Phishing the long line: transnational cybercrime from Eastern Europe to Australia

The purpose of this research is to examine the involvement of Eastern European cybercrime groups (EECGs) in phishing and related cybercrime impacting Australia. Then, given those findings, explore what can be done to reduce the problem. Research focuses on the Australian experience but in the context of what is a global problem. This thesis is organised into six chapters. -- The first chapter sets out the aims and scope of the study, and the structure of the thesis. It explains the background to the problem from a historical, political, technical and legal perspective. It also reviews the Phishing literature. -- In the second chapter, the money laundering aspects of this crime are examined. To recover the proceeds of the fraudulent transactions the attacker must direct the funds firstly to an Internet money mule within Australia. The Internet money mule is then directed to wire the money overseas using a service such as Western Union. The demographic profile of Internet money mules that are used for this activity is explored through the examination of archival data. The data was obtained from one Australian financial institution and related to 660 Internet money mule incidents during 2007. Additionally, data was also obtained from the High Tech Crime Operations section of the Australian Federal Police detailing the laundering of proceeds of Phishing in Australia to overseas locations for the period from September 2004 to October 2010. It shows a significant majority of those transactions were directed to Russia and other states of the former Soviet Union. -- In the third chapter, an ethnographic study of EECGs is conducted including a major case study of the first Internet Bank phishing attacks in Australia in 2003. This identified a number of Ukrainians who were instrumental in these early attacks and their methodology. These attacks were the first of their kind globally. The chapter also examines why these countries have an environment which favours this activity. -- In the fourth chapter, the cybercrime marketplace, which supports phishing and related cybercrime by providing a market for the various tools needed for phishing and the proceeds of that cybercrime, is examined to further explore the modus operandi of these groups. From analysis of data from two Internet Relay Chat (IRC) channels used for this trade an initial methodology for further understanding of how compromised credentials are traded in online marketplaces is developed. -- In the fifth chapter, phishing artefacts are examined to establish links between attacks and any featurs, which might indicate the source is Eastern Europe. This research looked at data available from one Australian financial institution for July 2006. In this work an e-mail archive and response records for 71 unique Phishing incidents were examined with a view to ascertain whether incidents could be grouped by attacker. This work revealed that six identified groups accounted for all but two of the incidents. Three of the groups accounted for 61 of the 71 incidents. In addition, an apparent work schedule by day and time was established consistent with a European time zone. -- In the sixth and final chapter, a phishing attack model of these groups is constructed, a theory of cybercrime operations based on this work is proposed and options capable of being deployed to disrupt the phishing attack model are identified. In particular it identifies that the money laundering aspects of the phishing are the greatest weakness in the Phishing attack model. Methods to focus on the activity of Internet money mules and wire transfer agents, such as Western Union, would be more beneficial than the current reliance on technical controls.