Security The Almighty Buck

Phishing Group Caught Stealing From Other Phishers 129

An anonymous reader writes "Netcraft has written about a website offering free phishing kits with one ironic twist — they all contain backdoors to steal stolen credentials from the fraudsters that deploy them. Deliberately deceptive code inside the kits means that script kiddies are unlikely to realize that any captured credit card numbers also end up getting sent to the people who made the phishing kits. The same group was also responsible for another backdoored phishing kit used against Bank of America earlier this month."
This discussion has been archived. No new comments can be posted.

  • by whoever57 ( 658626 ) on Wednesday January 23, 2008 @10:02PM (#22162254) Journal
    But seriously, this is good news! It is always good news (for law-abiding people) when crooks start feeding off each other.
  • by cortesoft ( 1150075 ) on Wednesday January 23, 2008 @10:09PM (#22162310)
    Except they are actually double feeding off innocent people.... some poor chap's info gets stolen by both the guy who deployed the phishing kit and the guy who wrote it.... which means it's probably at least twice as likely to get used for fraud.
  • This is really sad.. (Score:5, Interesting)

    by DigitAl56K ( 805623 ) on Wednesday January 23, 2008 @10:34PM (#22162506)
    .. you just can't trust malware anymore!

    Really though, this is nothing new. IIRC, some builds of Sub7 [wikipedia.org] had a reverse backdoor (not covered in the wiki article), as well as a master password that let the Sub7 crew take over a server (covered by the wiki article), and some builds even included hard drive killer when the master password was in use.
  • by swb ( 14022 ) on Wednesday January 23, 2008 @11:01PM (#22162736)
    Don't you ever wonder why there have been so few significant arrests of spammers/phishers/etc?

    Isn't it trivial for a government agency like the FBI or Treasury to track payments charged to any kind of electronic banking back to the recipient? Wouldn't an investigation "following the money" ultimately lead you to either the thief or at least greatly disrupt his activities? At a minimum it would expose the people that made their transactions work (banks, hosting companies, other otherwise "normal" business people).

    A couple of decent RICO prosecutions and you would drive this stuff out of the United States and greatly reduce the scale of it.

    But it never happens, and I can only think that somehow the government has somehow turned these people into some espionage rabbit hole and high level prosecutions would disrupt intelligence gathering. Because there is little reason the government couldn't do something about it if they wanted to.
  • Phishing... (Score:4, Interesting)

    by Derek Loev ( 1050412 ) on Wednesday January 23, 2008 @11:08PM (#22162766)
    It's amazing how many large websites are so vulnerable to even basic attacks. SQL Injection is still rampant (a simple well devised Google search can show you that) and many corporations leave credit card numbers unencrypted. Somebody with basic knowledge of SQL could attack a large amount of organizations without any trouble. I've seen this happen to too many people for me to ever trust important information on smaller sites.
  • by morethanapapercert ( 749527 ) on Thursday January 24, 2008 @12:58AM (#22163432) Homepage
    There is one slight flaw with that plan. How does a victim know when to give the trojan CC# and when to give the real one? The whole point of phishing is to look as safe and legit as possible*. If, for example, my mother-in-law gets an email from Mr. BadGuy Phisher offering (of all things) heavily discounted embroidery pattern files for her embroidery machine. She thinks he really has such files for sale, she actually does want the product, so she provides her real CC# and not the false one. Now, this is a woman who is keenly aware of the potential for credit card fraud and identity theft. I have seen her save all of her receipts and manual charge slips in a shopping bag so her husband can burn them out in the shop. She is convinced that Bad Men are rooting through trash to collect CC's and banking info. She is convinced that these Bad Men are somehow able to access her account based on the string of numbers that appear on the receipt when she uses her debit card.
      Yet, despite this paranoia, she still buys hordes of knick-knacks, limited edition "collectibles", sewing supplies and such on EBay. Paypal being too scary for her, she uses her CC to pay for all of that. Try as I might, I can't seem to persuade her that a person in CA selling cutesy crocheted animal sweaters could be a Bad Man just as easily as some person rooting through her trash. As for email based scams; well, I set up her email client to reject anyone not already in her address book and have trained her in the habit of sending the initial email to them, rather than waiting until she gets one. As a major side benefit for me, it has drastically cut down the number of "cute", "humorous" or "inspirational" forwards she sends me.

    *The bar to appear safe and legit enough for some users can be staggeringly low. Let's face it, there are always going to be some stupid people around.
  • Re:Script kiddies? (Score:4, Interesting)

    by DigitAl56K ( 805623 ) on Thursday January 24, 2008 @02:05AM (#22163786)
    This is pretty much the correct usage.

    From Wikipedia [wikipedia.org]:

    In hacker culture, a script kiddie (occasionally script bunny, skidie, script kitty, script-running juvenile (SRJ), or similar) is a derogatory term used for an inexperienced malicious cracker who uses programs developed by others to attack computer systems, and deface websites. It is generally assumed that script kiddies are kids who lack the ability to write sophisticated hacking programs on their own,[1] and that their objective is to try to impress their friends or gain credit in underground cracker communities.

    And that's exactly what's happening.
  • by morcego ( 260031 ) on Thursday January 24, 2008 @02:52AM (#22164068)

    Personally, I still want to see financial institutions implement a system where you can get trojan account numbers to give to the phishers that appear just like real numbers. If the phisher uses them, immediately the institution knows to look for fraudulent activity from that source.


    One of my ATM cards has 2 different PIN numbers. If I use the alternative one, the transaction is completed normally (so no one on the spot gets wiser), but the institution will flag it and notify the police at once, providing my identity and location. I have to pay a little extra for it (about US$ 3/month), but it is well worth it. It is considered (and marketed as) an insurance. I have had this since 1996, and I'm happy to say I never needed it.

    So yes, the banks know this kind of thing can be done. I wonder why other institutions don't do it or even why this is not mandatory for all cards.

    I really don't mind the extra US$ 3/month for this service.
  • by mh1997 ( 1065630 ) on Thursday January 24, 2008 @09:00AM (#22165534)

    they aren't really feeding off each other, just more off YOU. Both thieves get a crack at your cc#. Would you rather have rung up $4000 on your card, or $8000?
    It really does not matter how much is fraudulently charged on my credit card. I am not responsible for either amount.

    Looking at the larger picture, I want as small an amount of fraud as possible because the cost of goods will be cheaper. Somebody has to recoup that $4000 or $8000 in your example, but what happens, everyone pays for fraud, but spread out over every purchase made, it is probably lower than the sales tax you pay on each individual transaction.

    For what it's worth, I have found a way to never have my credit card info stolen - I use cash. For you conspiracy minded people out there, my purchases are not trackable. Even better, the amount of debt I have is $0 which comes out to $0 per month in interest with a grand total of $0 per year. You'd also be amazed at the businesses (big box stores and little local stores) that will give you a discount for cash if you ask.

  • by Zeinfeld ( 263942 ) on Thursday January 24, 2008 @09:25AM (#22165704) Homepage
    Problem is, they're not feeding on each other; the feeding order is not circular, but rather pyramidal. The smart and resourceful ones get even richer through the bottom-feeders' "work".

    Exactly, in the chat rooms the criminals are far more worried about each other than the forces of law and order. OK they are concerned that the person might be from a security company (our guys) or a police officer. But they are rather more angry about 'rippers' - criminals who take the money but never deliver the goods or take goods and don't pay for them.

    In the shadowcrew organization about a third of the management team was occupied as enforcers. In fact that is how they got caught, they ended up in a turf war and someone turned them in to police.

    As in all criminal organizations the guys at the bottom get chicken feed. All the money flows up the pyramid, just like the Sopranos. A street drug dealer is likely to be in prison or dead in two to three years on average and makes less than minimum wage. The typical botnet herder makes less than they would flipping burgers. All the money flows up.
