Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Phishers Think, Act, and Make a Profit

Posted by timothy on from the good-laugh-at-your-expense dept.

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

42 of 133 comments (clear)

  1. How is this useful for law-abiding citizens? by Enderandrew · · Score: 4, Interesting

    I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
    1. Re:How is this useful for law-abiding citizens? by AceofSpades19 · · Score: 2, Funny

      You can start phishing phishers and get your sweet sweet revenge

    2. Re:How is this useful for law-abiding citizens? by urcreepyneighbor · · Score: 5, Informative

      I wish the article had good suggestions for how to prevent phishing attacks.

      Super secret information! Don't share with anyone! Majestic Clearance only!

      --
      "The fight for freedom has only just begun." - Geert Wilders
    3. Re:How is this useful for law-abiding citizens? by LostCluster · · Score: 4, Insightful

      Isn't that the reason they call it "Black Hat" instead of "White Hat"?

    4. Re:How is this useful for law-abiding citizens? by davester666 · · Score: 5, Interesting

      Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.

      This could result in:
      -fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
      -make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
      -if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.

      --
      Sleep your way to a whiter smile...date a dentist!
    5. Re:How is this useful for law-abiding citizens? by teh+moges · · Score: 3, Insightful

      This article isn't about that, its about how they think. The information it does have, while brief, is exactly the type of information that I was expecting when I clicked the link.

    6. Re:How is this useful for law-abiding citizens? by Gyga · · Score: 2, Informative

      I think it is gray hats who break the law for ethically okay reasons.

      --
      I don't preview or spellcheck.
    7. Re:How is this useful for law-abiding citizens? by maxume · · Score: 2, Interesting

      So the only thing keeping poor Billy from stealing data is that he hasn't thought about it and a timely article on /. is going to push him over the edge?

      Probably not.

      --
      Nerd rage is the funniest rage.
    8. Re:How is this useful for law-abiding citizens? by davester666 · · Score: 3, Informative

      Maybe, but you could spoof the IP and/or MAC address of the phishing site, and you've got the code the guy is using to update the database, so you could probably get really close to looking like the real phishing site.

      Of course, if the phisher is storing the data on some 3rd party guestbook, you may not want throw thousands of entries a second at it...

      And this could easily cross over to the illegal side... Technically, it probably is illegal to write bogus entries into a hackers data, as it would be gaining improper access to a companies information [probably some federal statue].

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re:How is this useful for law-abiding citizens? by janrinok · · Score: 4, Informative

      Certainly over here in Europe you will have just committed an offence. The unauthorised access of someone else's computer is illegal, yes, even those computers being used by criminals. There is no "Robin Hood Excuse" that will change the fact that your actions are illegal. Now, as the US has just been successful in claiming the extradition of a British cracker, I'm sure that the US will be equally happy to extradite all those Americans who hack into European criminals' computers to face charges over here. Alternatively, you might have been suggesting that all phishers are American and that as long as such actions are contained inside the USA it is all entirely acceptable.

      That's one of the problems of being a vigilante, you often have to be a criminal to do what you 'believe' to be justice. It doesn't make the vigilante any better in my eyes.

      --
      Have a look at soylentnews.org for a different view
    10. Re:How is this useful for law-abiding citizens? by jschottm · · Score: 2, Interesting

      I wish the article had good suggestions for how to prevent phishing attacks.

      But it does. Given that the miscreants are apparently posting information into public forums, simply enter your credit card number into a google search from time to time and see if it turns up. (Note for those without a sense of humor: don't do that.)

      Seriously, what did you expect from a two paragraph writeup (one of which isn't actually about phishing but sale of CCs) of a talk at a conference that says with a wink and a nudge that they cater to the bad guys? There's not actually enough information in the blog (not that there's supposed to be) to warrant getting on slashdot. There's a bunch of resources available discussing the subject if you really need information on the subject.

    11. Re:How is this useful for law-abiding citizens? by Eskarel · · Score: 2, Interesting
      I really don't think legality is all that much of an issue. You're looking at more risk of them sending hired goons than the police.

      Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

    12. Re:How is this useful for law-abiding citizens? by rapiddescent · · Score: 4, Insightful

      legality is an issue - why should *you* make the judgement on whether that data is in fact stolen - perhaps that data has been placed their by banking regulators/NHTCU using 'honeypot' card numbers so that tracing can occur to recover funds.

      A well known Scottish bank (that I used to work at) were well known for chasing money launderers who have (ab)used their systems to the ends of the earth - often spending more than the consequential fraud loss to do so. In the old days, they used to use marked cheques - nowadays they have hotscan products that will trace payments to affiliated payment networks across international borders.

      Yeah, breaking into phishing sites is a lot of fun, but before you "drop table", think about your actions and whether you are breaking the computer misuse act (UK) or the Police and Justice Act (Scotland) or indeed any law from the host nation.

      The Gary MacKinnon case has shown that a rather underrated cracker (poking around with Term Services looking for blank passwds -- for FS!) can cause an extradition to a foreign country well known for its human rights abuses - is just shocking.

    13. Re:How is this useful for law-abiding citizens? by Fred_A · · Score: 3, Insightful

      Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

      There is however a marginal risk that the legitimate owner of the system would notice you instead of the phisher. And call the relevant authorities on you. Which might prove uncomfortable.

      --

      May contain traces of nut.
      Made from the freshest electrons.
  2. Hmm by areusche · · Score: 2, Funny

    Hackers hacking hackers? That's a mouthful! What's next? Bankers banking bankers?

    1. Re:Hmm by Eudial · · Score: 5, Funny

      The next logical step would be hackers hacking hacker-hacking hackers.

      --
      GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
    2. Re:Hmm by Mesa+MIke · · Score: 3, Funny

      Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo.

    3. Re:Hmm by Shajenko42 · · Score: 2, Funny

      Luckily, I have a Trace Buster-Buster-Buster.

    4. Re:Hmm by Clandestine_Blaze · · Score: 3, Funny

      Oh yeah? Well I see your smelly Buffalo, and raise you a James while John had had had had had had had had had had had a better effect on the teacher

      I wish I knew about this while I was in high school and had to write boring 500 word essays. A few of these and I would be nearly done! :D

      --
      Best "String" Ever!
  3. Hey! by Vectronic · · Score: 5, Funny

    "...[Phishers] basically are lazy"

    I'm lazy, maybe I could be a phisher king...

    "...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."

    Shit, I instrinsically fail.

  4. The Phisher Job Description by Nymz · · Score: 3, Funny

    ...does involve 'securing' data, just not in the way you think it does.

  5. Old Hat by Pandare · · Score: 5, Funny

    This article is an old Trope. In fact, Confucius once said: "Give a man a fish, he eats once. Teach a man to phish and he gets a post in /."

    1. Re:Old Hat by Anonymous Coward · · Score: 2, Funny

      Confucius say:

      There is black hat and white hat, but your sig is just old hat.

    2. Re:Old Hat by Yvan256 · · Score: 4, Funny

      Give a man fire and he'll be warm for a day. Set him on fire and he'll be warm for the rest of his life.

    3. Re:Old Hat by Darkness404 · · Score: 4, Funny

      But give a man Ramen Noodles and you don't have to teach him anything.

      --
      Taxation is legalized theft, no more, no less.
  6. Re:Google by ya+really · · Score: 2, Funny

    Let me get you started, 4111 1111 1111 1111. It even passes the mod 10 check!!

  7. How to prevent phising attacks. by Anonymous Coward · · Score: 5, Insightful

    Engage brain before clicking.

    1. Re:How to prevent phising attacks. by CDMA_Demo · · Score: 2, Interesting

      Engage brain before clicking.

      I think you proved subtly that we have a Darwinian mechanism at work through phishers and crackers.

  8. I have to know by zappepcs · · Score: 2, Interesting

    The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?

    That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Setup a data center in the Caymans? Seriously!

    --
    Support NYCountryLawyer RIAA vs People
  9. Re:One time... by c0nsole · · Score: 3, Interesting

    Sounds like a coincidence to me. I charge way more than that to install any OS on any computer, as the job usually involves backup and migragation of the client's files, tracking down drivers, and other mundane stuff. For $35 it sounds like the guy was just trying to pickup some cash on the side. Even in the technical fields at my university I know there were *many* people who would never attempt something as trivial as installing an OS. Downloading and installing a printer driver is voodoo to those people, even though they themselves installed the printer via the 'quick setup poster' that came with it when it was new. Trying to show these sorts of people how to do this stuff themselves is an exercise in futility. I doubt the phisher in question would have the know-how to even be able to install Vista anyways...I heard they're quite lazy. :)

  10. The law will protect us! by Jah-Wren+Ryel · · Score: 2, Funny

    And even worse, they are not protecting their stolen data

    Clearly, the answer is to pass a law requiring that phishers disclose all breaches of the personal data they have collected. That will undoubtly shame them into increasing their security to better protect our personal information.

    --
    When information is power, privacy is freedom.
  11. And even worse by narcberry · · Score: 3, Funny

    ...they aren't protecting it? The fact that my personal information is in the hands of people with intentions of using it, is not as bad as them not protecting it? I'd hate to imagine the kinds of people that might get their hands on my personal information!

    --
    Modding me -1 troll doesn't make me wrong.
  12. Re:One time... by Anonymous Coward · · Score: 5, Funny

    "even who-is'd him for them in the e-mail (it appeared to be an Indian name).... I called the number on the ad... He had a thick Indian accent. Same guy? Coincidence?"

    No way that was a coincidence. I mean, how many Indians are there?

  13. Phishers ain't more techsavvy than the average Joe by Opportunist · · Score: 3, Interesting

    With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.

    Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Re:Phishers Are Lazy Because People Are So Dumb by DaveWick79 · · Score: 2, Interesting

    No, it most certainly affects everybody, because if the phisher is good enough he is going to dupe many merchants out of thousands of dollars, and when the credit card companies issue chargebacks, it will put small businesses out of business, take those thousands of dollars out of the hands of the middle class and put them in the hands of some worthless hacker who is probably going to blow it on dope. It has a far reaching effect.

  15. The Perfect Crime by v(*_*)vvvv · · Score: 2, Insightful

    Idiots fooling around do all the dirty work, and the serious crooks just snatch all their work without them even knowing it.

    I am guessing phishing is risky. I am guessing that only phishing can gather information in such a large scale. If this is true, then while the idiots are getting caught, the really smart people and gaining a ton of really useful information as we speak.

    If this is the case, I would be *very* worried.

  16. AC? by funkdancer · · Score: 2, Interesting

    How long until some jokester does a phishing attack that submits the info to random slashdot threads?

    --
    ISO certified == THX certified
  17. You know, this one time... by patio11 · · Score: 4, Funny

    ... I saw two white guys in a day. And was like, whoa -- are you folks following me?

    Then I saw another one. I knew it. Never trust white guys.

    -- A white guy (but just because I'm paranoid doesn't mean I'm not out to get me!)

    --
    Help poke pirates in the eyepatch, arr.
  18. People who steal are lazy by houghi · · Score: 2, Interesting

    Who would have thought such a thing? I thought that people who steal would make specific GUI's for them selves like you see in the movies and do all that other stuff.

    OK, end the sarcasm. People who steal want to take a shortcut to the money. They want to have the money with the least possible effort. As the data they stole is not theirs and protecting them will take effort, why would they do it?

    It is as if saying that you are surprised that if people rob your house they make a mess of it. Why would they not?

    --
    Don't fight for your country, if your country does not fight for you.
  19. Re:"non-cisco vpn" client? by Eskarel · · Score: 2, Informative
    Basically a vpn(virtual private network) is a way of connecting securely to a network remotely. In essence it makes you appear as if you are on the remote network even when you're not.

    This like pretty much every other networking task imaginable requires a client(it connects the ssl connection and handles the routing as appropriate).

    Cisco makes one, as do a number of other vendors(CheckPoint comes to mind, but only because it's the client I have to use for my work vpn connection).

    All they're saying was that one of the vpn client vendors has a bug which allows an exploit of some description. If you don't have one, don't worry about it, if you do have one check yours and don't worry about anyone elses.

  20. How Phishers Think, Act, and Make a Profit: by Conanymous+Award · · Score: 2, Funny

    1. Hmmm, I want me some profit
    2. Somebody set up us the phishing website
    3. ???
    4. Profit!

  21. Re:One time... by LMacG · · Score: 2, Funny

    > Because obviously everyone has to nick-pick every fact...

    Umm, yeah, that would be "nit-pick".

    --
    Slightly disreputable, albeit gregarious