Spies In the Phishing Underground

An anonymous reader sends us to Net-Security.org for an interview with security researchers Nitesh Dhanjani and Billy Rios, who recently managed to infiltrate the phishing underground. What started as a simple examination of phishing sites turned into an extraordinary tour through the ecosystem that supports the business of phishing. In the interview they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, and discuss how phishers communicate and how they phish each other.

And the news is...?

[Opportunist]

So they skimmed botnet servers, scammed scammers, talked with phishers and "infiltrated" their network and got a hand onto phishing kits. Ok. Various AV researchers have done so for at the very least a year now, many for over two years, full time, with a hand deeply in the whole process.

Should I write a book now or something?

Gaining such information is actually not that hard. Many have done that, but the majority so far had the brains to keep their mouth shut about it. First of all, nobody in that scene likes a loudmouth, it makes your work incredibly hard if you talk too much. And second, the last thing we need is more people trying to get into the "market".

But then, as we've read last week, you probably get a trojaned kit anyway. :)

Re:And the news is...?

[hesaigo999ca]

Slightly unfortunate you feel this way. The big wheel spinning is based on the sole fact that the more you perpetuate and stimulate, the more you get challenged. If we all stopped wanting to get involved and being fewer people as you say, then less and less chances for advances would be made.

I think of Bj Franklin and Tesla, without one you wouldn't have gotten the other. Yet had Bj been the same as you, Tesla would never have had the possibility to review his work, and grow from there.

The only thing I think you do raise a point about, is that by bringing ALOT of attention to your work, you bring ALOT of scrutiny. As with M$ vs. Linux, the only reason Linux isn't as vulnerable, is that it isn't as popular. Give it a few more commercial years in the limelight, then we would see alot more *nix viruses.

In ANY COUNTRY, the government controls the commerce.

Not Underground

[mandelbr0t]

The implication in the title is that these "security experts" actually got in with one of the rings. As a matter of fact, they simply downloaded a phishing kit and signed up for a forum. They didn't talk to anyone who wrote one (not that much skill is required in that). They didn't gain access to any dark-nets. They didn't gain access to secure IRC channels. In short, they're just a couple of guys. Their agenda seems clear to me: push the IE anti-phishing UI. They make reference to it (though not by name) twice in TFA:

...the(sic) are abusing a few fundamental flaws such as lack of awareness, lack of standards around browser UI that clearly highlights high assurance websites...

Instead we need to come up with browser UI standards that allow the users to clearly and easily distinguish high assurance domains and websites.

They also talk about the need for a system that works without static identifiers like credit card and social security numbers, though they don't postulate any such system. They claim that writing secure code is secondary to this as-yet unknown system that doesn't use personally identifiable information to identify you. My thoughts: until we figure out how to identify you without using identifiers, maybe we should concentrate on the secure code angle for a while.

Re:Not Underground

[tdwebste]

Static security. Your pin number, id, password, bank bar code, address, birthday, employer, maiden name, SSN, drivers license number. Anything static does not get changed often enough, and people "courts" stupidly trust them as unique ID's. Which is why it is so hard for individuals to clean up after id theft.

Non static,
- key sequence generators which use your initial pin to generate a new pin every few hours/mins/seconds
- challenge protocols, which ask an question and require an appropriate answer
- broadcast / multi-path counter measure against man in the middle

The problem is people are really horrible at both doing manual key sequence generation or challenge protocols. As a result the non static id is generate via some physical thing you hold, which of course can be stolen. But it does make remote theft much harder, and people are much better at handling theft of something physical. High security requires the user must authenticate themselves to the non static id device.

There are many variations on the theme.

Re:Weak article

[Windcatcher]

I doubt a chat with a phisher would be helpful. It'd probably incredibly dull, and filled with brackets due to typos on their part. Besides, as in most shadow communities, phishers tend to assume you either know everything, or you're a complete idiot to be ignored. I'm willing to bet that you couldn't get a (current) phisher to tell all."

It begs the question, in dealing with the phishing community, who are we dealing with -- the uneducated, the merely poor, the greedy, the antisocial, or worse? Is the phishing community an outlet for the antisocial/maladjusted/borderline mentally ill? I'd like to pose the following question: assuming that such people always have and always will exist in the world, is the tech community remiss in taking this into account? When we create a piece of hardware or software, do we need to ask the question, "what if someone with an 'LSD in the reservoir' mentality gets his hands on this?" In connecting the world via the Internet, we've also connected ourselves to every flavor of person we would rather avoid in real life. Does there need to be a shift in the way we view our responsibilities as tech authors/creators?

Re:Weak article

[plover]

Does there need to be a shift in the way we view our responsibilities as tech authors/creators?

This is very much like the "security through obscurity" argument. In security it's always assumed that the bad guys know or can learn the algorithms, weaknesses, etc., everything but the key. In the case of technology such as phishing kits, there may be no reason for a legitimate developer to write such a thing, but there's nothing stopping an unethical person from writing one.

Don't get me wrong: training software engineers in ethics is a good thing. Professionals need to understand their responsibilities. But bad people can't be stopped from writing malicious software. The bar for writing software is already too low, and is getting lower by the day.

Re:Weak article

[Opportunist]

Who you're dealing with is quite simple. A mix of people, as usual. You have the crowd that knows nothing, but wants a piece of the cake. They're mostly harmless. They buy some phishing kit and try to get a few bucks. Usually they're caught. They're much like the average bank robber that goes into a bank with a gun but without a plan.

Then you have the ones that want to try it just to see if they can. They're just as harmless. They just get your ID and then don't do anything about it. Except maybe bragging to their friends, which usually turns into them getting caught when one of their friends decides they don't want to be friends anymore.

And finally you have some well organized groups that actually cause the problem. And there you usually get to see the type of people that you expect from such groups. You have the ones that write the code, usually quite smart people who know their shit and who also get quite a bit of money for their work (I was honestly tempted to switch sides...). Imagine an unemployed top notch programmer in an east europe country and the chance to see 4-5 digits per month, and you know what I mean. Then you have the people who can provide the necessary "hardware", i.e. acquire servers and the necessary connections to keep them running for a few weeks. In smaller groups, this is often the same person who does the coding, but even in this shadow business you notice tendencies to 'outsource' work, i.e. buy kits or hire people to do the server shifting. These are usually not the people you will talk to, unless they have reason to contact you (i.e. when they consider you someone who can get them servers or provide code).

Then you have the people who hire the goons to grab the money and run, and fools with bank accounts. These are usually the ones you will talk to when they try to find someone gullible enough to provide their bank account for transfers. And finally you have the goons that go to Western Union to collect the loot. These are the ones you usually catch when you do a sting. They're much like the average street drug dealer, the lowest on the chain and the ones that are easy to replace. Usually some poor guy, homeless or asylum seeker, is hired for a few pennies to risk it.

So, in general, unless they have good reason to talk to you, you won't get to hear from anyone who is up far enough on the ladder to be interesting.

Re:Weak article

[mrterrysilver]

you missed what i thought was the most interesting point... phishers exploit blacklisted phishing lists because usually all the servers listed are unpatched and still vulnerable. sometimes there's multiple phishers using a box at once.

Re:Weak article

[Antique+Geekmeister]

I'd like to disagree with you on this. There is a threshold involved, that of actually getting someone's fiscal data rather than their home address or telephone number or computer password, that automatically means they are beyond the normal "hacker" exploits. If all you want to do is look around, you can do it with a sense of self restraint that gets you people's personal email or passwords, not their money information.

I'm also afraid that bragging to their friends does not, in fact, usually get them caught. The number of hackers, crackers, phishers, and other people who poke around other's computers seems to consistently be much larger than the number arrested or even caught. Most companies don't bother to pursue such frauds: they just say "is it worth our time and money to track them down? will we get our money back, or will it stop the next round from trying the same stunt", decide it won't, and ignore it as a part of doing business.

Even getting the police involved against the worst crackers and phishers is difficult. Getting police to act across state lines, or worse international borders, is a nightmare of arcane turf wars among governmental security groups who frankly will not bother with small thefts. They can only be convinced to pursue it when the amount exceeds some threshold, which varies from agency to agency and from month to month, but a few thousand stolen from any individual is like losing your wallet on a bus. They just won't bother doing anything about it besides sending you a form letter to fill out, which is promptly ignored.

Re:I have the solution to phishing

[apathy+maybe]

"public, televised floggings for anyone convicted of fraud or petty theft."

Sure, allow the rich fuckers to get away with it, white collar criminals, corporate executives etc.

But as soon as a poor kid steals a chocolate bar, public floggings!

Because, remember, we live in a society where there is only one law, but it is written to punish, not the rich, but only the poor. Any law isn't going to punish anyone who steals millions of dollars, only those who steal hundreds or less.

Re:Duh

[Brad+Eleven]

Excellent point.

Too bad it's not that way in government agencies. My impression is that their dominant mindsets are:

• No use of "not invented here" techniques or technology
  
• We'll never win this "war", the best we can do is to get ourselves promoted
  
• Open software and other new technologies are tools of the enemy
  
• Let's use my cousin Bob's company to get this done
  

I would be surprised and delighted to learn that things are any different at all. Having served in the military, I retain a smug sense of superiority, even though I know that there must be intelligent life in government. It's frustrating to keep finding that we're being taxed and led by selfish, incompetent people.

It's like growing up in a home infested with vermin, where the parents just shrug and say that they can't do anything about it, when it's obvious that they're just spending their money and attention on something else. Their willful ignorance might allow me to get away with whatever I want. The trade-off is finding that my possessions have been gnawed by mice or encountering cockroaches that look at me defiantly when I turn on the light.

As long as they let me alone, I'm OK with it. When they step in and try to suddenly impose discipline, I want to say, "Where were you when I needed you?"

No, the government isn't my parents, but it's been getting closer to the asymptote. Public school has been mandatory since before I was born. Income tax is beyond mandatory. Laws have become more and more restrictive, and we are now being monitored without warrants. That's pretty close to what I remember of my own parents, except that in this case, I own all of the responsibility.

On a national level, it's not as simple as moving out. The analog to running away from home is participation in some underground economy.

Re:Weak article

[easyTree]

In connecting the world via the Internet, we've also connected ourselves to every flavor of person we would rather avoid in real life.

In a sense though, this is a good thing. I'm arguing that complete worldwide social cohesion is required before the world's problems may be solved. If we have isolated (economically, socially) pockets of people who live outside the main body of society (whose members enjoy all the luxuries that the modern world has to offer), they are always going to send raiding parties of one form or another.

Note that in today's world 'exclusive' is seen to be synonymous with 'desireable'. Until the mindset of those in power changes from exclusion-based to inclusion-based, this is going to keep happening. Stop stealing from the poor and forcing them to live in first-world shanty-towns and they will stop stealing your credit card details on the internet, handbags, phones and cars in the street.

Re:Weak article

[umghhh]

I disagree with the low bar (to enter software developer heaven/hell). It is like with anything else: some can do it, some dare do it, some dare not do it and there are some that actually can do it well. ALl these groups may overlap somewhat in different areas of expertise. One can argue that to do pishing etc the bar is low - I can agree with that. Low standards, lack of understanding of basic principles by users and organisations one trusts or has to trust(banks or gov. agencies come to mind) and availability of tools that do the job maybe not well but well enuff makes it all possible to enter the 'hacker' arena for anybody. This has nothing to do with actual engineering. One still can do things well if one wants and finds interested organisations. Of course it is not easy in times in which basic understanding of economy is: difficult and expensive then outsource it to hell and hope for the best. Still the fact that producing software is somehow exempt from any sort of responsibility for the results is a bit awkward and I think may add to lowering barriers to entry.
Methinks.