Slashdot Mirror


Spies In the Phishing Underground

An anonymous reader sends us to Net-Security.org for an interview with security researchers Nitesh Dhanjani and Billy Rios, who recently managed to infiltrate the phishing underground. What started as a simple examination of phishing sites turned into an extraordinary tour through the ecosystem that supports the business of phishing. In the interview they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, and discuss how phishers communicate and how they phish each other.

87 comments

  1. Dateline:To catch a pirate. by Anonymous Coward · · Score: 0
    1. Re:Dateline:To catch a pirate. by Thyrteen · · Score: 1

      Hey, wait, I think I know you! Was your name Paul? Or was it Mark? I forget, I'm bad with names...

  2. Duh by Alexx+K · · Score: 2, Interesting

    Rios: This is one of the more surprising aspects of the research we (Nitesh and I) conducted. I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused over and over and over again.

    The situation's the same with botnets, spamming, and malware. Why should things be different? Taking a peek at some phishing sites, there are obviously a great deal of similarities between them. I don't know why this is a revelation to these guys.

    P.s.: Damn, there's a lot of advertising on that site.

    --
    Don't mind the extra X. Alex
    1. Re:Duh by Tablizer · · Score: 1

      I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, ... merely downloaded kits and tools from some place and reused over and over and over again.

      Business software engineers have been having a hard time getting reuse to work decently, but ironically maybe these underground script kiddies figured out the secret :-)

    2. Re:Duh by russ1337 · · Score: 5, Funny

      P.s.: Damn, there's a lot of advertising on that site.
      Yeah, not only that but I thought it was kinda strange that I had to enter my credit card details just to read the article.
    3. Re:Duh by Kristoph · · Score: 4, Interesting

      It is in the best interest of skilled hackers to make these things available to, essentially, anyone.

      In a sea of phishers law enforcement is likely to catch those who have the least amount of skill simply because it's easier for them. The time they spend on those cases is less time they have for people who really know what's going on.

    4. Re:Duh by JohnVanVliet · · Score: 1

      The only ad I see is the one to get the weekly newsletter. Oh!! The joys of Adblock Plus, NoScript and a hosts file with 16,875 ad servers pointed to 127.0.0.1.

      --
      "I don't pitch OpenSUSE Linux to my friends, I let Microsoft do it for me."
    5. Re:Duh by ecavalli · · Score: 1

      Isn't that generally the way it is on the 'net though?

      The underground (and often illegal) enterprises push the envelope of what the technology is capable of (both technically and in terms of what it can do for people), and then the legitimate enterprises follow suit 5 years down the line.

      For example: music distribution, film distribution, game downloads, VoIP, online porn; the list goes on and on...

    6. Re:Duh by argStyopa · · Score: 1

      "Adblock Plus, NoScript and a hosts file with 16,875 ad servers pointed to 127.0.0.1"
      Any chance you'd post that hosts file? I could use it too.

      --
      -Styopa
    7. Re:Duh by Brad+Eleven · · Score: 3, Insightful

      Excellent point.

      Too bad it's not that way in government agencies. My impression is that their dominant mindsets are:
      • No use of "not invented here" techniques or technology
      • We'll never win this "war", the best we can do is to get ourselves promoted
      • Open software and other new technologies are tools of the enemy
      • Let's use my cousin Bob's company to get this done

      I would be surprised and delighted to learn that things are any different at all. Having served in the military, I retain a smug sense of superiority, even though I know that there must be intelligent life in government. It's frustrating to keep finding that we're being taxed and led by selfish, incompetent people.

      It's like growing up in a home infested with vermin, where the parents just shrug and say that they can't do anything about it, when it's obvious that they're just spending their money and attention on something else. Their willful ignorance might allow me to get away with whatever I want. The trade-off is finding that my possessions have been gnawed by mice or encountering cockroaches that look at me defiantly when I turn on the light.

      As long as they let me alone, I'm OK with it. When they step in and try to suddenly impose discipline, I want to say, "Where were you when I needed you?"

      No, the government isn't my parents, but it's been getting closer to the asymptote. Public school has been mandatory since before I was born. Income tax is beyond mandatory. Laws have become more and more restrictive, and we are now being monitored without warrants. That's pretty close to what I remember of my own parents, except that in this case, I own all of the responsibility.

      On a national level, it's not as simple as moving out. The analog to running away from home is participation in some underground economy.
      --
      "Press to test."
      (click)
      "Release to detonate."
    8. Re:Duh by Anonymous Coward · · Score: 0

      On a national level, it's not as simple as moving out. The analog to running away from home is participation in some underground economy.
      Erm...
      IMHO, the analog of running away from home would rather be... move out of the country... (emigrate).
      There are still some countries out there where taxes are (mostly) used for important things like schools and the well-being of the people.
      OTOH, governments being what they are, you won't find a perfect (working) system.
    9. Re:Duh by billcopc · · Score: 1

      It's a "revelation" to these guys because they're selling it to mass media. Joe Smith, who falls for phishing sites, doesn't understand what's really going on under the hood. He can barely spell his own friggin' name on a form. Joe Smith watches TV and reads the daily paper, along with a handful of "topical magazines" that are all-too happy to publish this sort of tripe.

      It's the journalistic equivalent of "Lost", a whole pile of bullshit spread out so very thinly even the retards can enjoy it.

      --
      -Billco, Fnarg.com
  3. Weak article by plover · · Score: 5, Informative

    Not a lot of new information there.

    To summarize:

    • Phishers have forums where they trade with other phishers.
    • Most phishers are script kiddies. Phishing is usually done with pre-made phishing kits. The phisher plugs in their email address and uploads it to a compromised server.
    • The phishing kits are riddled with backdoors, where the original kit author does stuff like send copies of the victims' data to their own email address.
    • Anti-phishing browser plugins lead to a ready-made list of compromised servers. Hackers know that any server on the list is hackable.

    Six pages? I was hoping for at least the transcript of a chat with a phisher.

    --
    John
    1. Re:Weak article by Frosty+Piss · · Score: 1

      Anti-phishing browser plugins lead to a ready-made list of compromised servers. Hackers know that any server on the list is hackable.
      But presumably since these servers find themselves on a well circulated "blacklist", they get closed pretty soon? No?
      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Weak article by Idiot+with+a+gun · · Score: 2, Interesting

      I doubt a chat with a phisher would be helpful. It'd probably be incredibly dull, and filled with brackets due to typos on their part. Besides, as in most shadow communities, phishers tend to assume you either know everything, or you're a complete idiot to be ignored. I'm willing to bet that you couldn't get a (current) phisher to tell all.

    3. Re:Weak article by Windcatcher · · Score: 4, Insightful

      I doubt a chat with a phisher would be helpful. It'd probably be incredibly dull, and filled with brackets due to typos on their part. Besides, as in most shadow communities, phishers tend to assume you either know everything, or you're a complete idiot to be ignored. I'm willing to bet that you couldn't get a (current) phisher to tell all.

      It begs the question, in dealing with the phishing community, who are we dealing with -- the uneducated, the merely poor, the greedy, the antisocial, or worse? Is the phishing community an outlet for the antisocial/maladjusted/borderline mentally ill? I'd like to pose the following question: assuming that such people always have and always will exist in the world, is the tech community remiss in taking this into account? When we create a piece of hardware or software, do we need to ask the question, "what if someone with an 'LSD in the reservoir' mentality gets his hands on this?" In connecting the world via the Internet, we've also connected ourselves to every flavor of person we would rather avoid in real life. Does there need to be a shift in the way we view our responsibilities as tech authors/creators?

    4. Re:Weak article by plover · · Score: 4, Insightful

      Does there need to be a shift in the way we view our responsibilities as tech authors/creators?

      This is very much like the "security through obscurity" argument. In security it's always assumed that the bad guys know or can learn the algorithms, weaknesses, etc., everything but the key. In the case of technology such as phishing kits, there may be no reason for a legitimate developer to write such a thing, but there's nothing stopping an unethical person from writing one.

      Don't get me wrong: training software engineers in ethics is a good thing. Professionals need to understand their responsibilities. But bad people can't be stopped from writing malicious software. The bar for writing software is already too low, and is getting lower by the day.

      --
      John
    5. Re:Weak article by Opportunist · · Score: 5, Insightful

      Who you're dealing with is quite simple. A mix of people, as usual. You have the crowd that knows nothing, but wants a piece of the cake. They're mostly harmless. They buy some phishing kit and try to get a few bucks. Usually they're caught. They're much like the average bank robber that goes into a bank with a gun but without a plan.

      Then you have the ones that want to try it just to see if they can. They're just as harmless. They just get your ID and then don't do anything about it. Except maybe bragging to their friends, which usually turns into them getting caught when one of their friends decides they don't want to be friends anymore.

      And finally you have some well organized groups that actually cause the problem. And there you usually get to see the type of people that you expect from such groups. You have the ones that write the code, usually quite smart people who know their shit and who also get quite a bit of money for their work (I was honestly tempted to switch sides...). Imagine an unemployed top notch programmer in an Eastern European country and the chance to see 4-5 digits per month, and you know what I mean. Then you have the people who can provide the necessary "hardware", i.e. acquire servers and the necessary connections to keep them running for a few weeks. In smaller groups, this is often the same person who does the coding, but even in this shadow business you notice tendencies to 'outsource' work, i.e. buy kits or hire people to do the server shifting. These are usually not the people you will talk to, unless they have reason to contact you (i.e. when they consider you someone who can get them servers or provide code).

      Then you have the people who hire the goons to grab the money and run, and fools with bank accounts. These are usually the ones you will talk to when they try to find someone gullible enough to provide their bank account for transfers. And finally you have the goons that go to Western Union to collect the loot. These are the ones you usually catch when you do a sting. They're much like the average street drug dealer, the lowest on the chain and the ones that are easy to replace. Usually some poor guy, homeless or asylum seeker, is hired for a few pennies to risk it.

      So, in general, unless they have good reason to talk to you, you won't get to hear from anyone who is up far enough on the ladder to be interesting.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Weak article by mrterrysilver · · Score: 2, Insightful

      You missed what I thought was the most interesting point... phishers exploit blacklisted phishing lists because usually all the servers listed are unpatched and still vulnerable. Sometimes there are multiple phishers using a box at once.

      --
      -mr silver
    7. Re:Weak article by BosstonesOwn · · Score: 1

      Ever work in a Fortune 500? It takes an act of Congress to be able to bring a server down and reimage it to a known good state if it's been compromised. And they are usually the places with enough bandwidth that they may never find the compromised boxen, until someone important's kid installs the plugin and he can't view his web mail.

      Besides, I don't know any security or even system admins here at a Fortune 100 that even bother looking at blacklists. Well, maybe the email guys do, but no one else I talked with yet.

      --
      This package Does Not Contain a Winner
    8. Re:Weak article by Antique+Geekmeister · · Score: 3, Insightful

      I'd like to disagree with you on this. There is a threshold involved, that of actually getting someone's fiscal data rather than their home address or telephone number or computer password, that automatically means they are beyond the normal "hacker" exploits. If all you want to do is look around, you can do it with a sense of self restraint that gets you people's personal email or passwords, not their money information.

      I'm also afraid that bragging to their friends does not, in fact, usually get them caught. The number of hackers, crackers, phishers, and other people who poke around others' computers seems to consistently be much larger than the number arrested or even caught. Most companies don't bother to pursue such frauds: they just say "is it worth our time and money to track them down? will we get our money back, or will it stop the next round from trying the same stunt", decide it won't, and ignore it as a part of doing business.

      Even getting the police involved against the worst crackers and phishers is difficult. Getting police to act across state lines, or worse international borders, is a nightmare of arcane turf wars among governmental security groups who frankly will not bother with small thefts. They can only be convinced to pursue it when the amount exceeds some threshold, which varies from agency to agency and from month to month, but a few thousand stolen from any individual is like losing your wallet on a bus. They just won't bother doing anything about it besides sending you a form letter to fill out, which is promptly ignored.

    9. Re:Weak article by v1 · · Score: 1

      Six pages has become the norm for a "spam the crap out of a popular interview" hasn't it? Even if the interview is only 20 sentences, we can squeeze at least six sets of banner hits out of it, can't we?

      This one did better than most, I think we got at least ten sentences per page. The entire interview would probably have fit on one printable page. They make the column width for the actual text take up not even 1/2 the width of the page and start you out with a 1/2 page of banner to make you have to scroll by sentence 6, to try to distract your attention from the silliness.

      Idiots. And then they whine when we start blocking the crap.

      --
      I work for the Department of Redundancy Department.
    10. Re:Weak article by easyTree · · Score: 2, Insightful

      In connecting the world via the Internet, we've also connected ourselves to every flavor of person we would rather avoid in real life.

      In a sense though, this is a good thing. I'm arguing that complete worldwide social cohesion is required before the world's problems may be solved. If we have isolated (economically, socially) pockets of people who live outside the main body of society (whose members enjoy all the luxuries that the modern world has to offer), they are always going to send raiding parties of one form or another.

      Note that in today's world 'exclusive' is seen to be synonymous with 'desirable'. Until the mindset of those in power changes from exclusion-based to inclusion-based, this is going to keep happening. Stop stealing from the poor and forcing them to live in first-world shanty-towns and they will stop stealing your credit card details on the internet, handbags, phones and cars in the street.
    11. Re:Weak article by JCSoRocks · · Score: 1

      Dude, security through obscurity totally works. Have you ever talked to a woman? Best security EVER. No man has ANY idea what they're thinking. *amazing*.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    12. Re:Weak article by jollyreaper · · Score: 1

      It begs the question, in dealing with the phishing community, who are we dealing with -- the uneducated, the merely poor, the greedy, the antisocial, or worse? Is the phishing community an outlet for the antisocial/maladjusted/borderline mentally ill?
      Wow, doesn't sound that much different from the fishing community!

      Back when Jeff Foxworthy came out, my cousins were listening to one of his routines. One of them goes "Holy shit, I have been too drunk to fish!"

      To my cousins' credit, none of their cars are on blocks in the front yard, they have them in sheds in the back of the property and they did a really good job of kitting them out, late 70's muscle cars.
      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne
    13. Re:Weak article by The+One+and+Only · · Score: 1

      You just have to find her private key...

      --
      In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
    14. Re:Weak article by umghhh · · Score: 2, Insightful

      I disagree with the low bar (to enter software developer heaven/hell). It is like with anything else: some can do it, some dare do it, some dare not do it and there are some that actually can do it well. All these groups may overlap somewhat in different areas of expertise. One can argue that to do phishing etc. the bar is low - I can agree with that. Low standards, lack of understanding of basic principles by users and organisations one trusts or has to trust (banks or gov. agencies come to mind) and availability of tools that do the job maybe not well but well enough make it all possible for anybody to enter the 'hacker' arena. This has nothing to do with actual engineering. One still can do things well if one wants and finds interested organisations. Of course it is not easy in times in which the basic understanding of economics is: if it is difficult and expensive, then outsource it to hell and hope for the best. Still, the fact that producing software is somehow exempt from any sort of responsibility for the results is a bit awkward and I think may add to lowering barriers to entry.
      Methinks.

    15. Re:Weak article by bughunter · · Score: 1

      While the signal-to-noise ratio may not be as useful, I find that a man-in-the-middle approach has the potential to be far more rewarding.

      --
      I can see the fnords!
    16. Re:Weak article by Opportunist · · Score: 1

      The people that get caught are usually "dumb" enough to do it in their own country, and transfer the money directly to their own account. They are basically your average scriptkid with not enough brains to think past the tip of their nose, and those are also the cases you get to hear about as the "big breakthrough" in the fight against this kind of crime.

      For the better organized people, you're right. A server in Manila, phishing for banks in Denmark, with money withdrawn in London, all organized by some group in Uzbekistan. No chance in hell to catch any of those guys except the hired bum used to get the money out.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    17. Re:Weak article by Antique+Geekmeister · · Score: 1

      Oh, even for the worst offenders and most idiotic script kiddies, the conviction rate and discovery rate is pitiful. How many of us actually pursue all the IP addresses of script kiddies trying to log in as root remotely to our servers? How many of us succeed in actually prosecuting such an abuse, especially when the law enforcement agencies kick it to the FBI and the FBI can't be bothered?

    18. Re:Weak article by Opportunist · · Score: 1

      That's because sending a SYN to every port available is not a crime per se in most countries. Even a login as root isn't a criminal action by default (because, well, you could still claim you just mistyped the IP address, or there was a DNS problem and so on; most legal agencies know that defense well, and due to in dubio pro reo there's little chance to get it past any judge).

      So, what it comes down to, unless you can claim without a shade of doubt that someone was doing something illegal, no agency is going to invest a minute of manpower into the case. It simply isn't worth the hassle. The chance to ever see a conviction is near zero.

      Then again, I don't know if I'd want it any other way. Imagine mistyping the IP address of your server actually resulting in a trial and a conviction for "illegal virtual trespassing" (or whatever it should be called). Can you see some sue-happy lawyers and companies popping the champagne bottles should this become reality?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. You know what's next, don't you? by AltGrendel · · Score: 2, Funny
    Nitesh Dhanjani and Billy Rios can expect any site they are associated with to be DDOSed in....

    3..

    2..

    1.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:You know what's next, don't you? by somersault · · Score: 2, Funny

      Profit!!??!

      --
      which is totally what she said
  5. And the news is...? by Opportunist · · Score: 2, Insightful

    So they skimmed botnet servers, scammed scammers, talked with phishers and "infiltrated" their network and got a hand onto phishing kits. Ok. Various AV researchers have done so for at the very least a year now, many for over two years, full time, with a hand deeply in the whole process.

    Should I write a book now or something?

    Gaining such information is actually not that hard. Many have done that, but the majority so far had the brains to keep their mouth shut about it. First of all, nobody in that scene likes a loudmouth, it makes your work incredibly hard if you talk too much. And second, the last thing we need is more people trying to get into the "market".

    But then, as we've read last week, you probably get a trojaned kit anyway. :)

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:And the news is...? by Aardpig · · Score: 2, Funny

      So who shat on your cornflakes this morning, sunshine?

      --
      Tubal-Cain smokes the white owl.
    2. Re:And the news is...? by Opportunist · · Score: 2

      Self proclaimed experts in general.

      Maybe I should just shut my mouth and even increase the mystique and magic that surrounds the "hackers", flash around my "security expert" tag and walk around like my farts don't stink, but bluntly, I get fed up by people who broadcast news that is none.

      You know what would be news? When someone managed to hack into the P2P botnets. That would be stunning, that would be something the whole AV research community would nod their collective head and bow to. This is just a "been there, done that, got the T-Shirt" thing.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:And the news is...? by ecavalli · · Score: 1

      No, you should write a book.

      Obviously there's an audience for this kind of information, and your mom would be so proud to see your name at the top of a Slashdot article.

    4. Re:And the news is...? by Demerara · · Score: 1

      But then, as we've read last week, you probably get a trojaned kit anyway. :)

      What - Sony are selling Phishing Kits now?

      PhS3 anyone?

      --
      Backward%20compatibility%20is%20over-rated
    5. Re:And the news is...? by hesaigo999ca · · Score: 2, Insightful

      Slightly unfortunate you feel this way. The big wheel spinning is based on the sole fact that the more you perpetuate and stimulate, the more you get challenged. If we all stopped wanting to get involved and being fewer people as you say, then less and less chances for advances would be made.

      I think of Bj Franklin and Tesla, without one you wouldn't have gotten the other. Yet had Bj been the same as you, Tesla would never have had the possibility to review his work, and grow from there.

      The only thing I think you do raise a point about is that by bringing a lot of attention to your work, you bring a lot of scrutiny. As with M$ vs. Linux, the only reason Linux isn't as vulnerable is that it isn't as popular. Give it a few more commercial years in the limelight, then we would see a lot more *nix viruses.

      In ANY COUNTRY, the government controls the commerce.

    6. Re:And the news is...? by Gorshkov · · Score: 1

      As with M$ vs. Linux, the only reason Linux isn't as vulnerable, is that it isn't as popular.
      Hmmmm ..... and all this time, I thought that little, insignificant things like architecture & design might have at least *something* to do with it. Didn't realize it was nothing more complex than a popularity contest.
    7. Re:And the news is...? by Opportunist · · Score: 1

      It basically is one.

      The core problem of today's malware is that it rarely relies on system shortcomings. Most malware today uses user "stupidity" as the entry point, tricking the user into executing some sort of program which contains the trojan. It's rarely some sort of exploit anymore, first of all because they require more work but also because even Windows slowly closes all those insane security holes.

      And when it's down to the personal security consciousness and knowledge of the user, even the best system can't keep you from being infected.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:And the news is...? by Gorshkov · · Score: 1

      All I can say is .... *wow*

      The core problem of today's malware is that it does rarely rely on system shortcomings.
      You mean I've been wasting all my time patching up buffer overflows, polishing up my input parsing routines, and all this other stuff for NOTHING? If there are no system shortcomings, there's nothing to exploit.

      Most malware today uses user "stupidity" as the entry point, tricking the user into executing some sort of program which contains the trojan.
      Yes, it does ...... but if there are no (or few, or hard to exploit) system shortcomings, it really doesn't matter HOW stupid the user is, does it?

      And when it's down to the personal security consciousness and knowledge of the user, even the best system can't keep you from being infected.
      You're right, it can't. But that's no justification for making it EASY to get infected - and it sure as hell isn't justification for delivering crappy software infested with security holes, either by design OR implementation.
  6. Nothing new by allthefish · · Score: 2

    So, what TFA is saying is that the phishing community is just another community of skiddies, just like the rest of the modern "hacker underground" or whatever you want to call it. This is news how?

    Besides the obvious hacker/cracker naming issue, the fact is that today's "hacking" community bears little resemblance to the real hacker heroes of the past. The hacking/cracking issue has been hashed out enough around here, so I'll leave that issue alone.

    Of the people that call themselves hackers in the modern, media-approved sense, there are only a few out there with the intelligence to write their own stuff. The rest are script kiddies, and just mooch off of the work that has already been done.

    So now someone spends months wandering around the phishing scene, and is surprised to discover that it's not any different than the rest of the hackers of today's world. I fail to see how this is newsworthy.

    1. Re:Nothing new by Opportunist · · Score: 1

      Oh, I'm fairly sure every 15 year old wants to be a "hacker". Hey, hackers are cool. Cooler than robots, zombies, pirates and ninjas combined. And even if not, tech ain't here yet to become a robot, it's not really fancy to be a zombie, pirates are outdated 'til we finally all believe in the Spaghetti Monster and, let's face it, few if any computer nerds have the fitness to become ninjas.

      So hackers is it. Hey, sure I wanted to be one when I was 15. I just had no internet and thus no way to download some sort of tools to become so terribly cool and "hack" my friends. Mostly also because they didn't access the internet (lacking its existence for the wide population) and networking simply wasn't the big issue with C64s.

      The only difference today is that those tools are accessible, and the kids today can download them. Yes, they're scriptkiddies in the truest sense. And as usual, only a handful of them will grow out of it. It's always been that way. The difference is that in the old days of the great hackers, you only got to hear from the true hackers who took the steep road to hackerdom because there simply was no easy way for those that could not. No tools for scriptkids to download, no easy networking, no internet, you needed to know your TCP/IP and not think it's the abbreviation for the Chinese secret service to actually access anything but your own machine.

      That's the difference today. Not that there are more scriptkids. Just that they didn't get out of their own basement in the old days.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. The text (site has it spread over six damn pages) by Anonymous Coward · · Score: 4, Informative

    "Both Nitesh and Billy are well-known security researchers that have recently managed to infiltrate the phishing underground. What started as a simple examination of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers.

    They saw an extraordinary amount of sensitive customer account information, obtained the latest phishing kits, located and examined the tools used by phishers, trolled sites buying and selling identities, and even social engineered a few scammers.

    In this interview, they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, discuss how phishers communicate and even how they phish each other.


    What are phishing kits and how are they distributed?

    Dhanjani: A phishing kit is the most important tool in a phisher's arsenal. Think of a popular company that executes financial transactions on the web. All the source code and static content such as images and logos needed to set up a phishing site for the company you just thought of is most likely to be present in a phishing kit. Let us suppose you get hold of such a kit and you want to deploy a phishing site. All you would have to do is the following: 1) Unzip the kit 2) Pick the directory corresponding to the company you want to target 3) Edit a single file in the directory to input the email address you want the results emailed to 4) Deploy the directory onto a compromised host on the internet, and voila! - you have yourself a phishing site. If you take a look at the client side code (HTML and JavaScript) presented to your browser on a phishing site that targets a particular company, you will notice that other phishing sites that target the same company have similar characteristics. This is because, more often than not, the sites are deployed using popular phishing kits. The code within the kits is quite simple, mostly consisting of a web form that does the dirty work, along with image files and static content. The kits are often distributed amongst the phisher communities on message boards, and at times sold or traded for money or identities.

    Rios: Phishing kits are the tip of the iceberg; they are the piece of the phishing ecosystem that everyone sees and knows about. The typical phishing kit consists of the HTML that makes up the forged site that the user sees and the backend logic that is used to steal the victim's information. Most phishing kits are probably created by a small number of individuals and typically sold on phishing forums. Although the various kits have different front ends and HTML content, the back end logic is surprisingly similar for most of the kits we've seen. These kits are used over and over again and most of the phishing sites you've seen are probably a variant of a small set of phishing kits. Many think that phishing sites are all custom jobs that a particular phisher has developed and deployed. The reality is pre-made, ready-to-deploy, turnkey sites are already created for practically every major organization that you can think of. All a phisher has to do is purchase the latest kit and deploy it; no technical expertise or coding skills are really required. All the phisher typically has to do is place their email address into one line of code and they have a ready-to-deploy phishing site.


    Many have become victims of phishing and we see the attackers using new methods all the time. In your opinion, what is their skill level? Who are we dealing with?

    Dhanjani: This is an important question, and I'm glad you asked it. When we think of phishers, we often guess that they are a group of highly skilled ninja hackers. They have collectively caused billions of dollars in losses, and ruined the lives of many citizens whose identities they have stolen and abused. These people have got to be pretty smart, right? Wrong. Just think about what a typical phisher is really doing: installing
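Added example (not from the interview or from any commenter in this thread): the point Rios makes, that sites deployed from the same kit share client-side characteristics, is also what lets a defender recognise them. The script below derives a structural fingerprint from a page's tag sequence and form fields and compares it with fingerprints of known kits, reporting an exact structural match or a field-set similarity for a lightly modified redeployment. The HTML pages and the kit name "kit-alpha" are constructed samples.

```python
"""Structural fingerprinting of phishing pages (added example, not the
interviewees' code).  Pages built from one kit share the same tag skeleton and
the same form fields even after the deployer swaps text and logos."""
import hashlib
from html.parser import HTMLParser


class _Skeleton(HTMLParser):
    """Collects the ordered tag names and the (name, type) of every <input>."""

    def __init__(self):
        super().__init__()
        self.tags = []          # e.g. ['html', 'head', 'title', 'body', 'form', ...]
        self.form_fields = []   # (input name, input type) pairs in document order

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            a = dict(attrs)
            self.form_fields.append((a.get("name") or "", a.get("type") or "text"))


def fingerprint(html):
    """Return (structure_hash, field_set) for one page.

    The hash covers the exact tag sequence plus the input fields; the field set
    alone is used for fuzzy matching when the deployer re-arranged the markup."""
    p = _Skeleton()
    p.feed(html)
    p.close()
    skeleton = "/".join(p.tags) + "|" + ",".join(f"{n}:{t}" for n, t in p.form_fields)
    return hashlib.sha256(skeleton.encode()).hexdigest(), frozenset(p.form_fields)


def jaccard(a, b):
    """Similarity of two sets in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def match_kit(html, known_kits, threshold=0.8):
    """Compare a page against known kit fingerprints.

    Returns (kit_name, exact_structure_match, field_similarity).  An exact hash
    match wins outright; otherwise the best field-set similarity at or above
    threshold names the kit, and below threshold the name is None."""
    digest, fields = fingerprint(html)
    best_name, best_score = None, 0.0
    for name, (kit_digest, kit_fields) in known_kits.items():
        if digest == kit_digest:
            return name, True, 1.0
        score = jaccard(fields, kit_fields)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= threshold:
        return best_name, False, best_score
    return None, False, best_score


# --- constructed sample pages (not taken from any real kit) -------------------
KIT_ALPHA_PAGE = """<html><head><title>Sign in</title></head><body>
<img src="logo.gif"><form action="login.php" method="post">
<input name="userid" type="text"><input name="password" type="password">
<input name="cardnum" type="text"><input type="submit" value="Continue">
</form></body></html>"""

# Same kit redeployed: only visible text and the image file name differ.
SUSPECT_SAME_KIT = KIT_ALPHA_PAGE.replace("Sign in", "Verify your account").replace("logo.gif", "brand.png")

# Same kit with an extra wrapper <div>: structure hash differs, fields identical.
SUSPECT_VARIANT = KIT_ALPHA_PAGE.replace("<form", "<div><form").replace("</form>", "</form></div>")

# A different login form altogether: only the password and submit fields overlap.
UNRELATED_PAGE = """<html><body><form action="/session" method="post">
<input name="username" type="text"><input name="password" type="password">
<input type="submit"></form></body></html>"""

KNOWN_KITS = {"kit-alpha": fingerprint(KIT_ALPHA_PAGE)}

if __name__ == "__main__":
    for label, page in [("same kit", SUSPECT_SAME_KIT), ("variant", SUSPECT_VARIANT),
                        ("unrelated", UNRELATED_PAGE)]:
        print(label, match_kit(page, KNOWN_KITS))
```

Text nodes and attribute values such as image paths are deliberately left out of the skeleton, since those are exactly what a kit deployer changes; the form field names are what the kit's back end expects and are therefore stable across deployments.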

  8. Not Underground by mandelbr0t · · Score: 3, Insightful

    The implication in the title is that these "security experts" actually got in with one of the rings. As a matter of fact, they simply downloaded a phishing kit and signed up for a forum. They didn't talk to anyone who wrote one (not that much skill is required in that). They didn't gain access to any dark-nets. They didn't gain access to secure IRC channels. In short, they're just a couple of guys. Their agenda seems clear to me: push the IE anti-phishing UI. They make reference to it (though not by name) twice in TFA:

    ...the(sic) are abusing a few fundamental flaws such as lack of awareness, lack of standards around browser UI that clearly highlights high assurance websites...

    Instead we need to come up with browser UI standards that allow the users to clearly and easily distinguish high assurance domains and websites.

    They also talk about the need for a system that works without static identifiers like credit card and social security numbers, though they don't postulate any such system. They claim that writing secure code is secondary to this as-yet unknown system that doesn't use personally identifiable information to identify you. My thoughts: until we figure out how to identify you without using identifiers, maybe we should concentrate on the secure code angle for a while.

    --
    "Please describe the scientific nature of the 'whammy'" - Agent Scully
    1. Re:Not Underground by tdwebste · · Score: 2, Insightful


      Static security. Your PIN number, ID, password, bank bar code, address, birthday, employer, maiden name, SSN, driver's license number. Anything static does not get changed often enough, and people "courts" stupidly trust them as unique IDs. Which is why it is so hard for individuals to clean up after ID theft.

      Non static,
      - key sequence generators which use your initial pin to generate a new pin every few hours/mins/seconds
      - challenge protocols, which ask a question and require an appropriate answer
      - broadcast / multi-path counter measure against man in the middle

      The problem is that people are really horrible at doing either manual key sequence generation or challenge protocols. As a result the non-static ID is generated via some physical thing you hold, which of course can be stolen. But it does make remote theft much harder, and people are much better at handling theft of something physical. High security requires that the user authenticate themselves to the non-static ID device.

      There are many variations on the theme.

    2. Re:Not Underground by Anonymous Coward · · Score: 0

      They also talk about the need for a system that works without static identifiers like credit card and social security numbers, though they don't postulate any such system

      I personally think that we need to go from having static credit-card numbers, to a smart-card system, where the credit-card would talk directly to the server of the credit-card company, whenever payments needed to be authorized. The smart-card would contain a CPU, which would encrypt such authorizations, using an embedded key that not even the owner would know, and only the server would know how to decrypt them. At the store, you would slide such a smart credit-card into a slot, from where it would establish a secure connection to the server of the credit-card company, and authorize payment. For payment on-line, we would all need a similar card slot for our PCs, via which the card would communicate with the server, via the internet. If your credit-card got stolen, the credit-card company would simply cancel it and send you a new one, containing new encryption keys.
    3. Re:Not Underground by ultranova · · Score: 1

      key sequence generators which use your initial pin to generate a new pin every few hours/mins/seconds

      So if you learn the original PIN, you can calculate the current PIN at any later point in time. Besides, how do you actually use this to identify anyone, short of telling the other party your original PIN?

      challenge protocols, which ask an question and require an appropriate answer

      How does the other party know that the answer is correct? Or are you talking about public-key cryptographic authentication?

      broadcast / multi-path counter measure against man in the middle

      In the Internet there's no way to do this, since there's no way to enforce a given route for a packet; besides, it doesn't help any if the server or your machine is compromised.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    4. Re:Not Underground by Anonymous Coward · · Score: 0

      You wrote: "They also talk about the need for a system that works without static identifiers like credit card and social security numbers, though they don't postulate any such system."

      I don't think a system like this is possible. Even if you use public key encryption systems you still need to keep your private key private.

  9. How they communicate? by TheSpengo · · Score: 0, Flamebait

    Not that hard to infiltrate... ever been to 711chan.org? xD Also, just a pet peeve, why do they break up the article into 6 pages instead of just putting it all on one? >:P

    --
    Weaksauce as they say...
  10. All it took by esocid · · Score: 1

    Of course they infiltrated their underground. All it took was their credit card number and SS#.

    --
    Absolute power corrupts absolutely. indymedia
  11. Idea by Idiot+with+a+gun · · Score: 1

    Just to make it interesting. Go to a known phishing site, enter in a fake ID and SSN, and follow it down the pipes.

    1. Re:Idea by Technician · · Score: 1

      Some fake sites are smart enough to do a man in the middle attack. If your login to the real site fails, the error is bounced. I have seen this on several sites I have tried to poison.

      I haven't tried entering real info, so I don't know if the site simply bounces everything, or if it really logs into the real site to verify username/password.

      --
      The truth shall set you free!
  12. This is asinine by JRHelgeson · · Score: 1

    These idiots just set up a site and wrote a story about it. I've done more than this on a single weekend collecting data for LE Agencies or trainings I provide to Judges/Lawyers and Gov't IT Workers. Hell, I've set up a Linux VMware server that hosts all the current phishing sites on a single instance.

    The genius here, going by the name "Brain", provides first class phishing sites with a catch - he has encrypted his email address and integrated it into the pages he's written. When Script Kiddies like the ones in this article set up the "Brain" sites, a copy of the stolen credentials gets secretly sent to Brain as well as the Phisherman... making Brain the first Commercial Phisherman I have encountered.

    Give a man fire, you keep him warm for a day. Set a man on fire and you'll keep him warm for the rest of his life.

    Joel Helgeson

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
    1. Re:This is asinine by JRHelgeson · · Score: 1

      And then the use of the phrase "the Underground" is itself a joke. This implies that they try to hide their activities. What a joke! They operate out in the open, swapping and sharing information, harvesting data. The use of that term "The Underground" is like calling the Open Source Software movement a "covert operation". This is the open source software of the criminal underworld - with a twist... everyone steals the other guy's code and takes full credit for writing all of it. Incremental improvements.

      You wanna bitch and whine about me sharing the information? Hell, the site is going to be gone in a few days, only to resurface somewhere else. Google the name, you'll find it again. Hell, you can subscribe to his RSS feed to keep you updated on the latest phishing techniques.

      You see, trying to hunt down one of these criminals is like trying to find a needle in a stack of needles, combined with international borders and different jurisdictions, etc. etc. These people have nothing to fear, nothing to lose, and everything to gain...

      --Joel Helgeson

      --
      Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  13. Real Security Threat: You by webword · · Score: 1

    I was just reading an interview in either Inc. or Fast Company with the head of the research division inside one of the big anti-virus vendors. He said that most encryption and security issues have been solved. The real threat now is humans, meaning weaknesses in how we interact with others, i.e., trust, building a rapport, lies, etc. Humans are the weakest link and no amount of technology will help. It'll always be possible to hack a system if you think your little old Grandma on the other end is asking for your help.

    1. Re:Real Security Threat: You by Opportunist · · Score: 2, Interesting

      Yup. The weakest link in computer security is the user. Now, while in companies you might have some administrator who might or might not be actually security conscious and lock down user PCs (as far as he can, due to company policy and program requirements), the average machine in a user's home is horribly insecure. Not because of remote exploits or inherently bad security, but because users are gullible and can easily be tricked into clicking pretty much everything.

      Now, I know a lot of people will claim that you can lock down a system sensibly. No, you cannot. Unless you forbid the user to run whatever code he wants (i.e. let him only run 'signed' code that some signing authority deemed ok), you cannot. The key problem is that you, the maker of the system, cannot decide whether the actions caused by the program are wanted by the user or not. Yes, you can ask the user about every even so trivial thing, but then you're where Vista is: You ask him questions he cannot answer, failing to understand just what you are asking there. Access the registry? Access the internet? I ... dunno?

      Locking away the system and allowing only "user space" programs to run doesn't cut it either. Because most home computers are only used by one person, it does not matter whether you run only for this one person or for the whole system, they're the same.

      So, basically, what security comes down to is user knowledge. Most trojans today use social engineering to get onto a user's PC. They don't use backdoors or exploits, they simply use tricks to have the user open and run them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Real Security Threat: You by Anonymous Coward · · Score: 0

      This is the problem that smart cards were supposed to solve. All the encryption would be end-to-end to a device which can't run other software.

  14. Where's the FBI? by Doc+Ruby · · Score: 1

    We pay the FBI a lot of money to infiltrate and bring to justice these organized criminal networks. But the FBI isn't bothering.

    Of course, the banks are supposed to defend their trademarks from anyone, including phishers, who uses them to pretend to be the bank. But they're not bothering.

    --
    make install -not war

    1. Re:Where's the FBI? by berzerke · · Score: 1

      The FBI is more interested in tracking down terrorists nowadays. Running down all those false leads from the illegal wiretaps really eats up man power. Aside from that, phishing often crosses national boundaries. Now you have to get cooperation from other governments. Then you have to find, arrest, most likely extradite, then convict them. Not an easy task. The FBI's resources, though vast, are still finite. Phishing doesn't rank very high.

      As for banks, they are interested in money only. If it costs more to fight the phishers than to just let them go, the banks will let them go. This, of course, neglects the long term cost of encouraging this behavior. Besides that, the phishers who misuse trademarks aren't the easiest to find and sue. Here for a few days (at most) then gone. It's not like they post addresses for the bank's lawyers to send nasty letters to.

  15. What? by NeoHunyadi · · Score: 2, Funny

    So the phishers are trying to phish the phishers who are phishing for... what? (That's some quality writing, right there.)

    Seriously, the article seems like something you'd see featured on the evening news as a scare tactic.

    Reporter: Is your identity safe? It could be at risk and you don't even know it. Top researchers say there are hacker communities out there that will likely only continue to grow! Are you stupid enough to stay tuned until the end of our worthless program and find out?

    Wait... Is this really even Slashdot? Why does my browser say http://it.slashd0t.org/? Son of a...

  16. Simple partial solution: by bbyakk · · Score: 3, Interesting

    Make the browser highlight the domain part of the url in bold. Even if this helps just a few users recognize the scam easier it's worth it. Besides, it will somewhat improve usability for regular use as well. I often scan the URL line to get an idea of what a tab displays, and this will save a few milliseconds of my brain time each time I do it.

    1. Re:Simple partial solution: by rs232 · · Score: 1

      "Make the browser highlight the domain part of the url in bold"

      Anything that relies on the end user doing or not doing something is bound to fail. You're dealing with idiots that can't prevent themselves from clicking on anything. For instance click here to see Britney Spears nude.

      As a test send an email with the subject: clicking on this attachment will steal your bank details and render your computer unusable :- guess how many of the idiots will still open it.

      --
      davecb5620@gmail.com
    2. Re:Simple partial solution: by Anonymous Coward · · Score: 1, Funny

      For instance click here to see Britney Spears nude.

      Can you repost that? Your link didn't work.

    3. Re:Simple partial solution: by dotancohen · · Score: 1

      Make the browser highlight the domain part of the url in bold. That's what LocationBar2 does. For Firefox.

      --
      It is dangerous to be right when the government is wrong.
    4. Re:Simple partial solution: by bbyakk · · Score: 1

      This kind of arrogant attitude is not a solution. It's the easiest thing in the world to blame everything on stupid users who just won't learn. My experience tells me that when you really make an effort to explain something to people, they do listen and do understand. You just need to think out of your box. The URL line is a perfect example. We techies have many years of parsing URLs and take it for granted that it should be obvious to everyone where the domain name is. But it is not. We have to realize that it's not because of laziness or stupidity - people see a long string of meaningless characters and assume it's just NOT WORTH making any sense of. "Something technical, not for me." If we make one little step and add the bold domain, we will signal them that it's actually not entirely meaningless, that some part of it is important even for them. I'm sure this will prompt many non-technical users to pay more attention to the URL line and understand URLs better.
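Added example (not code from any commenter, LocationBar2, or a browser): the suggestion in this subthread, highlighting the registrable domain so that brand names in the path, a subdomain or the userinfo part stand out as decoration. The URLs below are the ones quoted in this thread plus constructed ones; the multi-label suffix set is a tiny constructed stand-in for the Public Suffix List a real browser would consult.

```python
"""Highlight the registrable domain of a URL (added example, not from the
thread).  The part a user should look at is the registrable domain of the host;
everything else in the address is left untouched so the reader sees how much
of a phishing URL is filler."""
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; a real implementation
# would load the full Public Suffix List (publicsuffix.org).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the registrable domain of host, or None for IP literals and bare names."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None                      # an IP literal has no registrable domain
    except ValueError:
        pass
    labels = host.split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])     # e.g. bank.co.uk
    return ".".join(labels[-2:])


def highlight_domain(url, marker="**"):
    """Return (registrable_domain, rendered_url) with the domain wrapped in marker.

    Scheme, userinfo, subdomains, port, path and query are reproduced exactly as
    written; only the registrable domain is marked.  (None, url) for IP hosts."""
    parts = urlsplit(url)
    netloc = parts.netloc                      # keeps the author's original case
    after_user = netloc.rsplit("@", 1)[-1]     # drop "user:pass@" decoys
    host_text = after_user if after_user.startswith("[") else after_user.split(":")[0]
    domain = registrable_domain(host_text)
    if domain is None:
        return None, url
    host_start = url.find(netloc) + len(netloc) - len(after_user)
    dom_start = host_start + len(host_text.rstrip(".")) - len(domain)
    dom_end = dom_start + len(domain)
    rendered = url[:dom_start] + marker + url[dom_start:dom_end] + marker + url[dom_end:]
    return domain, rendered


if __name__ == "__main__":
    for u in ["http://it.slashd0t.org/",
              "http://compromisedneighborhoodschoolserver.org/somefolder/someother/myebaykit/",
              "https://www.mybank.com.example.net/login",      # constructed: brand as subdomain
              "http://mybank.com@evil.example/",               # constructed: brand in userinfo
              "https://login.bank.co.uk:8443/",                # constructed: multi-label suffix
              "http://192.0.2.10/login"]:                      # constructed: IP literal
        print(highlight_domain(u))
```

The `**` marker stands in for the bold rendering; the same positions would drive the styling in an address bar. Note that the hostname is located by way of the netloc rather than by searching the whole string, so a decoy copy of the real domain placed in the userinfo or path is never the part that gets highlighted.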

  17. I have the solution to phishing by timmarhy · · Score: 2

    One time credit card numbers.

    net banking that requires sms verification of transfers.

    public, televised floggings for anyone convicted of fraud or petty theft.

    only the banks can make these happen (including option 3 as well i might add, political lobbying ftw). hell i know i'd tune in to watch some scammers take a beating.

    --
    If you mod me down, I will become more powerful than you can imagine....
    1. Re:I have the solution to phishing by Yetihehe · · Score: 1

      My bank already does this. Except instead of one time numbers I have a credit card number which I can load with enough money to just buy something and then unload it so no one can take money from it without my consent. SMS verification is very convenient, it's like tokens, but you don't have to remember where you have put your token keyring last time.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    2. Re:I have the solution to phishing by apathy+maybe · · Score: 2, Insightful

      "public, televised floggings for anyone convicted of fraud or petty theft."

      Sure, allow the rich fuckers to get away with it, white collar criminals, corporate executives etc.

      But as soon as a poor kid steals a chocolate bar, public floggings!

      Because, remember, we live in a society where there is only one law, but it is written to punish, not the rich, but only the poor. Any law isn't going to punish anyone who steals millions of dollars, only those who steal hundreds or less.

      --
      I wank in the shower.
    3. Re:I have the solution to phishing by Obsi · · Score: 1

      Problem with SMS verification:
      Not everyone has cellphones.

    4. Re:I have the solution to phishing by Anonymous Coward · · Score: 0

      SMS verification is very convenient, it's like tokens, but you don't have to remember where you have put your token keyring last time.

      Actually, SMS verification is much better than the common tokens, because you will see exactly what transaction you permit. With the token, a Man-in-the-middle attack (like some of the more advanced phishing sites) could just turn your transfer of US$23 to pay for your electricity into a transfer of $2000 to Nigeria, without you having even a chance to notice the difference (except probably the site's URL).
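Added example (not code from any commenter or bank): it illustrates the point just made about SMS verification versus plain tokens, and also answers the earlier questions in the "Not Underground" subthread about how a counter-based PIN generator works and how "the other party knows the answer is correct". Both sides hold a shared secret and the bank recomputes the code; a plain counter-based code is valid for any transaction, so a man in the middle can swap the amount and payee, whereas a code bound to the transaction details only verifies for the transaction the user actually saw. The secret, amounts and payee names are constructed sample values, and the `Bank` class is a stand-in for the server side.

```python
"""Transaction-bound verification codes (added example, not from the thread).
token_code() is a plain counter-based one-time code; transaction_code() mixes
the amount and payee into the MAC so a tampered transfer no longer verifies."""
import hashlib
import hmac
import struct

DIGITS = 6


def _truncate(mac, digits=DIGITS):
    """Dynamic truncation as in HOTP (RFC 4226, section 5.3) to a short decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def token_code(secret, counter):
    """Counter-based code: depends only on the secret and the counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def transaction_code(secret, counter, amount_cents, payee):
    """Code bound to what the user saw: amount and payee are part of the MAC input."""
    msg = struct.pack(">Q", counter) + f"{amount_cents}|{payee}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


class Bank:
    """Server side (constructed stand-in): verifies codes, advances the counter on success."""

    def __init__(self, secret):
        self.secret = secret
        self.counter = 0
        self.window = 3          # tolerate a few skipped counters (lost SMS, etc.)

    def _check(self, expected_fn, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(expected_fn(c), code):
                self.counter = c + 1     # consumed: the same code cannot be replayed
                return True
        return False

    def transfer_with_token(self, amount_cents, payee, code):
        ok = self._check(lambda c: token_code(self.secret, c), code)
        return (amount_cents, payee) if ok else None

    def transfer_with_txcode(self, amount_cents, payee, code):
        ok = self._check(lambda c: transaction_code(self.secret, c, amount_cents, payee), code)
        return (amount_cents, payee) if ok else None


def mitm_demo():
    """User approves $23.00 to 'power-co'; a man in the middle rewrites it to $2000.00 to 'mule'."""
    secret = b"constructed-shared-secret"        # provisioned to both the device and the bank
    bank_tok, bank_tx = Bank(secret), Bank(secret)
    seen = (2300, "power-co")                    # what the user's screen / SMS showed
    tampered = (200000, "mule")                  # what the attacker forwards to the bank
    # Plain token: the code says nothing about the transaction, so the tampered one verifies.
    with_token = bank_tok.transfer_with_token(*tampered, token_code(secret, 0))
    # Transaction-bound: the bank recomputes over the tampered details and rejects.
    tx = transaction_code(secret, 0, *seen)
    with_tx = bank_tx.transfer_with_txcode(*tampered, tx)
    # The untampered transfer with the same code still goes through.
    honest = bank_tx.transfer_with_txcode(*seen, tx)
    return with_token, with_tx, honest


if __name__ == "__main__":
    print(mitm_demo())
```

The counter window and the counter advance on success are what keep a captured code from being replayed; the SMS channel in the comment above is simply one way of delivering the transaction details to the user so that the code they approve is computed over those details.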
  18. Phishers infiltrated? by eternalDRIVEL · · Score: 1

    Spies sappin' mah underground!

    1. Re:Phishers infiltrated? by sir_montag · · Score: 1

      Damn spies, you can never get rid of them! Such backstabbers!

  19. Big deal, I did this too by commodoresloat · · Score: 2, Funny

    I infiltrated a phish show once; other than a lot of hippies smoking dope and some weird meandering drone-rock, I'm not sure what the big deal was.

  20. Fill their inbox with crap by Dwedit · · Score: 1

    So if these phishers are using low-tech stuff like Formmail, then you should just autofill their forms with randomly generated bogus personal information for hours on end. It would make it very hard to sort the legitimate data from the trash. Assuming of course that their sites don't store IP information in the email messages.

    Only thing to worry about would be getting DDOS'ed by a less clueless phisher.

  21. I am _not_ reading that article... by dotancohen · · Score: 1

    ...even though I want to. I read the first page, then saw that it is six full pages, with no Print function. Six pages with about 1:4 content:advertising space. No thanks. I hate C|Net for pioneering the ideas of a paragraph a page, and I won't read Phoronix for the same reason. They will get my ad impressions (and I always click interesting ads on interesting content, to help the webmasters who write the content) when they stop forcing it upon me. It's crap like this that leads to Adblock.

    --
    It is dangerous to be right when the government is wrong.
  22. HOSTS file, and plenty more, for securing a PC by Anonymous Coward · · Score: 0

    "Any chance you'd post that hosts file? I could use it too." - by Anonymous Coward on Monday January 28, @07:44AM

    You can get one here that has over 28,000 adbanner servers blocked that might house malicious script, and a WHOLE lot more to secure yourself:

    HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA:

    http://forums.pcpitstop.com/index.php?s=adfdf51b0561d4af950c266aa4e313e8&showtopic=150310

    Enjoy the tips/tricks/techniques for securing yourself vs. today's myriad online threats present on the public internet... it all just works!

    (... and, it is made far easier + more fun to do, with the CIS Tool (noted in COMPUTERWORLD & other sites online that are reputable, as a GOOD tool for security) acting as your guide, & even making it FUN to do!)

    APK

  23. Why not flood the phishing sites with bogus data by jonwil · · Score: 1

    If you feed in enough bogus usernames and passwords, it becomes much harder for the phishers to tell the real ones from the fakes. If the phishers check by IP to prevent this, do it from many different machines with many different IP addresses.

  24. the real story .. by rs232 · · Score: 1

    "What started as a simple examination of phishing sites, turned into an extraordinary view of the ecosystem that supports the phishing effort that plagues modern day financial institutions and their customers"

    The real story is who built such an 'ecosystem' that makes phishing such a successful enterprise and what indemnification does the maker of such systems offer the end user.

    "They have collectively caused billions of dollars in losses, and ruined the lives of many citizens whose identities they have stolen and abused"

    What end user Operating System do these phishing efforts require in order to be successful? For instance how many phishing efforts have been successful on the current Apple Mac OS?

    --
    davecb5620@gmail.com
  25. how do they register domain names? by skinfaxi · · Score: 1

    I can see a phisher buying a kit that looks like an ebay or paypal or bank site login page. I can see them buying access to some elementary school's compromised web server and copying their stuff into a directory on it. But how do they make //compromisedneighborhoodschoolserver.org/somefolder/someother/myebaykit/ look like a plausible URL? Don't they have to register something somewhere, leaving a trail behind that could be used to find them? Or do they not bother and assume the victims won't look at the URL?

  26. Tag that mofo by easyTree · · Score: 1

    Yah, so we need a new tag, which can warn others to stay away from clicking to the article due to a blatant attempt to generate ad revenue.

    I offer 'adFarming' for starters..

  27. Report Phishing by infonote · · Score: 1

    Let us all report phishing. In Gmail you can report the phishing method. Instead of reporting as SPAM, we should mark as phishing. In this way phishing can be stopped. The tech people are the key to stopping spam (besides education).

    --
    Visit http://www.kaizenlog.com