How Phishers Think, Act, and Make a Profit

← Back to Stories (view on slashdot.org)

How Phishers Think, Act, and Make a Profit

Posted by timothy on Thursday August 7, 2008 @01:29PM from the good-laugh-at-your-expense dept.

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

14 of 133 comments (clear)

How is this useful for law-abiding citizens? by Enderandrew · 2008-08-07 13:43 · Score: 4, Interesting

I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

--
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
1. Re:How is this useful for law-abiding citizens? by urcreepyneighbor · 2008-08-07 13:47 · Score: 5, Informative
  
  I wish the article had good suggestions for how to prevent phishing attacks.
  Super secret information! Don't share with anyone! Majestic Clearance only!
  
  --
  "The fight for freedom has only just begun." - Geert Wilders
2. Re:How is this useful for law-abiding citizens? by LostCluster · 2008-08-07 13:54 · Score: 4, Insightful
  
  Isn't that the reason they call it "Black Hat" instead of "White Hat"?
3. Re:How is this useful for law-abiding citizens? by davester666 · 2008-08-07 14:00 · Score: 5, Interesting
  
  Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.
  This could result in:
  -fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
  -make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
  -if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.
  
  --
  Sleep your way to a whiter smile...date a dentist!
4. Re:How is this useful for law-abiding citizens? by janrinok · 2008-08-07 18:25 · Score: 4, Informative
  
  Certainly over here in Europe you will have just committed an offence. The unauthorised access of someone else's computer is illegal, yes, even those computers being used by criminals. There is no "Robin Hood Excuse" that will change the fact that your actions are illegal. Now, as the US has just been successful in claiming the extradition of a British cracker, I'm sure that the US will be equally happy to extradite all those Americans who hack into European criminals' computers to face charges over here. Alternatively, you might have been suggesting that all phishers are American and that as long as such actions are contained inside the USA it is all entirely acceptable.
  That's one of the problems of being a vigilante, you often have to be a criminal to do what you 'believe' to be justice. It doesn't make the vigilante any better in my eyes.
  
  --
  Have a look at soylentnews.org for a different view
5. Re:How is this useful for law-abiding citizens? by rapiddescent · 2008-08-07 19:39 · Score: 4, Insightful
  
  legality is an issue - why should *you* make the judgement on whether that data is in fact stolen - perhaps that data has been placed their by banking regulators/NHTCU using 'honeypot' card numbers so that tracing can occur to recover funds.
  A well known Scottish bank (that I used to work at) were well known for chasing money launderers who have (ab)used their systems to the ends of the earth - often spending more than the consequential fraud loss to do so. In the old days, they used to use marked cheques - nowadays they have hotscan products that will trace payments to affiliated payment networks across international borders.
  Yeah, breaking into phishing sites is a lot of fun, but before you "drop table", think about your actions and whether you are breaking the computer misuse act (UK) or the Police and Justice Act (Scotland) or indeed any law from the host nation.
  The Gary MacKinnon case has shown that a rather underrated cracker (poking around with Term Services looking for blank passwds -- for FS!) can cause an extradition to a foreign country well known for its human rights abuses - is just shocking.
Hey! by Vectronic · 2008-08-07 13:52 · Score: 5, Funny

"...[Phishers] basically are lazy"
I'm lazy, maybe I could be a phisher king...
"...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."
Shit, I instrinsically fail.
Re:Hmm by Eudial · 2008-08-07 14:13 · Score: 5, Funny

The next logical step would be hackers hacking hacker-hacking hackers.

--
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
Old Hat by Pandare · 2008-08-07 14:18 · Score: 5, Funny

This article is an old Trope. In fact, Confucius once said: "Give a man a fish, he eats once. Teach a man to phish and he gets a post in /."
1. Re:Old Hat by Yvan256 · 2008-08-07 15:30 · Score: 4, Funny
  
  Give a man fire and he'll be warm for a day. Set him on fire and he'll be warm for the rest of his life.
2. Re:Old Hat by Darkness404 · 2008-08-07 16:24 · Score: 4, Funny
  
  But give a man Ramen Noodles and you don't have to teach him anything.
  
  --
  Taxation is legalized theft, no more, no less.
How to prevent phising attacks. by Anonymous Coward · 2008-08-07 14:35 · Score: 5, Insightful

Engage brain before clicking.
Re:One time... by Anonymous Coward · 2008-08-07 15:52 · Score: 5, Funny

"even who-is'd him for them in the e-mail (it appeared to be an Indian name).... I called the number on the ad... He had a thick Indian accent. Same guy? Coincidence?"
No way that was a coincidence. I mean, how many Indians are there?
You know, this one time... by patio11 · 2008-08-07 17:43 · Score: 4, Funny

... I saw two white guys in a day. And was like, whoa -- are you folks following me?
Then I saw another one. I knew it. Never trust white guys.
-- A white guy (but just because I'm paranoid doesn't mean I'm not out to get me!)

--
Help poke pirates in the eyepatch, arr.