financial frauds.
The 21st Century criminal economies like the phishing economy seen above demonstrate the same degree of decentralized self-organization we see in the market for IED (improvised explosive devices) manufacture/deployment in Iraq. Both markets aren't controlled by any single gang, or even a collection of gangs. Instead, they consist a large network of individuals (and or small groups) that trade, sell, share, and collaborate to make money and generate desired effects. Additionally, both networks exhibit strikingly high levels of:
- Efficiency. The costs for component services are low and very competitive. Financial information can cost as little as $0.50 a record. Emplacement of an IED can cost $50.
- Innovation. New methods of attack and new target sets are constantly being discovered. Both groups rapidly leverage open Internet information to refine their target set. For example: In the case of phishing, the security community's chatter provides insight into corporate vulnerabilities and exploits. Iraqi guerrillas use Google maps to plot ambushes and IED emplacement.
- Resiliency. Able to resist discovery and network-wide collapse. One major factor in their resilience is their ability to transcend national boundaries and leverage a lack of local organic control (street level enforcement).
The arrival of these "black" networks have the following ramifications:
- Network wars. These networks are not a single entitiy. They can go to war. For example: Russian bot farmers recently attacked (denial of service) Chechen web sites in retaliation for terrorist activity against Russian targets.
- Generic networks. Skill sets from one network type can transfer to the other. The same technologies and techniques used for phishing and other criminal networks can be used to improve the efficiency of terrorist networks and provide a means of self funding. Generic networks that combine criminal enterprise and terrorist/guerrilla activity are growing. We see this in Iraq today with the fluid market for hostages.
- Rapid Growth. As global connectivity increases, the Gap increases faster than the Core (or non-state vs. state). A growth of a global community of virtual TAZs (temporary autonomous zones) will use technology to rapidly expand gaps generated transnational barriers to coordination and areas of local chaos. The lowest common denominator applies and these autonomous areas can be rapidly exported globally, including to those areas currently under state control.
Congratulations, John. You made Abad's bibliography.
The following is a more direct link to Abad's research:
http://firstmonday.org/issues/issue10_9/abad/
Posted by: vox | Tuesday, 15 November 2005 at 03:18 PM