WASHINGTON-A four-month investigation into the inner workings of the phishing scourge that drives identity theft attacks has uncovered an underground ecosystem of compromised Web servers, do-it-yourself phishing kits, brazen credit card thieves and lazy code copycats.
At the Black Hat DC Briefings here, security researchers Billy Rios and Nitesh Dhanjani shared the findings of their investigation into the phishing epidemic and warned that the whack-a-mole approach to disabling fake banking sites is a huge waste of time.
“I was floored by what’s out there,” Rios said. “They call them “fullz” on the phishing sites … full names, credit card numbers, ATM numbers with PIN codes, social security numbers, addresses, phone numbers, all publicly available. It’s staggering.”
Rios, a security engineer at Microsoft (he conducted the phishing research as a private citizen), said the characteristics of many phishing schemes suggest that most of the attackers are unskilled and lazy copycats.
“Basically, they’re using Google to find [vulnerable] Web servers and using do-it-yourself phishing kits to set up the attack. We’re not dealing with sophisticated ninja hackers,” he said, pointing to one scenario where a phisher was stealing data from another phisher.
In that case, the identity thief was using code ripped from a phishing kit and never realized that every piece of data he/she was stealing was being e-mailed to the author of the phishing kit.
“It was coded right into the kit. One was stealing from the other without much effort,” Rios said.
During the course of their investigation, Rios and Dhanjani used verified phishing sites from the PhishTank project and followed a trail of clues that led to carder sites (where credit card data is traded) and phishing forums.
“We were able to find about 100 phishing kits, with the name of every bank in the world hard-coded into the kit. The extent of this is pretty staggering.”
Armed with basic information from the kits, Dhanjani explained how phishers use simple Google queries to uncover significant amounts of personally identifiable information.
“If you’re a business targeted by phishers, whether you’re PayPal or a bank, you’re playing whack-a-mole,” Dhanjani said. “As an industry, we’re spending all our resources of finding phishing URLs, mapping them to IP addresses and calling up ISPs to get them taken offline. It’s become difficult and cumbersome.”
Stop Using ATMs
He even pointed to a weakness in the anti-phishing blacklists that maintain databases of malicious phishing URLs. In some cases, the URLs expose the administrator username and password, meaning that any attacker can use data from blacklists to pounce on compromised servers.
“If I’m a phisher, all I have to do is go to a blacklist and help myself to compromised hosts. If they’re compromised, they already have a backdoor for all kinds of malicious activity,” Dhanjani explained.
On one verified phishing site, Dhanjani and Rios typed in a fake username/password scheme and intercepted the POST request to see where the data was being sent.
“It was going to a guestbook site, posting the username and password in plain text. We went to that site and found about 59,000 bank credentials,” Rios said.
On another compromised server, the researchers found that directory indexing had been turned on, showing exactly where the phishing backdoor was set up. “Whoever set this up didn’t bother to password-protect this. We were able to get access to the backend PHP script to see what he was doing.”
With information gleaned from the PHP script, the researchers punched a few search queries into Google and hit pay dirt.
“Just in the Google summary, without clicking through to the [phishing] site, we were staring at people’s names, bank account numbers, PIN numbers, mother’s maiden names. Within a matter of 15 minutes, we were looking at everything they had stolen,” Dhanjani said.
He showed screenshots of Web forums that were advertising sensitive data for sale ($15 for a complete identity or 15 cents if you’re purchasing in bulk) and other sites that contained multiple ready-to-use, easy-to-deploy phishing kits.
Rios also found information on ATM skimmers-hardware that can be slotted onto legitimate ATM machines-that can hijack full magnetic stripe data and even store every entry made on an ATM keypad.
“I’ve stopped using ATMs. After what I’ve seen on those sites, I’m just too paranoid,” Rios said.