How Many Spams Can a Scammer Scam If a Spammer Can Scam Spams?
See if you can say that headline three times fast. I absolutely love the scamming-the-scammer stories because they're generally so convoluted that they're almost funny (that is, if you can forget for a moment that there are thousands of victimized consumers involved.)
The latest tale of deceit and intrigue from the criminal underground comes from CipherTrust, an e-mail security company based in Alpharetta, Ga. The company monitors online spam and fraud forums to keep up with the latest junk e-mail trends, and some discussions the company's experts spotted over the weekend indicate that "carders" -- or individuals who deal in stealing, selling and/or cashing in on stolen credit card data -- are starting to break into the spam-scamming business.
According to CipherTrust, some carders are signing up as spammers. But instead of sending out any spam, the carders use stolen credit-card information to purchase products from whoever is running a spam operation, like an online pharmacy or a pirated software business. By generating more sales to the spam operation, the carders can earn a cut of the sales.
Normally, the way a spamming outfit works is that a "sponsor" organizes the entire operation: He obtains a product or creates a service to "sell" via spam, then sets up the Web sites and the powerful Internet servers that keep the spam sites online under heavy traffic loads (or attacks from anti-spam vigilantes). The sponors also creates the merchant accounts needed to process credit card transactions for the goods that will be advertised through spam e-mails. The sponsor then hires a bunch of spammers who manage the actual sending of millions of spam e-mails (the spammers generally use targeted e-mail lists and send the spam through personal computers that have been infected with a computer worm that configures them to relay junk e-mail.) In most spam operations, the sponsor will pay a spammer between 40 and 50 percent of all sales that a spammer's e-mail campaign generates. So if an e-mail sent by a spammer generates $200 in sales at a online drugstore, that spammer makes between $80 and $100 off of that purchase.
Sounds like a match made in scammer heaven, right? The carders generate extra sales, and everyone involved takes a bigger cut. But in reality, the spam sponsors are getting scammed. When carders charge up lots of activity, it causes serious problems for the sponsor, who all of sudden has to deal with a much higher percentage of chargebacks when fraud victims find boxes of generic Viagra stuffed into their snail-mailboxes before they even discover that a credit card has been compromised. Chargebacks also mean higher credit-card processing fees and draw unwanted attention from merchant account operators, banks and law enforcement.
"Basically, we're seeing the carders and phishers starting to look for other ways to make money and starting to discuss new methods of making profits from their scams," said Dmitri Alperovitch, a research scientist with CipherTrust.
The truth is that in the online criminal underground, there is honor among thieves -- and even fairly intricate systems for checking on fellow crooks to make sure they're not going to rip you off or (worse yet) get you busted. In any scam, be it spamming, phishing (impersonating trusted online sites), or carding (squeezing actual goods or cold hard cash out of stolen credit card accounts), the greatest risk comes from dealing with unfamiliar criminals. These are the individuals -- often teenagers -- who think they can outfox other scammers or game the system. And just like in real life, the system always adjusts, adopting new mechanisms for separating the respectable scammers from the "rippers."
At any rate, it occurred to me that we may actually have a scam that the PR folks at various security companies haven't yet managed to label with an oh-so-clever name. So perhaps you can coin the next security slang-word. "Philching" maybe? "Pharding?" Use the comments section below to weigh in with your ideas.
By Brian Krebs |
May 23, 2006; 2:21 PM ET
Fraud
,
From the Bunker
,
Misc.
Previous: Microsoft: Hackers Exploiting Unpatched Flaw in MS Word |
Next: Mozilla to End Support for Older (1.0.x) Firefox Versions
Posted by: Patrick | May 23, 2006 4:07 PM
Pharding? Come on. Where the heck did Phishing come from anyway? Yeah, I know Password Harvesting, but I think the IA business should shy away from these cutsie media-esque terms like phishing, pharming, 'zero-day' and 'in the wild.' It's already hard enough to people to agree on what exploit, vulnerability and risk are.
Call it what it is. E-commerce fraud. e-Fraud if you have to use a catch phrase. More accessable than Pharding. Pharding? Jeez.
Posted by: Tim Bilbro | May 23, 2006 4:28 PM
Tim, that naming thing was meant to be sort of a joke, and not really the point of the whole post, just an aside. I don't much like those terms either. Still, just because it's childish shouldn't stop us from having a little fun...or should I say, phun.
Posted by: Bk | May 23, 2006 4:35 PM
But instead of sending out any spam, the carders use stolen credit-card information to purchase products from ***whoever*** is running a spam operation, like an online pharmacy or a pirated software business.
from ***WHOMEVER***
Posted by: preston | May 23, 2006 5:22 PM
Interesting story, thank you Brian.
Posted by: DOUGman | May 23, 2006 5:40 PM
how does the green grass grow? how should I know?
Posted by: Anonymous | May 23, 2006 7:03 PM
i found the answer. please resend.
Posted by: Bk | May 23, 2006 7:42 PM
Just Digged this - maybe some one will come up with a good name
http://digg.com/security/Scammers_who_Cheat_Spammers_-_Latest_Tactic
Posted by: Search Engines Web | May 23, 2006 11:56 PM
Very interesting post, Brian. This reminds of the movie "Donnie Brasco" where Pacino's character is explaining to Depp's the difference between "a friend of mine" (a connected guy) and "a friend of ours" (a made man). Is online crime going to become more organized due to the risk of dealing with unknown fellow unknown scammers? It seems that they may end up facing the same problems with trust and identity that financial instituions are struggling with. How ironic would it be if they come up with a good identity solution before the banks do.
Posted by: Qian Wang | May 24, 2006 11:22 AM
Spam and scams are horribleI use an Apple computer and the spam scam fols are looking for you Microsoft users
Posted by: William D. Tomany | May 24, 2006 1:36 PM
preston:
But instead of sending out any spam, the carders use stolen credit-card information to purchase products from ***whoever*** is running a spam operation, like an online pharmacy or a pirated software business.
"whoever" is correct. It is in the nominative case because it is the subject of "is running a spam operation."
Posted by: SL | May 24, 2006 2:11 PM
I hate fraud in any form. However, scamming is as old as mankind. For a great fiction book about casino fraud, check out DEADMAN'S POKER. As a 70ish year-old retired teacher, I am intrigued by the amount of work that goes into scams. If the scumbags would put as much time in on reputable businesses, how much better this ol' world would be.
Posted by: Susan Dawson | May 24, 2006 3:39 PM
I think I have just become the victim of a new form of internet fraud. Somebody hacked my web site and uploaded an ebay phishing mask and then sent out emails referencing that mask at my domain. The page was up at the most 10 hours before I shut it down. However the next day I was threatened by fax to be taken to court for $3000.00 plus maybe jail time. I was offered to settle for $250.00. Supposedly my domain is connected with the domain that collects the data from the phishing form. Anyway, I am a bit suspicious here, seems like the people that want me to bilk over $250.00 are in cahoots with, or the same as the hackers. Has anybody heard of similar stuff before?
Posted by: Michael B. | May 31, 2006 8:55 PM
Pardon for that, but i found new site about custom motorcycle , and wanted to give it A+, just check it: http://iq-automotive.org/custom-motorcycle2
Posted by: custom | October 3, 2006 10:15 AM
The comments to this entry are closed.
Pscamming, maybe Pscimming. I think I like Pstinging (after the movie "the Sting") the best.