Phishing Group Caught Stealing From Other Phishers
An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them.
Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month."
But seriously, this is good news! It is always good news (for law-abiding people) when crooks start feeding off each other.
The real "Libtards" are the Libertarians!
Hey, it's open source. Information wants to be free. It's all about sharing. Why shouldn't the developer of the phishing kit get some reward from the organization that profits from repackaging his code?
If they really wanted to do it right, they could just pool all their resources and split the rewards. They could even invite others to join in, with a BotNet@Home project. Lend your computer to the BotNet, and get a prorated share of the take from stolen credit cards credited to your PayPal account.
...phishers phish phishers... Say that five times fast.
Except they are actually double feeding off innocent people.... some poor chap's info gets stolen by both the guy who deployed the phishing kit and the guy who wrote it.... which means it's probably at least twice as likely to get used for fraud.
Phish from a man and you take advantage of him for a day.
Give a man a phishing kit and you take advantage of him for a lifetime.
(of course by "man" we mean spotty-faced script kiddie, and by "lifetime" we mean until he wipes his hard disk, but proverbs are meant to be pithy and brief, not accurate.)
Soylent Green is peoplicious!
they aren't really feeding off each other, just more off YOU. Both thieves get a crack at your cc#. Would you rather have rung up $4000 on your card, or $8000?
I work for the Department of Redundancy Department.
Here's his site: http://thebadboys.org/Brain/
.. you just can't trust malware anymore!
Really though, this is nothing new. IIRC, some builds of Sub7 had a reverse backdoor (not covered in the wiki article), as well as a master password that let the Sub7 crew take over a server (covered by the wiki article), and some builds even included hard drive killer when the master password was in use.
What is stopping a law enforcement agency from putting out a 'phishing' kit that actually phished the phishers?
It reminds me of the ol' days on instant messaging when people would pass around a supposed 'Nuke' program that would allow them to reboot people's computers, only to discover that their own computer crashed soon after.
Problem is, they're not feeding on each other; the feeding order is not circular, but rather pyramidal. The smart and resourceful ones get even richer through the bottom-feeders' "work".
The grass is always greener on the other side of the light cone.
I wait until I am at work to read those emails, I'm not going to risk my own computers.
However, Google is your friend. Within 30 seconds of looking over the Netcraft article for helpfully unique strings, I found it. And went looking with lynx.
They've got ready-rolled scams for abbey.co.uk, bankofamerica.com, cahoot.co.uk, chase.com, egold.com, ebay.com, hsbc.co.uk, lloydstsb.com, moneybookers.com, nationwide.co.uk, nbk.com.kw, paypal.com, regions.com, stgeorge.com.au, wachovia.com and westernunion.com - and in some cases, they have more than one for particular organisations.
Cool. Now who has a spare botnet, is willing to wade through this arsehole's source, and is willing to send garbage values to al-brain@hotmail.fr and albrain08@yahoo.fr?
Don't you ever wonder why there have been so few significant arrests of spammers/phishers/etc?
Isn't it trivial for a government agency like the FBI or Treasury to track payments charged to any kind of electronic banking back to the recipient? Wouldn't an investigation "following the money" ultimately lead you to either the thief or at least greatly disrupt his activities? At a minimum it would expose the people that made their transactions work (banks, hosting companies, other otherwise "normal" business people).
A couple of decent RICO prosecutions and you would drive this stuff out of the United States and greatly reduce the scale of it.
But it never happens, and I can only think that somehow the government has turned these people into some espionage rabbit hole and high level prosecutions would disrupt intelligence gathering. Because there is little reason the government couldn't do something about it if they wanted to.
Personally, I still want to see financial institutions implement a system where you can get trojan account numbers to give to the phishers that appear just like real numbers. If the phisher uses them, immediately the institution knows to look for fraudulent activity from that source. Then everyone receiving this spam can provide so many bad account numbers that phishing is very difficult to do without drawing attention to yourself.
It's amazing how many large websites are so vulnerable to even basic attacks. SQL Injection is still rampant (a simple well devised Google search can show you that) and many corporations leave credit card numbers unencrypted. Somebody with basic knowledge of SQL could attack a large amount of organizations without any trouble. I've seen this happen to too many people for me to ever trust important information on smaller sites.
In the old days, if thieves stole from thieves, it meant the first thief was deprived of the stolen goods. This led to conflict. However, with information like this, all it means is that *two* thieves have the same info.
This is pretty much the correct usage.
From Wikipedia:
In hacker culture, a script kiddie (occasionally script bunny, skidie, script kitty, script-running juvenile (SRJ), or similar) is a derogatory term used for an inexperienced malicious cracker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are kids who lack the ability to write sophisticated hacking programs on their own,[1] and that their objective is to try to impress their friends or gain credit in underground cracker communities.
And that's exactly what's happening.
One of my ATM cards has 2 different PIN numbers. If I use the alternative one, the transaction is completed normally (so no one on the spot gets wiser), but the institution will flag it and notify the police at once, providing my identity and location. I have to pay a little extra for it (about US$ 3/month), but it is well worth it. It is considered (and marketed as) an insurance. I have had this since 1996, and I'm happy to say I never needed it.
So yes, the banks know this kind of thing can be done. I wonder why other institutions don't do it or even why this is not mandatory for all cards.
I really don't mind the extra US$ 3/month for this service.
morcego
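The decoy account numbers proposed earlier in the thread and the dual-PIN scheme morcego describes share one detection idea: the transaction completes normally, but the bank silently raises an alert. This is an added example of that logic, not code from the Netcraft article or any bank; the account numbers, PINs and the key=value log format are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, hypothetical data: a decoy account number deliberately typed into a
# phishing form, and one real card with its normal PIN and a separate duress PIN.
CANARY_ACCOUNTS = {"4111000011110000": "decoy submitted to phishing site"}
CARDS = {"5500000000000004": {"pin": "1234", "duress_pin": "4321"}}

@dataclass
class Alert:
    kind: str     # "canary_account" or "duress_pin"
    account: str
    source: str   # terminal id or IP the attempt came from

def authorize(account: str, pin: str, source: str) -> Tuple[bool, Optional[Alert]]:
    """Return (approved, alert). A canary account or duress PIN is *approved* so
    nobody at the terminal notices; the alert goes silently to the fraud team."""
    if account in CANARY_ACCOUNTS:
        return True, Alert("canary_account", account, source)
    card = CARDS.get(account)
    if card is None:
        return False, None
    if pin == card["duress_pin"]:
        return True, Alert("duress_pin", account, source)
    return pin == card["pin"], None

# Constructed key=value log format (assumed for this example, not a real bank format).
LOG_LINE = re.compile(r"acct=(\d+) pin=(\d+) src=(\S+)")

def scan_log(lines: List[str]) -> List[Alert]:
    """Replay logged attempts through authorize() and collect the silent alerts."""
    alerts = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            _, alert = authorize(*m.groups())
            if alert:
                alerts.append(alert)
    return alerts

SAMPLE_LOG = [  # constructed sample lines
    "2008-01-21T10:02:11 acct=5500000000000004 pin=1234 src=atm-0417",
    "2008-01-21T10:05:40 acct=4111000011110000 pin=0000 src=203.0.113.9",
    "2008-01-21T10:07:02 acct=5500000000000004 pin=4321 src=atm-0417",
]
if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT {a.kind}: {a.account} used from {a.source}")
```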
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.