Black Hat Lifts the Cover Off ID Theft Phishing Networks
By Ryan Naraine
2008-02-20
Researchers warn that the whack-a-mole approach to disabling fake banking sites is a huge waste of time.
WASHINGTON—A four-month investigation into the inner workings of the phishing scourge that drives identity theft attacks has uncovered an underground ecosystem of compromised Web servers, do-it-yourself phishing kits, brazen credit card thieves and lazy code copycats.
At the Black Hat DC Briefings here, security researchers Billy Rios and Nitesh Dhanjani shared the findings of their investigation into the phishing epidemic and warned that the whack-a-mole approach to disabling fake banking sites is a huge waste of time.
"I was floored by what's out there," Rios said. "They call them 'fullz' on the phishing sites ... full names, credit card numbers, ATM numbers with PIN codes, social security numbers, addresses, phone numbers, all publicly available. It's staggering."
Rios, a security engineer at Microsoft (he conducted the phishing research as a private citizen), said the characteristics of many phishing schemes suggest that most of the attackers are unskilled and lazy copycats.
"Basically, they're using Google to find [vulnerable] Web servers and using do-it-yourself phishing kits to set up the attack. We're not dealing with sophisticated ninja hackers," he said, pointing to one scenario where a phisher was stealing data from another phisher.
In that case, the identity thief was using code ripped from a phishing kit and never realized that every piece of data he/she was stealing was being e-mailed to the author of the phishing kit.
"It was coded right into the kit. One was stealing from the other without much effort," Rios said.
During the course of their investigation, Rios and Dhanjani used verified phishing sites from the PhishTank project and followed a trail of clues that led to carder sites (where credit card data is traded) and phishing forums.
"We were able to find about 100 phishing kits, with the name of every bank in the world hard-coded into the kit. The extent of this is pretty staggering."
Armed with basic information from the kits, Dhanjani explained how phishers use simple Google queries to uncover significant amounts of personally identifiable information.
"If you're a business targeted by phishers, whether you're PayPal or a bank, you're playing whack-a-mole," Dhanjani said. "As an industry, we're spending all our resources on finding phishing URLs, mapping them to IP addresses and calling up ISPs to get them taken offline. It's become difficult and cumbersome."