Phishing in the Dark

October 16, 2009


The day had finally arrived for Andrew McCormick.  Hours earlier, the sponsor of baseball’s All-Star game had officially announced what had been long rumored – they would be giving away free tickets, accommodations, and travel for ten lucky winners.

Andrew sent off an email that would reach millions of people across the country.

Dear Kosmopolitan Bank customer:

Earlier today, Kosmopolitan Bank, in partnership with Major League Baseball, announced a very exciting contest for our valued customers.  We are giving away sets of four (4) All-Star game tickets, hotel accommodations, and air travel to ten lucky winners!  The grand prize winner will throw out the first pitch at this year’s All-Star game.

To enter, simply visit the contest web site at

On behalf of all of the employees of Kosmopolitan Bank, I would like to thank you for 75 years of patronage.  I hope to see you at the game!


J. Robert Dobbs

CEO, Kosmopolitan Bank Holdings

The web site was not affiliated with the actual bank, of course.  Andrew had spent much time copying many visual elements from the bank’s actual web site.  Visitors to his site were greeted by a page that looked identical to the bank’s official site.  On the first screen, the visitors were asked for their mailing address (so that the tickets could be sent to them if they won) and their birthdate (must be 21 years old to enter).  After filling out the initial screen, they were directed to a second screen.  The second screen asked the visitors to verify that they were indeed a customer of Kosmopolitan Bank.  The screen asked for the visitor’s credit card number, but of course did not ask for the expiration date.  Asking for the expiration date raised too much of a red flag, and really, it wasn’t necessary.  It was child’s play to run the numbers against an authorization program to determine the correct expiration date.  After all, the number of dates was relatively finite.

Andrew sat down at the table and made himself a ham and swiss sandwich.  Certainly, it would only be a few minutes before the first numbers came dribbling in, but he wouldn’t be able to project the extent of his harvest for at least an hour or two.  In his early days as an information broker, he would sit, transfixed, at his computer, waiting for the first couple of numbers to be sent to him.  He had gained much wisdom in his old age, however, and the twenty-five-year-old Andrew had the patience to attend to other tasks while the process ran.

Andrew flipped on the TV.  COPS was on again.  It was one of Andrew’s favorite shows – he was amazed at how dumb some of the criminals were.  Andrew finished his sandwich and watched the law enforcement personnel put an end to the chase by surrounding the vehicle.  The guy staggered out – clearly drunk or under the influence of drugs – and suddenly found a dozen guns pointed right at him.  Andrew chuckled.  What a moron.

When the show ended, Andrew channel surfed until he found a baseball game.  He didn’t particularly care about either team, but one of the pitchers had a no hitter through five innings, so Andrew left the TV on the game.  It was bad luck to switch channels when a no-no was in progress.  The pitcher carried the no hitter into the eighth inning.  It was broken up by a clean single to center field – amazingly, the runner was then thrown out trying to stretch the hit into a double.  Andrew chuckled again.  The morons were out in large numbers tonight.

Andrew deserted the game and went back to his computer.  He already had 5,617 numbers.  This was a good yield.  Based on the trending analysis for his previous projects, he estimated that he would gather about 65,000 numbers before authorities shut the site down.

Andrew sent a coded message to his client.  They quickly negotiated a fair price for the numbers.  Andrew and the client had a great working relationship.  Andrew’s data always contained a very high percentage of valid numbers (because his sites looked very authentic), and the client accepted the fact that a certain percentage of the data would be bogus – people who figured out the scam and entered false data.  Some guys could be a real dick about the bad data, but his client knew that it was the nature of the beast.

Exhausted from the day’s activities, Andrew crawled into bed and fell asleep – dreaming of newer and bigger adventures.

3 Comments

  1. Patti
    Oct 16, 2009 @ 12:32:51

    Why was credit card info requested? There was no product being offered for purchase.

    I’d like to know if this Kosmopolitan Bank received any of the Government’s Bailout Handout.


  2. kosmo
    Oct 16, 2009 @ 12:57:02

    The credit card info was asked in order to verify that the person was a customer of the bank (issuer of the card). Only customers were eligible.

    (Couldn’t the bank have used the info from the first screen to verify this? Sure – but Andrew needed to give some sort of a reason to ask for the information).

    I bet you’d be surprised how many people would fall for this exact scam, if it was well executed. A lot of people don’t think things through as thoroughly as they should.


  3. Lazy Man and Money
    Oct 20, 2009 @ 20:02:27

    I could see how this would catch quite a high percentage of people if executed correctly as you say.

