Stop Using ATMs

By Ryan Naraine  |  Posted 2008-02-20

He even pointed to a weakness in the anti-phishing blacklists that maintain databases of malicious phishing URLs. In some cases, the URLs expose the administrator username and password, meaning that any attacker can use data from blacklists to pounce on compromised servers.

"If I'm a phisher, all I have to do is go to a blacklist and help myself to compromised hosts. If they're compromised, they already have a backdoor for all kinds of malicious activity," Dhanjani explained.

On one verified phishing site, Dhanjani and Rios typed in a fake username/password scheme and intercepted the POST request to see where the data was being sent.

"It was going to a guestbook site, posting the username and password in plain text. We went to that site and found about 59,000 bank credentials," Rios said.

On another compromised server, the researchers found that directory indexing had been turned on, showing exactly where the phishing backdoor was set up. "Whoever set this up didn't bother to password-protect this. We were able to get access to the backend PHP script to see what he was doing."

With information gleaned from the PHP script, the researchers punched a few search queries into Google and hit pay dirt.

"Just in the Google summary, without clicking through to the [phishing] site, we were staring at people's names, bank account numbers, PIN numbers, mother's maiden names. Within a matter of 15 minutes, we were looking at everything they had stolen," Dhanjani said.

He showed screenshots of Web forums that were advertising sensitive data for sale ($15 for a complete identity or 15 cents if you're purchasing in bulk) and other sites that contained multiple ready-to-use, easy-to-deploy phishing kits.

Rios also found information on ATM skimmers (hardware that can be slotted onto legitimate ATM machines) that can hijack full magnetic stripe data and even store every entry made on an ATM keypad.

"I've stopped using ATMs. After what I've seen on those sites, I'm just too paranoid," Rios said.

