Phishing for your money
My grandmother has recently fallen victim to a bank phishing site. She got an email that looked completely legit but got suspicious when after filling it out it did not update her information like it was claiming to. She got it fixed before anything went missing but any way…
I got to thinking about this from the phishers point of view and I thought what good are these bank login details really? I mean sure they could transfer funds from each account they steal but they cant exactly transfer the funds directly into their personal bank accounts…
So how are they getting away with getting money out of peoples accounts?? Do they open a paypal account with bogus details and use that account to purchase goods or get cash(by buying a prepaid credit card etc.)?
I am contemplating writing my mid term paper on phishing so any insight into their methods of operation would help alot. It would be nice to write a paper on more than the typical boring definition of phishing paper. A paper with the type of detail I would like would definitely be something my teacher would enjoy reading and something I would be interested in learning about. I want to describe what happens to these details once stolen and how they can make a profit for the criminals who buy them. And I would like to describe why it is so hard to catch them, of course I need to know what it is they do to know this.
Anything like personal experience, interesting articles, news stories, video's similar to 'to catch an identity thief' etc., would all help tremendously… And speaking of to catch an id thief, why cant they arrest the people who are accepting goods bought with stolen credit cards shipped to their house constantly?
So you can use a stolen credit card to buy whatever you want and get it shipped straight to your house as long as you claim its being re-shipped to Africa?
Thanks for your time.
Phishing is a tough one. I don't quite get how people pull it off exactly, but I do to an extent. For the people who get things shipped to their house, they probably just say it was a gift. The people who steal bank account information, I believe they have accounts set up with someone elses account, or they have false information. It's kinda how you don't give your identity out online but to an entirely different level.
Phishing online to get someones account name and password is actually kinda easy and can be used to get peoples bank account, like happened with your grandmother, and can get more personal things that can really mess a person over. You just copy the script off of the page you want and when they put in their information and try to login you can have their information stored on the phishing site or many other things. It all fits together in the end.
I've had some experience with phishing in real life, but not any that I did. An example is at Defcon they had fake ATM machines set up with computers in them that stole your card number and they pretty much have full access to your bank account. Another example is somewhere out in Atlanta I believe people put scanners in legit ATM machines and stole information that way.
apescanfly223 wrote: My grandmother has recently fallen victim to a bank phishing site. She got an email that looked completely legit but got suspicious when after filling it out it did not update her information like it was claiming to. She got it fixed before anything went missing but any way…
I got to thinking about this from the phishers point of view and I thought what good are these bank login details really? I mean sure they could transfer funds from each account they steal but they cant exactly transfer the funds directly into their personal bank accounts…
So how are they getting away with getting money out of peoples accounts?? Do they open a paypal account with bogus details and use that account to purchase goods or get cash(by buying a prepaid credit card etc.)?
Well if you have all of a person's information, then it wouldn't be that difficult to open a credit card in their name, max it out, then move on to the next victim. Or the phisher can simply sell the personal information of the victim outright.
What's to stop somebody with all your information from becoming you? Not much, that's why identity theft is so prevalent.
I am contemplating writing my mid term paper on phishing so any insight into their methods of operation would help alot. It would be nice to write a paper on more than the typical boring definition of phishing paper. A paper with the type of detail I would like would definitely be something my teacher would enjoy reading and something I would be interested in learning about. I want to describe what happens to these details once stolen and how they can make a profit for the criminals who buy them. And I would like to describe why it is so hard to catch them, of course I need to know what it is they do to know this.
Anything like personal experience, interesting articles, news stories, video's similar to 'to catch an identity thief' etc., would all help tremendously… And speaking of to catch an id thief, why cant they arrest the people who are accepting goods bought with stolen credit cards shipped to their house constantly?
So you can use a stolen credit card to buy whatever you want and get it shipped straight to your house as long as you claim its being re-shipped to Africa? Thanks for your time.
I'm pretty sure that the criminals dumb enough to have stolen merchandise delivered to their house do in fact get caught. There is plenty of information available regarding phishing, and your question is fairly broad.
After reviewing my initial post I started to feel like my reply was more of a guideline to becoming a phisher so maybe you should start here: http://computer.howstuffworks.com/phishing.htm http://computer.howstuffworks.com/efencing.htm http://www.scmagazineus.com/phishing-declines-as-attackers-shift-strategy/article/147416/
There was another article I read today but can't seem to find about how phishing attempts are already underway regarding President Obama's healthcare speech yesterday.
Thanks for the replies guys. I understand the information that can be obtained through these stolen bank accounts can be bought and sold and used for all sorts of unscrupulous acts. But to be more specific the area I need help on is the following. Say the attackers successfully obtained my grandmothers details. And she had no clue her account was comprimised. They wouldn't leave any money she had in there, they would take it. How do they do this so they wont be caught?
For example: "They get away with credit card theft because they steal the details from across the ocean. They use cafe's for their internet so that the ip cant be linked back to them and they trick innocent people into accepting the stolen goods and re-shipping it to a general pickup point wherever they live, so they are never seen or have any direct contact with the stolen merchandise."
Then I have all bases covered for what happens to your information after it is comprimised. I did read there are multiple 'anonymous' money transfer companies, maybe thats how they do it? Or maybe an offshore bank account? I have no clue how this works but any more insight would be great.
A recent thing way of stealing someones money that I've seen lots of is setting up online gaming accounts were money is bet (such as poker) and then bringing the persons account into the game and loosing a fair chuck of money to an account you set up a while ago. Then you could play games with other people on both accounts to obscure it, and even have the money transfered over multiple accounts this way or then transfer it again through pay pal or donate money to a few random websites, one of them being yours. If you spread the money out enough, dont do it often, and change your methods often, it would become very hard to track someone through a network of mostly dead ends where money was transfered through many different accounts and pay methods. This way a majority of the money won't end up yours, but its one of the safest methods I've seen so far.
Another way it can be done, Theoretically is using eBay.
I set up two accounts, one being a seller account and another being an account with your grandmothers details and bank account details attached.
I put up for sale a phone or HDTV, something expensive. Buy it with the grandmothers account and send payment. On the sellers account I accept the payment and mark the goods as sent, Log back into the grandmothers account and mark it as Item received.
No goods exchanged hands but ebay don't know this. The money is transfered and the seller can claim complete deniability about everything, claiming he was just selling a phone and sent it out ect.
How well this would work, I wouldn't know. Proxies would have to be used so paypal/bank and ebay couldn't link the two accounts through the IP's that logged them in.
;D
The second link I posted: http://computer.howstuffworks.com/efencing.htm goes into using sites like eBay to fence stolen goods. It's basically what Mosh and Freq are talking about.
MoshBat wrote: eBay isn't used for fraud that much, paypal is usually required, and that's too much work to set up quickly…
You're right, that's why the more successful phishing scams are usually pulled off by a group of people. Each person performing a specific task to streamline the operation. One person trying to accomplish all the aspects of phishing would indeed be a tremendous pain in the ass.
Phishing Exposed: http://books.google.com/books?id=kRFKA7hkyUEC&printsec=frontcover&dq=phishing+exposed#v=onepage&q=&f=false
That book has all the information needed to write a report on phishing.
Goods can be delivered to a dropbox rented in a fake name, giving total anonymity for high value goods to be delivered. Kids can then sometimes be used to pick up the goods.
By offering a kid outside £20 to get a package out of a dropbox, if the kid gets caught he doesn't know who you are, if they don't get caught, they get £20 out of it.