How to Commit Cyber Fraud: The Phishing Expedition
Phishing attacks are used to steal information, particularly debit and credit card information. I have used this kind of cyber fraud to enrich myself even if this is a criminal talent. I consider it a legitimate job but actually it involves stealing other people’s money. Most of my victims are organizations, banking and financial institutions. These organizations are earning millions and billions of dollars, while I only need a portion of the lion’s share.
This essay was conceived for the purpose of presenting it to my teacher and not to commit a crime. My major objective is to inform others how cyber criminals steal data from users with the use of emails and websites. I have to make this narration as dramatic as possible.
Cyber crime is a new way of committing a crime. I mastered this art such that I don’t get caught easily. Sometimes, after stealing money from other accounts, I close my bank account, get all the cash and spend it alone wherever I enjoy.
I have worked with Trojans and malicious software for quite some time now. After graduation from a computer programming course, I found myself employed in a financial institution and it was there that I enriched my knowledge on how the institution authenticates customers’ accounts. I studied carefully the rules of the game, and with my knowledge in programming I learned how to transfer accounts by means of malware and Trojans. I can transfer contents of users’ accounts to my account. When I perfected this skill, I resigned from my job and became self-employed.
First of all, I have my own security measures installed. I don’t reveal my true identity, nor provide personal information in bank or credit applications. As much as possible, I use several aliases. My email accounts also bear false information and I use internet cafes in my daily browsing. I have my own personal computer, which is not at my residential address.
Phishing uses malicious code, but there are software programs that detect malicious code, so the best way is to make your code less visible to the experts employed by banks and financial institutions, whose main job is to trace malicious code like mine. One significant malicious code that I have propagated is the Trojan. As we know, the Trojan horse got its name from Greek mythology as a form of a gift, but inside this wooden horse were soldiers whose mission was to destroy and seize the city of Troy. Now, in the cyber world, Trojans are used to retrieve data purposely to get financial information or to circulate it to inflict damage on whoever owns that information. The purpose is to retrieve data, or to destroy the organization’s financial data.
I can use several stages to avoid detection. The organization I am planning to attack may not detect it even if it has sophisticated anti-malware software, because I am targeting its customers, the people who give life to the organization. This is attacking the organization indirectly by way of attacking its customers.
The application of malicious code is increasing because the cyber world is growing, and there’s a lot of money in this virtual world. Phishers and malicious code attackers target ‘areas’ in the virtual world where there is a lot of money, or where there is information on credit and debit cards. The existence of this form of commerce has motivated hackers and ‘cyber thieves’ to increase and propagate. Banks and financial institutions also have sophisticated anti-hacking software, so it is difficult to retrieve information from these high-profile institutions. Once I am able to circumvent the institution’s sophisticated software, I have to create a new variant and might be able to sell the information to others. To be successful in retrieving information from financial institutions is a feat, and only a few attackers succeed. This can provide me higher returns as there will be less competition in this area. Verisign iDefense is an organization with software that detects some of my attacks. I have to make my phishing expeditions more discreet and sophisticated to be able to evade iDefense, which sees attacks focusing on financial institutions, banks, and even auction sites.
I am very resourceful in this kind of job because it requires a lot of skill and perseverance. The Trojan is designed to steal valuable financial information. This personal information is confidential data that describes the users’ background and other financial details.
Personal information can be useful in retrieving passwords since some people use their date of birth in providing passwords for their accounts. Credentials are sometimes useless as banks and financial institutions increase their security methods through advanced authentication systems. When this is the case, I am left with retrieving supporting information.
Before I attack, I set the objective, i.e. whether to steal money or just to create chaos in the organization. Stealing money is the best move. I have to execute my scheme in a step-by-step process when stealing money from an organization.
Let me describe one activity that I usually do. There is one scheme called distribution, which is an activity of making malicious code done in several ways that can provide a great amount of success while the target will have no chance of ‘escape.’ Distribution is not just like infection, although both have the same objective. My ultimate goal is to infect the victims with malicious code. The strategy involves separate users in the distribution and infection processes. I can use spam attachments or provide malicious code, and distribute through IFrames. IFrames (or inline frames) can be used to load content and are described by pixel size, for example 0 x 0. The use of IFrames is a wonderful idea because this technology can distribute malicious code to steal a lot of money. But IFrames involve several middlemen in the attack who may come from different distant places or countries. The Trojan is what I would like to describe here.
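From the defender's side, the 0 x 0 IFrame described above is exactly what a page auditor looks for. The following is an added example, not part of the original essay: a small Python scanner that parses HTML and flags iframes sized or styled to be invisible to the user. The sample page and its hostnames are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: one visible embed plus two hidden iframes
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.com/embed/1" width="640" height="360"></iframe>
<iframe src="http://203.0.113.5/x.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="//dropzone.example.net/l.html" style="display:none; width:1px; height:1px"></iframe>
</body></html>
"""


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and records why it would be invisible, if it would."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Zero- or one-pixel dimensions: nothing a user could see or click.
        for dim in ("width", "height"):
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        # Inline CSS that hides the frame or shrinks it to a pixel.
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if re.search(r"(width|height):[01]px", style):
            reasons.append("tiny in style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    """Return [(src, reasons)] for every iframe that a user would not see."""
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings


if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src}: {', '.join(why)}")
```

Run over crawled or proxied pages, the `src` values it reports are the leads worth checking against threat intelligence; a legitimate site rarely needs a zero-pixel frame pointing at an outside host.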
Distribution is a method used to infect by means of malicious code where service providers are tapped for this purpose. Distribution is effective if I am able to infect the user’s system with malicious code. Sometimes I distribute engineering attacks to a number of users. Sometimes I’m successful in retrieving financial information from many users, all at the same time. This is the power of the Trojan. Successful infection means social engineering no longer works on the users I attacked, and my attacks have intercepted users by means of spam. Their anti-virus was defeated by my Trojan.
I can make money out of stolen data by selling it. Just like real thieves, I sell everything I have stolen, from credit and debit card numbers, account numbers, account credentials, or even individual transactions between users that I come across. I have ready buyers for the voluminous data I have stolen. These buyers may be individuals or organizations whose businesses also involve stealing information. In this kind of job, I sometimes perform as the actual thief or as a middleman, whatever makes me money. I target financial institutions because all of their data are useful to me. The data that are not useful can still be sold to people with the same ‘career’ as mine. I have no means to move stolen money in large amounts and conduct clandestine operations with people under me. The simplest thing to do is to sell accounts and credentials retrieved from my Trojans.
The last stage of my operation is to convert the fruits of my labor into cash. I have devised ways to convert stolen accounts and information into money. Credit and debit card transactions are universal. These are done in many parts of the world. Although security measures to prevent credit and debit card fraud have been in place even before internet commerce became popular, I have learned that only a few have been caught. This is what inspires me to commit more fraud over the internet, or send my Trojans to wherever they can provide me with lots of information and more money. I use stolen credit cards to get money. This is what we call “carding.”
There are several steps in storing and retrieving confidential information. The username and password technique still works in some organizations, but big organizations use complex methods of authentication. I have to counter this method. I send Trojans that will operate on whatever authentication institutions inject in their systems. I know institutions are studying how Trojans work; I do the same to them. I study their every move as I make myself less visible to them.
I also use information-stealing software known as keystroke logging, which records the keys pressed on the keyboard. Data are produced by the letters, including spaces, line breaks, and backspaces. Keystroke logging can be attached to a Trojan and other technologies like remote administration tools (RATs). Keystroke logging has been popular with Trojans like BackOrifice, Netbus, and SubSeven. Trojans have installed keyloggers to collect voluminous stolen data. But there are limits to keystroke logging, since it cannot steal ‘form data’ on websites, although it still can give me a lot of information. When my infected victims type their credit card number and personal information on an e-commerce site, I have their log-in information in my record.
My Trojan can also take screenshots and capture mouse movement. But many banks use virtual keyboards which use applets or scripting languages that Trojans cannot copy. Trojans are also used to retrieve passwords and usernames from sites using a protected storage system. As financial organizations require digital certificates from their users, Trojans are also designed to steal certificates from victims. In my years of experience, I attack every known authentication system of banks and financial institutions. Most Trojans steal data from banks that I do not intend to steal. When I am able to steal data that I do not need, I simply resell it.
One type of Trojan that I have been introduced to is known as Nanspy, which also victimizes financial institutions. This Trojan is produced in a generic Internet Relay Chat (IRC) ‘bot’ which adds keystroke logging. It is distributed by services like IFrameCash and victimizes banks in the United States, Australia, New Zealand and the United Kingdom. I have not expanded my criminal operation outside the United States, so my banks are confined to this country.
I also use a Trojan that prevents anti-virus from functioning. Pinch is an enemy of Windows Firewall and Kaspersky anti-virus. Pinch3 Gate provides code on the internet or in emails, or both. Pinch is simple, effective, and has wider uses. It obtains information from many of the users’ programs and websites. Stolen accounts can be used in hosting malicious code. There are many malicious codes mistaken for Pinch although they do not come from the Pinch toolkit. The fact is they contain similar features that anti-virus vendors detect.
Trojans are very useful to me and have given me enough funds to proceed with my other operations. I will continue these phishing attacks because the authorities have not discovered me and it is less likely that they will uncover my activities in the near future. For as long as there are debit and credit cards used in ecommerce, I will continue my phishing expeditions. There are other generic techniques that I will continue; one of these is grabbing, which allows me to capture important information from financial institutions. I will use my Trojans to circumvent whatever means of authentication institutions have devised, for example two-factor authentication. Authentication systems and anti-viruses will still have to defeat my Trojans. There is an exciting world in cyber space.