Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Phishers Think, Act, and Make a Profit

Posted by timothy on from the good-laugh-at-your-expense dept.

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

14 of 133 comments (clear)

  1. How is this useful for law-abiding citizens? by Enderandrew · · Score: 4, Interesting

    I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:How is this useful for law-abiding citizens? by davester666 · · Score: 5, Interesting

      Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.

      This could result in:
      -fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
      -make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
      -if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:How is this useful for law-abiding citizens? by Anonymous Coward · · Score: 1, Interesting

      A lot of phish sites using php are sending the captured info to email accounts (gmail and yahoo seem to be the most popular).

      While there are times when you can find credit card or login info in txt files stored on a hacked server, I see them using email as a dumping ground more often, and keeping an actual database on the same server as the site is hosted seems far too dumb to be very common.

      As a side note, I try to report these email accounts when I find them and while I can't say what gmail has done with the reports I've sent them, I can say that yahoo has been completely impossible to work with. The last time I tried, I even got a response back but they misunderstood (obviously didn't bother to fully read) my email. Even after going back and forth with them two other times, and trying everything I could to explain it clearly they didn't get it.

      They kept thinking I was trying to report spam I had seen sent to me from a yahoo account and they wanted headers.

    3. Re:How is this useful for law-abiding citizens? by maxume · · Score: 2, Interesting

      So the only thing keeping poor Billy from stealing data is that he hasn't thought about it and a timely article on /. is going to push him over the edge?

      Probably not.

      --
      Nerd rage is the funniest rage.
    4. Re:How is this useful for law-abiding citizens? by jschottm · · Score: 2, Interesting

      I wish the article had good suggestions for how to prevent phishing attacks.

      But it does. Given that the miscreants are apparently posting information into public forums, simply enter your credit card number into a google search from time to time and see if it turns up. (Note for those without a sense of humor: don't do that.)

      Seriously, what did you expect from a two paragraph writeup (one of which isn't actually about phishing but sale of CCs) of a talk at a conference that says with a wink and a nudge that they cater to the bad guys? There's not actually enough information in the blog (not that there's supposed to be) to warrant getting on slashdot. There's a bunch of resources available discussing the subject if you really need information on the subject.

    5. Re:How is this useful for law-abiding citizens? by Eskarel · · Score: 2, Interesting
      I really don't think legality is all that much of an issue. You're looking at more risk of them sending hired goons than the police.

      Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

  2. One time... by JimboFBX · · Score: 1, Interesting

    One time I received an e-mail saying my account at a local credit union had been compromised (he was using the university's public ability to look up people to attack their e-mail address). The thing was I didn't have an account at that credit union. I knew it was a phishing scheme, so I clicked the link and intentionally made up a user name said my password was "the FBI is coming". Of course, it went to the next page to re-affirm my personal information.

    I e-mailed the real credit union, told them about it, told them the link, and even who-is'd him for them in the e-mail (it appeared to be an Indian name). They told me they were looking into it. 4 months later I got the same e-mail, same website. A third e-mail showed up next year as well.

    The funny thing is that in the local college newspaper there was a guy who said he'd charge $35 to install Windows Vista on people's computers if they were a college student. Windows Vista was offered for free to individuals of the university, you just had to go download the installer. I called the number on the ad, being pissed off at how he was trying to rip people off, to give him a fake place to show up at. It went to his voice mail.

    He had a thick Indian accent. Same guy? Coincidence? No idea. I ended up not leaving a message.

    I still have the e-mail message. The domain he used is no longer registered to anyone. I hope they nabbed him.

    1. Re:One time... by c0nsole · · Score: 3, Interesting

      Sounds like a coincidence to me. I charge way more than that to install any OS on any computer, as the job usually involves backup and migragation of the client's files, tracking down drivers, and other mundane stuff. For $35 it sounds like the guy was just trying to pickup some cash on the side. Even in the technical fields at my university I know there were *many* people who would never attempt something as trivial as installing an OS. Downloading and installing a printer driver is voodoo to those people, even though they themselves installed the printer via the 'quick setup poster' that came with it when it was new. Trying to show these sorts of people how to do this stuff themselves is an exercise in futility. I doubt the phisher in question would have the know-how to even be able to install Vista anyways...I heard they're quite lazy. :)

  3. I have to know by zappepcs · · Score: 2, Interesting

    The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?

    That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Setup a data center in the Caymans? Seriously!

    --
    Support NYCountryLawyer RIAA vs People
  4. Re:How to prevent phising attacks. by CDMA_Demo · · Score: 2, Interesting

    Engage brain before clicking.

    I think you proved subtly that we have a Darwinian mechanism at work through phishers and crackers.

  5. Phishers ain't more techsavvy than the average Joe by Opportunist · · Score: 3, Interesting

    With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.

    Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:Phishers Are Lazy Because People Are So Dumb by DaveWick79 · · Score: 2, Interesting

    No, it most certainly affects everybody, because if the phisher is good enough he is going to dupe many merchants out of thousands of dollars, and when the credit card companies issue chargebacks, it will put small businesses out of business, take those thousands of dollars out of the hands of the middle class and put them in the hands of some worthless hacker who is probably going to blow it on dope. It has a far reaching effect.

  7. AC? by funkdancer · · Score: 2, Interesting

    How long until some jokester does a phishing attack that submits the info to random slashdot threads?

    --
    ISO certified == THX certified
  8. People who steal are lazy by houghi · · Score: 2, Interesting

    Who would have thought such a thing? I thought that people who steal would make specific GUI's for them selves like you see in the movies and do all that other stuff.

    OK, end the sarcasm. People who steal want to take a shortcut to the money. They want to have the money with the least possible effort. As the data they stole is not theirs and protecting them will take effort, why would they do it?

    It is as if saying that you are surprised that if people rob your house they make a mess of it. Why would they not?

    --
    Don't fight for your country, if your country does not fight for you.