Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Database
    • Networking

    Black Hat Lifts the Cover Off ID Theft Phishing Networks

    By
    Ryan Naraine
    -
    February 20, 2008
    Share
    Facebook
    Twitter
    Linkedin

      WASHINGTON-A four-month investigation into the inner workings of the phishing scourge that drives identity theft attacks has uncovered an underground ecosystem of compromised Web servers, do-it-yourself phishing kits, brazen credit card thieves and lazy code copycats.
      At the Black Hat DC Briefings here, security researchers Billy Rios and Nitesh Dhanjani shared the findings of their investigation into the phishing epidemic and warned that the whack-a-mole approach to disabling fake banking sites is a huge waste of time.
      “I was floored by what’s out there,” Rios said. “They call them “fullz” on the phishing sites … full names, credit card numbers, ATM numbers with PIN codes, social security numbers, addresses, phone numbers, all publicly available. It’s staggering.”
      Rios, a security engineer at Microsoft (he conducted the phishing research as a private citizen), said the characteristics of many phishing schemes suggest that most of the attackers are unskilled and lazy copycats.
      “Basically, they’re using Google to find [vulnerable] Web servers and using do-it-yourself phishing kits to set up the attack. We’re not dealing with sophisticated ninja hackers,” he said, pointing to one scenario where a phisher was stealing data from another phisher.
      In that case, the identity thief was using code ripped from a phishing kit and never realized that every piece of data he/she was stealing was being e-mailed to the author of the phishing kit.
      “It was coded right into the kit. One was stealing from the other without much effort,” Rios said.
      During the course of their investigation, Rios and Dhanjani used verified phishing sites from the PhishTank project and followed a trail of clues that led to carder sites (where credit card data is traded) and phishing forums.
      “We were able to find about 100 phishing kits, with the name of every bank in the world hard-coded into the kit. The extent of this is pretty staggering.”
      Armed with basic information from the kits, Dhanjani explained how phishers use simple Google queries to uncover significant amounts of personally identifiable information.
      “If you’re a business targeted by phishers, whether you’re PayPal or a bank, you’re playing whack-a-mole,” Dhanjani said. “As an industry, we’re spending all our resources of finding phishing URLs, mapping them to IP addresses and calling up ISPs to get them taken offline. It’s become difficult and cumbersome.”

      Stop Using ATMs

      He even pointed to a weakness in the anti-phishing blacklists that maintain databases of malicious phishing URLs. In some cases, the URLs expose the administrator username and password, meaning that any attacker can use data from blacklists to pounce on compromised servers.
      “If I’m a phisher, all I have to do is go to a blacklist and help myself to compromised hosts. If they’re compromised, they already have a backdoor for all kinds of malicious activity,” Dhanjani explained.
      On one verified phishing site, Dhanjani and Rios typed in a fake username/password scheme and intercepted the POST request to see where the data was being sent.

      “It was going to a guestbook site, posting the username and password in plain text. We went to that site and found about 59,000 bank credentials,” Rios said.
      On another compromised server, the researchers found that directory indexing had been turned on, showing exactly where the phishing backdoor was set up. “Whoever set this up didn’t bother to password-protect this. We were able to get access to the backend PHP script to see what he was doing.”
      With information gleaned from the PHP script, the researchers punched a few search queries into Google and hit pay dirt.
      “Just in the Google summary, without clicking through to the [phishing] site, we were staring at people’s names, bank account numbers, PIN numbers, mother’s maiden names. Within a matter of 15 minutes, we were looking at everything they had stolen,” Dhanjani said.
      He showed screenshots of Web forums that were advertising sensitive data for sale ($15 for a complete identity or 15 cents if you’re purchasing in bulk) and other sites that contained multiple ready-to-use, easy-to-deploy phishing kits.
      Rios also found information on ATM skimmers-hardware that can be slotted onto legitimate ATM machines-that can hijack full magnetic stripe data and even store every entry made on an ATM keypad.
      “I’ve stopped using ATMs. After what I’ve seen on those sites, I’m just too paranoid,” Rios said.

      Avatar
      Ryan Naraine

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×