We are currently in the process of compiling the upcoming Symantec Internet Security Threat Report. I am putting together the phishing sections for the Asia-Pacific and Europe, Africa, and Middle East ISTRs. One of the things that we've noticed is that there are several instances of very small countries hosting high numbers of phishing Web sites. Obviously this raised the question of why this would be.
After we'd gone through related data—bot-infected computers, spam zombies, phishing hosts, etc.—we couldn't come up with any data that would explain this emerging phenomenon. We asked ourselves what in the political-economic profiles of these small nations would make them attractive for, or susceptible to, phishing Web sites, when one of our analysts pointed out that they are often used to host online gambling sites. In part, this is because gambling sites that use real money (as opposed to free poker sites, for instance) are illegal in the United States. In other countries, online gambling is legal, but can only be operated out of countries that have been approved by the government, such as Antigua, Costa Rica, and the Dutch Antilles. In Canada, the Kahnawake native reserve is hosting online gambling despite the fact that it is illegal to do so in that country.
One of the reasons that the United States government decided to ban online casinos is that they are seen as a good opportunity for organized crime (and other ne’er-do-wells) to launder ill-gotten money. Indeed, that appears to be one of the motives behind phishing online gamblers. Phishers can set up online gambling accounts using stolen credit card numbers and victims’ identities. They can then launder dirty money by exchanging funds through the pots of games they set up amongst themselves. (As a non-phishing aside, it appears that botnets can also be used to launder money through online gambling sites. In this scenario, bots can be pre-programmed to win or lose, thereby transferring dirty money to a chosen winner.)
Phishing can be used to steal money from online gamblers’ accounts. In this scenario, phishers could steal players' email information and then send them spoofed emails claiming that the player has money in his or her account. The message would include a link to a spoofed Web page that asks the user to enter his or her account information. This information can then be used to steal credit card information.
In October 2006, the US Congress made it illegal for banks and credit card companies to process payments from gambling sites. As a result, online gambling sites are often hosted outside the United States. Some of the hosting countries or regions include a First Nation territory in Canada, Costa Rica, the Dutch Antilles, and Antigua. Online gambling sites may be prone to spoofing because they are often hosted in countries with relatively lax security measures. As one related article stated, “the fact that the US authorities have driven much of the online gambling and payment processing activity underground raises serious concerns about just how secure some of these sites are.” Symantec doesn’t currently have visibility into whether phishing activity we are seeing in smaller countries is necessarily linked to online casinos, but when it comes to online gambling, it may be one of the better bets you’ll place.