Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Phishers Think, Act, and Make a Profit

Posted by timothy on from the good-laugh-at-your-expense dept.

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

4 of 133 comments (clear)

  1. How is this useful for law-abiding citizens? by Enderandrew · · Score: 4, Interesting

    I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:How is this useful for law-abiding citizens? by davester666 · · Score: 5, Interesting

      Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.

      This could result in:
      -fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
      -make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
      -if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Re:One time... by c0nsole · · Score: 3, Interesting

    Sounds like a coincidence to me. I charge way more than that to install any OS on any computer, as the job usually involves backup and migragation of the client's files, tracking down drivers, and other mundane stuff. For $35 it sounds like the guy was just trying to pickup some cash on the side. Even in the technical fields at my university I know there were *many* people who would never attempt something as trivial as installing an OS. Downloading and installing a printer driver is voodoo to those people, even though they themselves installed the printer via the 'quick setup poster' that came with it when it was new. Trying to show these sorts of people how to do this stuff themselves is an exercise in futility. I doubt the phisher in question would have the know-how to even be able to install Vista anyways...I heard they're quite lazy. :)

  3. Phishers ain't more techsavvy than the average Joe by Opportunist · · Score: 3, Interesting

    With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.

    Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.