HomeKnow your Enemy: Phishing

Further Observations - Fund Transfer

Sat, 08/16/2008 - 13:53 — drupal

Our research has also shed light on how phishers use captured information about bank accounts, for example, an account number with associated TAN (transaction number used in electronic banking). Since foreign currency transfers are monitored by most banks, phishers cannot simply transfer large amounts of money from one country to another without alerting the financial authorities. Phishers therefore have to use intermediaries to transfer money for them - in a two stage process the phisher transfers money from the victim's bank account to a bank account of an intermediary in the same country. The intermediary then withdraws the money from their bank account (less a percentage remuneration for providing the service) and sends it to the phisher, for example by surface mail. Of course, the intermediary could be caught, but as the phisher's money is already in transit they do not face too much risk and can easily change to channel their funds through a replacement intermediary. An example email demonstrating some of the financial structures behind phishing attacks is show below:

Hello!
We finding Europe persons, who can Send/Receive bank wires
from our sellings, from our European clients. To not pay
TAXES from international transfers in Russia. We offer 10%
percent from amount u receive and pay all fees, for sending
funds back.Amount from 1000 euro per day. All this activity
are legal in Europe.
Fill this form: http://XXX.info/index.php (before filling
install yahoo! messenger please or msn), you will recieve
full details very quickly.
_________________________________________________________

Wir, europ?ische Personen findend, die Bankleitungen
davon Senden/erhalten k?nnen unsere Verk?ufe, von
unseren Kunden von Deutschland. STEUERN von internationalen
?bertragungen in Russland nicht zu bezahlen. Wir
erh?lt das Prozent des Angebots 10 % vom Betrag und
bezahlt alle Schulgelder, um Kapital zur?ck zu senden.
Betrag von 1000 Euro pro Tag. Diese ganze T?tigkeit
ist in Europa gesetzlich.
F?llen Sie diese Form: http://XXX.info/index.php (bevor
die F?llung Yahoo installiert! Bote bitte oder msn), Sie
recieve volle Details sehr.

Thank you, FINANCIE LTD.

This is a poor translation from English to German, probably computer-generated, and it suggests that the attackers are not native English speakers. Since the money will be transferred to Russia, the attacker probably originated from this country. This behaviour is becoming increasingly common as phishing activities become more organised.