Going Undercover in the Slimy World of Phishing

A security analyst learns the lingo and gains cyber-crooks' trust to penetrate the phishing underworld.

Jason Harbert was a terrible spammer.

The research scientist for Cloudmark recently spent weeks monitoring the phishing community's chat rooms and forums, learned the lingo, earned some trust, and even received kits from the fraudsters who set up scam pages that steal victims' personal data. Then he went and hurt the criminals' feelings after not coming through on the spam delivery.

But he did come out of the experience with extensive data and insight on every aspect of the underground marketplace, including how the attacks are orchestrated and how phishing kits work—including their structure, so-called "brain files" and even new pyramid schemes linked to the spread of the kits.

After weeks of undercover research into the phishing community, Cloudmark contends that the availability of these automated phishing kits, costing $10 or $20, has made it a breeze for novices to start up operations and has caused a sharp rise in phishing attacks.

Hacker toolkits are nothing new. Recent news reports have even pointed to certified ethical hacking toolkits for sale on eBay, such as in this expired listing, which contained similar items still for sale as of Sept. 21.

Security vendor Tier-3, headquartered in Sydney, shrugs off the proposition that these above-ground sales are above-board in their connection to ethical hacking certification, saying that they contain surreptitious Trojan loaders and Web site hacking utilities that can be used for criminal black-hat hacking.



"It basically puts high-level hacking tools … into the hands of almost any Internet user—including novices—providing they have an eBay and PayPal account," said Tier-3 CTO Geoff Sweeney in a statement.


Sweeney said that where previously would-be hackers "had to score brownie points to gain access to the hacker forums and source the kits"—as did Harbert—the fact that they are now on open sale on eBay is "very worrying."

Although he hasn't looked at the eBay kits, Harbert said that if what Sweeney claims is true, the ethical kits are likely being used to commit cyber-crimes. "Most ethical hacking courses focus [on] techniques, rather than hacking kits, per se," Harbert said. "But, there may be ethical hacking kits that I'm not aware of. If there are, it is almost certain that they would be leaked to the black-hat hackers and used for fraudulent activities."

The number of phishing reports hit an all-time high of 55,000 in April, according to a trend report put out at the time by the Anti-Phishing Working Group.

The rise in phishing attacks, Cloudmark says, is due both to the profits involved and the ease of carrying them out. Phishing kits—aka "scam pages" in the phishing community—are a collection of files to create a comprehensive phishing site.

The individual components work to automatically collect, store and send a victim's personal information back to the phisher. They're widely available, the company says, and typically cost $10 to $20, often sold in a group with multiple kits targeted to specific financial institutions or organizations, such as Bank of America or eBay.

Harbert described the phishing community as being made up of specific roles and jobs. The role of a spammer, for example, is to create and send e-mail messages with a link to the phishing site. Spammers often use botnets to send messages in bulk in a short period of time. Using botnets means spammers can hit the inboxes of a large number of people before anti-spam products latch onto the message within the spam and begin to filter for it.

Another role in the community is that of the casher. These community members advertise their services in cashing out compromised bank accounts, such as Wells Fargo accounts.
