Slashdot Mirror


Spies In the Phishing Underground

An anonymous reader sends us to Net-Security.org for an interview with security researchers Nitesh Dhanjani and Billy Rios, who recently managed to infiltrate the phishing underground. What started as a simple examination of phishing sites turned into an extraordinary tour through the ecosystem that supports the business of phishing. In the interview they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, and discuss how phishers communicate and how they phish each other.

5 of 87 comments

  1. Duh by Alexx K · · Score: 2, Interesting

    Rios: This is one of the more surprising aspects of the research we (Nitesh and I) conducted. I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused over and over and over again.

    The situation's the same with botnets, spamming, and malware. Why should things be different? Taking a peek at some phishing sites, there are obviously a great deal of similarities between them. I don't know why this is a revelation to these guys.

    P.S.: Damn, there's a lot of advertising on that site.

    --
    Don't mind the extra X. Alex
    1. Re:Duh by Kristoph · · Score: 4, Interesting

      It is in the best interest of skilled hackers to make these things available to, essentially, anyone.

      In a sea of phishers, law enforcement is likely to catch those who have the least amount of skill simply because it's easier for them. The time they spend on those cases is less time they have for people who really know what's going on.

  2. Re:Weak article by Idiot with a gun · · Score: 2, Interesting

    I doubt a chat with a phisher would be helpful. It'd probably be incredibly dull, and filled with brackets due to typos on their part. Besides, as in most shadow communities, phishers tend to assume you either know everything, or you're a complete idiot to be ignored. I'm willing to bet that you couldn't get a (current) phisher to tell all.

  3. Simple partial solution: by bbyakk · · Score: 3, Interesting

    Make the browser highlight the domain part of the URL in bold. Even if this helps just a few users recognize the scam easier it's worth it. Besides, it will somewhat improve usability for regular use as well. I often scan the URL line to get an idea of what a tab displays, and this will save a few milliseconds of my brain time each time I do it.
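
An added example, not part of the comment above or of any browser's code: a sketch of the domain highlighting that comment proposes, marking the registrable domain with `**` so that lookalike subdomains and userinfo prefixes stand apart from the host that is actually contacted. The function names, the sample URLs and the two-entry suffix set (a stand-in for the Public Suffix List) are assumptions constructed for illustration.

```javascript
// Assumption: constructed stand-in for the Public Suffix List; real
// implementations consult the full list instead of this sample.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Return the part of the hostname a user should actually read.
function registrableDomain(hostname) {
  // IP literals have no registrable domain: highlight the whole host.
  if (/^\[.*\]$/.test(hostname) || /^\d+(\.\d+){3}$/.test(hostname)) {
    return hostname;
  }
  const labels = hostname.split(".");
  if (labels.length <= 2) return hostname;
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Rebuild the URL with the registrable domain wrapped in ** markers.
// Returns null for unparsable input or non-web schemes.
function highlightDomain(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  const host = url.hostname; // already lowercased and normalised
  const domain = registrableDomain(host);
  const prefix = host.slice(0, host.length - domain.length);
  // Text before "@" is userinfo, not the site being visited.
  const userinfo = url.username
    ? url.username + (url.password ? ":" + url.password : "") + "@"
    : "";
  const port = url.port ? ":" + url.port : "";
  return `${url.protocol}//${userinfo}${prefix}**${domain}**${port}` +
    `${url.pathname}${url.search}${url.hash}`;
}

// Constructed sample URLs using reserved example names and addresses.
for (const u of [
  "https://www.bank.co.uk/accounts?id=1",
  "http://www.bank.example.secure-login.example.net/signin",
  "http://bank.example@203.0.113.7/update",
]) {
  console.log(highlightDomain(u));
}
```
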

  4. Re:Real Security Threat: You by Opportunist · · Score: 2, Interesting

    Yup. The weakest link in computer security is the user. Now, while in companies you might have some administrator who might or might not be actually security conscious and lock down user PCs (as far as he can, due to company policy and program requirements), the average machine in a user's home is horribly insecure. Not because of remote exploits or inherently bad security, but because users are gullible and can easily be tricked into clicking pretty much everything.

    Now, I know a lot of people will claim that you can lock down a system sensibly. No, you cannot. Unless you forbid the user to run whatever code he wants (i.e. let him only run 'signed' code that some signing authority deemed ok), you cannot. The key problem is that you, the maker of the system, cannot decide whether the actions caused by the program are wanted by the user or not. Yes, you can ask the user about every even so trivial thing, but then you're where Vista is: You ask him questions he cannot answer, failing to understand just what you are asking there. Access the registry? Access the internet? I ... dunno?

    Locking away the system and allowing only "user space" programs to run doesn't cut it either. Because most home computers are only used by one person, it does not matter whether you run only for this one person or for the whole system, they're the same.

    So, basically, what security comes down to is user knowledge. Most trojans today use social engineering to get onto a user's PC. They don't use backdoors or exploits, they simply use tricks to have the user open and run them.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.