Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spies In the Phishing Underground

Posted by kdawson on from the rhod-and-rheel dept.

An anonymous reader sends us to Net-Security.org for an interview with security researchers Nitesh Dhanjani and Billy Rios, who recently managed to infiltrate the phishing underground. What started as a simple examination of phishing sites turned into an extraordinary tour through the ecosystem that supports the business of phishing. In the interview they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, and discuss how phishers communicate and how they phish each other.

3 of 87 comments (clear)

  1. Re:Weak article by Windcatcher · · Score: 4, Insightful

    I doubt a chat with a phisher would be helpful. It'd probably incredibly dull, and filled with brackets due to typos on their part. Besides, as in most shadow communities, phishers tend to assume you either know everything, or you're a complete idiot to be ignored. I'm willing to bet that you couldn't get a (current) phisher to tell all."

    It begs the question, in dealing with the phishing community, who are we dealing with -- the uneducated, the merely poor, the greedy, the antisocial, or worse? Is the phishing community an outlet for the antisocial/maladjusted/borderline mentally ill? I'd like to pose the following question: assuming that such people always have and always will exist in the world, is the tech community remiss in taking this into account? When we create a piece of hardware or software, do we need to ask the question, "what if someone with an 'LSD in the reservoir' mentality gets his hands on this?" In connecting the world via the Internet, we've also connected ourselves to every flavor of person we would rather avoid in real life. Does there need to be a shift in the way we view our responsibilities as tech authors/creators?

  2. Re:Weak article by plover · · Score: 4, Insightful

    Does there need to be a shift in the way we view our responsibilities as tech authors/creators?

    This is very much like the "security through obscurity" argument. In security it's always assumed that the bad guys know or can learn the algorithms, weaknesses, etc., everything but the key. In the case of technology such as phishing kits, there may be no reason for a legitimate developer to write such a thing, but there's nothing stopping an unethical person from writing one.

    Don't get me wrong: training software engineers in ethics is a good thing. Professionals need to understand their responsibilities. But bad people can't be stopped from writing malicious software. The bar for writing software is already too low, and is getting lower by the day.

    --
    John
  3. Re:Weak article by Opportunist · · Score: 5, Insightful

    Who you're dealing with is quite simple. A mix of people, as usual. You have the crowd that knows nothing, but wants a piece of the cake. They're mostly harmless. They buy some phishing kit and try to get a few bucks. Usually they're caught. They're much like the average bank robber that goes into a bank with a gun but without a plan.

    Then you have the ones that want to try it just to see if they can. They're just as harmless. They just get your ID and then don't do anything about it. Except maybe bragging to their friends, which usually turns into them getting caught when one of their friends decides they don't want to be friends anymore.

    And finally you have some well organized groups that actually cause the problem. And there you usually get to see the type of people that you expect from such groups. You have the ones that write the code, usually quite smart people who know their shit and who also get quite a bit of money for their work (I was honestly tempted to switch sides...). Imagine an unemployed top notch programmer in an east europe country and the chance to see 4-5 digits per month, and you know what I mean. Then you have the people who can provide the necessary "hardware", i.e. acquire servers and the necessary connections to keep them running for a few weeks. In smaller groups, this is often the same person who does the coding, but even in this shadow business you notice tendencies to 'outsource' work, i.e. buy kits or hire people to do the server shifting. These are usually not the people you will talk to, unless they have reason to contact you (i.e. when they consider you someone who can get them servers or provide code).

    Then you have the people who hire the goons to grab the money and run, and fools with bank accounts. These are usually the ones you will talk to when they try to find someone gullible enough to provide their bank account for transfers. And finally you have the goons that go to Western Union to collect the loot. These are the ones you usually catch when you do a sting. They're much like the average street drug dealer, the lowest on the chain and the ones that are easy to replace. Usually some poor guy, homeless or asylum seeker, is hired for a few pennies to risk it.

    So, in general, unless they have good reason to talk to you, you won't get to hear from anyone who is up far enough on the ladder to be interesting.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.