How Phishers Think, Act, and Make a Profit
whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publicly available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"
I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
If you want credit card numbers, just Google for them. Why bother buying them from a fisher?
Hackers hacking hackers? That's a mouthful! What's next? Bankers banking bankers?
"...[Phishers] basically are lazy"
I'm lazy, maybe I could be a phisher king...
"...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."
Shit, I intrinsically fail.
...does involve 'securing' data, just not in the way you think it does.
1. Think 2. Act 3. ??? 4. Profit!
My other UID is lower than this one.
How many thousands of times have you received emails from Nigerian Princes and banks you have never heard of? Enough, right, to know that you're an idiot to click on them. Then, add in lazy, persistent, digitally-amplified slackers trolling for information, and you have The Perfect Storm. These lazy phishers are making money because Joe Sixpack and Mary Hausfrau are so utterly stupid. We're doomed.
This article is an old Trope. In fact, Confucius once said: "Give a man a fish, he eats once. Teach a man to phish and he gets a post in /."
In my experience, most small-scale phishing operations simply email the info to a throwaway free email (the email will outlast the site in almost 100% of cases).
One time I received an e-mail saying my account at a local credit union had been compromised (he was using the university's public ability to look up people to attack their e-mail address). The thing was I didn't have an account at that credit union. I knew it was a phishing scheme, so I clicked the link, intentionally made up a user name and said my password was "the FBI is coming". Of course, it went to the next page to re-affirm my personal information.
I e-mailed the real credit union, told them about it, told them the link, and even who-is'd him for them in the e-mail (it appeared to be an Indian name). They told me they were looking into it. 4 months later I got the same e-mail, same website. A third e-mail showed up next year as well.
The funny thing is that in the local college newspaper there was a guy who said he'd charge $35 to install Windows Vista on people's computers if they were a college student. Windows Vista was offered for free to individuals of the university, you just had to go download the installer. I called the number on the ad, being pissed off at how he was trying to rip people off, to give him a fake place to show up at. It went to his voice mail.
He had a thick Indian accent. Same guy? Coincidence? No idea. I ended up not leaving a message.
I still have the e-mail message. The domain he used is no longer registered to anyone. I hope they nabbed him.
Engage brain before clicking.
But who phishes the phishers?
I just can't be bothered.
How to profit as a phisher -
1. Think
2. Act
3. ???
4. Profit!
node-def: a tactical hacking sim. Now in open beta.
The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?
That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Setup a data center in the Caymans? Seriously!
Support NYCountryLawyer RIAA vs People
Um, the article is clearly about social networking sites.
and apple's mighty iHat as well
And even worse, they are not protecting their stolen data
Clearly, the answer is to pass a law requiring that phishers disclose all breaches of the personal data they have collected. That will undoubtedly shame them into increasing their security to better protect our personal information.
When information is power, privacy is freedom.
...they aren't protecting it? The fact that my personal information is in the hands of people with intentions of using it, is not as bad as them not protecting it? I'd hate to imagine the kinds of people that might get their hands on my personal information!
Modding me -1 troll doesn't make me wrong.
Phishers
1. Think ...
2. Act
3.
4. Profit!!
You know what they say about opinions. They're all fabulous!
Followed a link in a phishing email, to a fake Paypal home page. Noticed the page wasn't in the root directory of the site, so I quickly checked out the parent directory. A file in there caught my eye, a text file that began with "cc_". Opening it revealed about a hundred and fifty sets of email addresses, mailing addresses, full names, Paypal passwords, credit card numbers, and secret codes from the back of the credit card.
Sent an email to Paypal. Also sent one to every email address on that list that wasn't obviously phoney, telling them to cancel their credit card, change their Paypal and email account passwords.
The server was located in North Korea, I believe, so there wasn't much that could be done to shut it down. The IP address wasn't registered to a domain name either, so good whois information was out of the question.
Four days later, the site was gone, likely just using another IP address.
Makes me wonder how many other people discovered the list of information and what they decided to do with it.
With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.
Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So TFA says that:
An (sic) live exploit was demoed using a non-cisco sslvpn vendor during the session.
I guess I'm not afraid to demonstrate my incompetence before the entire world, but I searched for results in the two months for i) generic ssl vpn fix, ii) nortel ssl vpn fix and iii) microsoft ssl vpn fix, and came up empty handed.
Or are they talking about the Debian OpenSSL key debacle? Or maybe I should drop the "fix". :)
Idiots fooling around do all the dirty work, and the serious crooks just snatch all their work without them even knowing it.
I am guessing phishing is risky. I am guessing that only phishing can gather information on such a large scale. If this is true, then while the idiots are getting caught, the really smart people are gaining a ton of really useful information as we speak.
If this is the case, I would be *very* worried.
How long until some jokester does a phishing attack that submits the info to random slashdot threads?
ISO certified == THX certified
... I saw two white guys in a day. And was like, whoa -- are you folks following me?
Then I saw another one. I knew it. Never trust white guys.
-- A white guy (but just because I'm paranoid doesn't mean I'm not out to get me!)
Help poke pirates in the eyepatch, arr.
Who would have thought such a thing? I thought that people who steal would make specific GUIs for themselves like you see in the movies and do all that other stuff.
OK, end the sarcasm. People who steal want to take a shortcut to the money. They want to have the money with the least possible effort. As the data they stole is not theirs and protecting it will take effort, why would they do it?
It is as if saying that you are surprised that if people rob your house they make a mess of it. Why would they not?
Don't fight for your country, if your country does not fight for you.
1) Think ...
2)
3) Profit !!!
How suckers think, act, and lose their shit
Yeah, there's something wrong with the world when the trolls are more interesting than the on-topic posts.
1. Hmmm, I want me some profit
2. Somebody set up us the phishing website
3. ???
4. Profit!
Now, now... don't dismiss that sarcasm so easily. We've established that they're lazy and don't pay much attention to security. But you're onto something there, man. We just have to coax the idea into full reality.
Sure, they're lazy. Either they write the minimum code they need to in order to get their job done, or they buy off-the-shelf toolkits that have what they need. If the toolkit is cheap enough, they would gladly spend a little money in order to make a lot of money.
And that's where the fun begins.
Imagine a craigslist advertisement for such a toolkit with a friendly and easy-to-use back-end interface and innocuous-looking login mechanism so nobody can waltz in and steal or contaminate the collected data. The person who sets that up could make a few bucks on the side...or collect the names and addresses and turn the list over to the FBI...or distribute a program that contains some sort of sleeper malware that lies dormant for a while before it springs into action. How bad do you think the problem of software piracy is among those people, hmmm?
Of course, word of mouth won't be enough. We'll have to start sending out advertising emails. Lots of them. And possibly take out advertisements on those websites that cater to that sort of clientele. After all, running a board like that probably costs money. The operators should be grateful for any recompense they get. Advertising is an excellent way to make money on a website. Big, flashing banner advertisements in noxious colors, telling them that they've won a free copy of PhishPharmr™ and that all they have to do to claim their prize is enter a little personal information.
Just remind yourself that the point of this exercise is education, not necessarily profit. Some people steadfastly refuse to admit what kind of trouble they cause until they get caught in something like it themselves.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
Figures that they don't put much effort into securing their data.
The reason these people are phishers is because they're too lazy to obtain and hold a real job. They'd rather just get a bunch of credit card numbers and spend other people's money than have to work for their own. There comes a point where it's not worthwhile to do that when you have to work as hard for your money as everybody else.
(I know, encryption isn't particularly hard work - but it's such a drag to bother with. Let's just rack up some credit card charges at the nude bar, that's much more enticing)
adam.adamson@gmail.com, p@ssword; betty.bearham@yaho.com, thisismysecret; charlie.chapman@live.com, 1234fdsa;
To sell things like credit cards, they showed a site called vipdump where you can buy a stolen US credit card number for $20 each. Vipdump is just one of hundreds of such sites, all of which use some form of anonymous payment system like egold or WU.
Did they really have to tell you where to buy a credit card? Google VIPDump and hit "I'm feeling lucky". Voila, VipDump.com. I know that most people that are interested in buying credit cards already know where to look, but before this article I didn't know where to look.
It ought to be very useful to the law enforcement agencies such as the FBI. It seems like this kind of access could prove to be very fruitful in busting criminals. I'm not even in IT, but this seems like a no brainer. Look at the script; see where they are storing the stolen data; get a warrant to find the IP of whoever set up the account or whoever accesses it; go to their home with a warrant; and bust them. But perhaps I am expecting too much of our law enforcement agencies since they are so busy tracking all of the millions of Americans on their terrorist watch lists.
What I keep thinking is that if the crooks are this lazy it is because they can be. Nobody is chasing after them. It boggles the mind.
-- QED
Mainly, when I fish, I always use someone else's fishing pole. Wouldn't want my own getting trashed if I happened to catch a barracuda.
Secondly, when I do catch the fish I don't throw it in my freezer just yet. First I throw it in a barrel. You need to clean it up first you see.
Usually I go take a beer or two and come back later when the fish is dead. That way you don't have to get your hands dirty and kill them yourself.
I'm just saying that there's a technique to it. And any phishermen you'll come across will agree on that.
I can attest to the veracity of this Black Hat session: I've been randomly doing this to phishers for at least two years, identifying the site with the script, grabbing it and inspecting it, figuring out the target for the script data, and grabbing the data files themselves. I was doing it to gather evidence in the act of preparing complaints against them.