How Phishers Think, Act, and Make a Profit

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

How is this useful for law-abiding citizens?

[Enderandrew]

I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

Re:

[AceofSpades19]

You can start phishing phishers and get your sweet sweet revenge

Re:How is this useful for law-abiding citizens?

[davester666]

Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.

This could result in:
-fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
-make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
-if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.

Re:

[xristoph]

that might work... if they're not logging database accesses, which would make it relatively easy to filter out the good data again...

Re:

[davester666]

Maybe, but you could spoof the IP and/or MAC address of the phishing site, and you've got the code the guy is using to update the database, so you could probably get really close to looking like the real phishing site.

Of course, if the phisher is storing the data on some 3rd party guestbook, you may not want throw thousands of entries a second at it...

And this could easily cross over to the illegal side... Technically, it probably is illegal to write bogus entries into a hackers data, as it would be gainin

Re:How is this useful for law-abiding citizens?

[janrinok]

Certainly over here in Europe you will have just committed an offence. The unauthorised access of someone else's computer is illegal, yes, even those computers being used by criminals. There is no "Robin Hood Excuse" that will change the fact that your actions are illegal. Now, as the US has just been successful in claiming the extradition of a British cracker, I'm sure that the US will be equally happy to extradite all those Americans who hack into European criminals' computers to face charges over here. Alternatively, you might have been suggesting that all phishers are American and that as long as such actions are contained inside the USA it is all entirely acceptable.

That's one of the problems of being a vigilante, you often have to be a criminal to do what you 'believe' to be justice. It doesn't make the vigilante any better in my eyes.

Re:

[Eskarel]

I really don't think legality is all that much of an issue. You're looking at more risk of them sending hired goons than the police.

Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

Re:How is this useful for law-abiding citizens?

[rapiddescent]

legality is an issue - why should *you* make the judgement on whether that data is in fact stolen - perhaps that data has been placed their by banking regulators/NHTCU using 'honeypot' card numbers so that tracing can occur to recover funds.

A well known Scottish bank (that I used to work at) were well known for chasing money launderers who have (ab)used their systems to the ends of the earth - often spending more than the consequential fraud loss to do so. In the old days, they used to use marked cheques - nowadays they have hotscan products that will trace payments to affiliated payment networks across international borders.

Yeah, breaking into phishing sites is a lot of fun, but before you "drop table", think about your actions and whether you are breaking the computer misuse act (UK) [opsi.gov.uk] or the Police and Justice Act (Scotland) [opsi.gov.uk] or indeed any law from the host nation.

The Gary MacKinnon [wikipedia.org] case has shown that a rather underrated cracker (poking around with Term Services looking for blank passwds -- for FS!) can cause an extradition to a foreign country well known for its human rights abuses - is just shocking.

Re:

[Eskarel]

You might notice I didn't say that doing it was right, or a good idea. What I said was that the consequences you might encounter were unlikely to be legal in nature because criminals don't involve the police in protecting their businesses very often.

Re:How is this useful for law-abiding citizens?

[Fred_A]

Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.

There is however a marginal risk that the legitimate owner of the system would notice you instead of the phisher. And call the relevant authorities on you. Which might prove uncomfortable.

Re:

[Noodlenose]

"..I'm sure that the US will be equally happy to extradite all those Americans who hack into European criminals' computers to face charges over here."

Wouldn't there be a cue? Or even a rise in hacker related offenses of all those who want to move into an environment devoid of neo-evangelicals, the Homeland Security Agency and -most of all- Americans?

Re:

[d3ac0n]

I'm sure that the US will be equally happy to extradite all those Americans who hack into European criminals' computers to face charges over here.

Maybe...

But it's EUROPE. You guys can only BARELY put away terrorists. People that actually kill innocent bystanders get light sentences. What do you really think will happen to a hacker who hacks a phisher? I suspect that the worst that will happen is that they will bar this hypothetical hacker from entering Europe for a while. Which, since the hypothetical

Re:

[DiamondMX]

Americans, on the other hand have been considering bringing back 'cutting off the hands of the offender' for stealing loaves of bread.

This is useful for law-enforcement agencies.

[ukemike]

It ought to be very useful to the law enforcement agencies such as the FBI. It seems like this kind of access could prove to be very fruitful in busting criminals. I'm not even in IT, but this seems like a no brainer. Look at the script; see where they are storing the stolen data; get a warrant to find the IP of whoever set up the account or whoever accesses it; go to their home with a warrant; and bust them. But perhaps I am expecting too much of our law enforcement agencies since they are so busy tra

Re:

[DiamondMX]

Umm, Robin Hood was a wanted criminal, according to most of the commonly believed lore.
I don't think his excuse *worked*

Re:

[roguetrick]

-get you arrested along with the phisher

Re:

[powerlord]

You can start phishing phishers and get your sweet sweet revenge

Don't think of it as "Phishing Phishers" ... think of it as "Phish Pharming" ;)

Re:How is this useful for law-abiding citizens?

[urcreepyneighbor]

I wish the article had good suggestions for how to prevent phishing attacks.

Super secret information! Don't share with anyone! Majestic Clearance only! [google.com]

Re:

[Enderandrew]

Sorry, I'm terrified of clicking on links for fear of being phished. Perhaps I'll go search on MSN for how to prevent phishing. Oh wait, it says to exclusively use IE and then I'll be magically safe from all phishers!

Now I feel safe and secure!

(Yes, I'm being facetious).

I know I can Google for information on phishing, but why post this article on Slashdot? It seems like the only point of this article is to encourage theft of data. I didn't think that was the norm for the editors here.

Re:

[maxume]

So the only thing keeping poor Billy from stealing data is that he hasn't thought about it and a timely article on /. is going to push him over the edge?

Probably not.

Re:

[cduffy]

The article increases awareness of a security vulnerability.

Awareness means people can reprioritize how important it is to fix something: ie. if phishers handle private data so carelessly that it can be stolen by more parties than just that initially gathering it (and the party they sell it to), that provides a justification for even more vigilance than would otherwise be used, and a talking point to use when telling people how important it is to be cautious about potential phishing sites.

don't forget the microsoft's Blue Hat

[CDMA_Demo]

and apple's mighty iHat as well

Re:How is this useful for law-abiding citizens?

[LostCluster]

Isn't that the reason they call it "Black Hat" instead of "White Hat"?

Re:

[Majik Sheff]

The conference on phishing and spamming should be called the Ass Hat conference.

Re:

[Gyga]

I think it is gray hats who break the law for ethically okay reasons.

Re:

[Minwee]

Then who are the "Jimmy Hat"s?

Re:

[Clock Nova]

They're what you wear before sleeping with Mr. Bishop's wife and daughter. Never know where them New Reno chicks have been.

Re:

[Enderandrew]

Be careful or you'll get the Gigolo reputation.

Re:

[Darkness404]

Nah, I only break out a Red Hat for the few occasions I work with RPMs. Or when I feel like switching to Fedora for a weekend.

Re:

[kipman725]

your paying for support and guarantees certain things will run oh and the shiny art work ;)

Re:How is this useful for law-abiding citizens?

[teh moges]

This article isn't about that, its about how they think. The information it does have, while brief, is exactly the type of information that I was expecting when I clicked the link.

How to prevent phising attacks.

[Anonymous Coward]

Engage brain before clicking.

Re:

[CDMA_Demo]

Engage brain before clicking.

I think you proved subtly that we have a Darwinian mechanism at work through phishers and crackers.

Re:

[Darkness404]

Really, most phishing attacks can be stopped with 2 things A) Making sure that it is the correct site and B) Making sure that it is HTTPS and the certificate is valid. If you do those two things, you have a good possibility of not being phished. Now, if the DNS servers gets cracked or other things like that, you might, but for 99.99999 percent of the time, doing those two things should protect you. Oh, and use a decent browser like Firefox.

Re:

[Anonymous Coward]

A lot of phish sites using php are sending the captured info to email accounts (gmail and yahoo seem to be the most popular).

While there are times when you can find credit card or login info in txt files stored on a hacked server, I see them using email as a dumping ground more often, and keeping an actual database on the same server as the site is hosted seems far too dumb to be very common.

As a side note, I try to report these email accounts when I find them and while I can't say what gmail has done with

AC?

[funkdancer]

How long until some jokester does a phishing attack that submits the info to random slashdot threads?

Re:

[dotgain]

We've had worse.

Re:

[jschottm]

I wish the article had good suggestions for how to prevent phishing attacks.

But it does. Given that the miscreants are apparently posting information into public forums, simply enter your credit card number into a google search from time to time and see if it turns up. (Note for those without a sense of humor: don't do that.)

Seriously, what did you expect from a two paragraph writeup (one of which isn't actually about phishing but sale of CCs) of a talk at a conference that says with a wink and a nudge th

Re:

[Ilgaz]

Already stolen but the data is already known to be stolen. A big difference.

A good way to let FBI come to your house in 10 minutes is using a documented/stolen credit card on a major online site. ;)

Law abiding citizens should use a browser/extension which alerts when they visit phishing site, cough $10 or free opt-in for a "pseudo-random password generator" which will totally make the entire concept of stealing passwords useless. Please check that http://www.phishtank.com/ [phishtank.com] , people spares their free time to

Re:

[ya really]

Let me get you started, 4111 1111 1111 1111. It even passes the mod 10 check!!

Re:

[Daniel Weis]

What's the credit limit on a trout's account? How about a whale?

Re:

[ya really]

Make sure you ask for the mother whale's name (mwn), I hear that's pretty important.

Hmm

[areusche]

Hackers hacking hackers? That's a mouthful! What's next? Bankers banking bankers?

Re:Hmm

[Eudial]

The next logical step would be hackers hacking hacker-hacking hackers.

Re:

[Shajenko42]

Luckily, I have a Trace Buster-Buster-Buster.

Re:Hmm

[Mesa MIke]

Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo [wikipedia.org].

Re:

[Clandestine_Blaze]

Oh yeah? Well I see your smelly Buffalo, and raise you a James while John had had had had had had had had had had had a better effect on the teacher [wikipedia.org]

I wish I knew about this while I was in high school and had to write boring 500 word essays. A few of these and I would be nearly done! :D

Re:

[suggsjc]

Hate to self promote here...but why not buy the book [lulu.com]?

Quite the entertaining read.

Hey!

[Vectronic]

"...[Phishers] basically are lazy"

I'm lazy, maybe I could be a phisher king...

"...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."

Shit, I instrinsically fail.

Re:

[cthulu_mt]

The Batman version:

"...Hackers are a cowardly and superstitious lot...also lazy"

Re:

[brunokummel]

"...[Phishers] basically are lazy"

I'm lazy, maybe I could be a phisher king...

"...all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script..."

Shit, I instrinsically fail.

Well ..That's the easier part, since the poster of TFA already figured out the much harder "..." part of the sequence:
1 - Think
2 - ....
3 - Profits

Re:

[halcyon1234]

I'm lazy, maybe I could be a phisher king...

Do they call you John, the Phisher Man?

The Phisher Job Description

[Nymz]

...does involve 'securing' data, just not in the way you think it does.

Phishers Are Lazy Because People Are So Dumb

[curmudgeon99]

How many thousands of times have you received emails from Nigerian Princes and banks you have never heard of? Enough, right, to know that you're an idiot to click on them. Then, add in lazy, persistent, digitally-amplified slackers trolling for information, and you have The Perfect Storm. These lazy phishers are making money because Joe Sixpack and Mary Hausfrau are so utterly stupid. We're doomed.

Re:

[ILuvRamen]

What do you mean "we're" doomed? More like people that dumb are doomed. We're just gonna hit the delete button on those dumb e-mails. Or OMG maybe even look at the status bar to see where links go.

Re:

[kent_eh]

What do you mean "we're" doomed?

I expect he means that large numbers of stupid people doing especially stupid things can cause significant negative effect on the economy.
Or cause draconian reactions from the financial sector and/or governments.

That affects us all.

Re:

[curmudgeon99]

Right on point. If just enough idiots fall for this, they validate the business model for Phishers and then, the chances are higher that one day one of us will receive a notice from a bank where we DO have an account.

Re:

[DaveWick79]

No, it most certainly affects everybody, because if the phisher is good enough he is going to dupe many merchants out of thousands of dollars, and when the credit card companies issue chargebacks, it will put small businesses out of business, take those thousands of dollars out of the hands of the middle class and put them in the hands of some worthless hacker who is probably going to blow it on dope. It has a far reaching effect.

Re:

[McGiraf]

And who end up footing the bill? ... yeah. It raises the cost for everyone else like shoplifting and any kind of fraud does.

Old Hat

[Pandare]

This article is an old Trope. In fact, Confucius once said: "Give a man a fish, he eats once. Teach a man to phish and he gets a post in /."

Re:

[Anonymous Coward]

Confucius say:

There is black hat and white hat, but your sig is just old hat.

Re:Old Hat

[Yvan256]

Give a man fire and he'll be warm for a day. Set him on fire and he'll be warm for the rest of his life.

Re:Old Hat

[Darkness404]

But give a man Ramen Noodles and you don't have to teach him anything.

Re:

[cffrost]

Kick a man in the noodle and he won't ask you for anything.

Re:

[caluml]

A bunch more here [calum.org] :)

One time...

[JimboFBX]

One time I received an e-mail saying my account at a local credit union had been compromised (he was using the university's public ability to look up people to attack their e-mail address). The thing was I didn't have an account at that credit union. I knew it was a phishing scheme, so I clicked the link and intentionally made up a user name said my password was "the FBI is coming". Of course, it went to the next page to re-affirm my personal information.

I e-mailed the real credit union, told them about

Re:

[maxume]

I've gotten phishing emails, notified the registrar (basically, if it makes it past gmail, I take it as being more 'lively') and watched the domain disappear within 48 hours. I don't have any illusions that it must have been my notification that made things work (I've also had registrars act like it isn't any of their business that their clients are pissing in the pool), but getting the domain pulled is the one thing that is going to prevent anything from happening.

Re:

[c0nsole]

Sounds like a coincidence to me. I charge way more than that to install any OS on any computer, as the job usually involves backup and migragation of the client's files, tracking down drivers, and other mundane stuff. For $35 it sounds like the guy was just trying to pickup some cash on the side. Even in the technical fields at my university I know there were *many* people who would never attempt something as trivial as installing an OS. Downloading and installing a printer driver is voodoo to those people,

Re:

[Brain Damaged Bogan]

seems to me he was charging for the service of installing vista, not charging them for vista, hence why he'd only do it "if they were a college student", because they apparently got the licence for free from the college.
not everyone in this world can install an operating system in their sleep.

Re:One time...

[Anonymous Coward]

"even who-is'd him for them in the e-mail (it appeared to be an Indian name).... I called the number on the ad... He had a thick Indian accent. Same guy? Coincidence?"

No way that was a coincidence. I mean, how many Indians are there?

Re:

[ajlisows]

I'm a little disturbed by your post on two levels. The first is that you think charging $35 to install Windows is somehow "Ripping people off". Sure, they let you download the installer for free. How many people, even college students, necessarily know what to do next.

By the time you go through the long Vista install process, download the newest patches, hunt down drivers that didn't get installed automatically, and whatever else you can end up having spent a good 3 hours worth of your time.

Take th

You know, this one time...

[patio11]

... I saw two white guys in a day. And was like, whoa -- are you folks following me?

Then I saw another one. I knew it. Never trust white guys.

-- A white guy (but just because I'm paranoid doesn't mean I'm not out to get me!)

Re:

[JimboFBX]

Because obviously everyone has to nick-pick every fact...

The ripping people off part of the $35 deal is that you can call the university's helpdesk and have them help you for free. Its a service provided by the university. I knew people who worked at it and they flat out said "That's a rip off because we'd help people do that". Secondly, the ad's language carried the implication that for $35 he would TELL you where you could get the installer for Vista (I don't remember the exact words, but I think it wa

Re:

[LMacG]

> Because obviously everyone has to nick-pick every fact...

Umm, yeah, that would be "nit-pick".

Re:

[omuls are tasty]

Apu, there are rumors that you are a Hindu. Is this true?

By the many arms of Vishnu, I swear it is a lie.

Re:

[mcrbids]

Don't take this as an attack. We all make mistakes sometimes.

But wow. Pitiful that you'd think that two people with "fer'n acksents" would be the same guy. As if 5.75 billion of the world's 6 billion people sounded "fer'n".

For a while, I did as you did, although I amped it up a bit. Rather than submit a single form, I reverse-engineered the submission form, then write a PHP shell script to auto-submit random (crap) data into the form with several connections at once. Then I'd fork a hundred or so processes

Re:

[Culture20]

He had a thick Indian accent. Same guy? Coincidence? No idea.

Stop by your Uni's Computer {Science,Technology,Engineering} department, ask to see the graduate student research lab, and count the number of Indian students. They're all there for two-three years, then graduate, and then they get good industry jobs. The chance it's the same guy is really really low.

Apologies to Juvenal

[agendi]

But who phishes the phishers?

I have to know

[zappepcs]

The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?

That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Setup a data center in the Caymans? Seriously!

Re:

[rootooftheworld]

Yes. Seriously!

The law will protect us!

[Jah-Wren Ryel]

And even worse, they are not protecting their stolen data

Clearly, the answer is to pass a law requiring that phishers disclose all breaches of the personal data they have collected. That will undoubtly shame them into increasing their security to better protect our personal information.

And even worse

[narcberry]

...they aren't protecting it? The fact that my personal information is in the hands of people with intentions of using it, is not as bad as them not protecting it? I'd hate to imagine the kinds of people that might get their hands on my personal information!

Phishers ain't more techsavvy than the average Joe

[Opportunist]

With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.

Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.

"non-cisco vpn" client?

[vic-traill]

So TFA says that"

An (sic) live exploit was demoed using a non-cisco sslvpn vendor during the session.

I guess I'm not afraid to demonstrate my incompetence before the entire world, but I searched for results in the two months for i) generic ssl vpn fix, ii) nortel ssl vpn fix and iii) microsoft ssl vpn fix, and came up empty handed.

Or are they talking about the Debian OpenSSL key debacle? Or maybe I should drop the "fix". :)

Re:

[Eskarel]

Basically a vpn(virtual private network) is a way of connecting securely to a network remotely. In essence it makes you appear as if you are on the remote network even when you're not.

This like pretty much every other networking task imaginable requires a client(it connects the ssl connection and handles the routing as appropriate).

Cisco makes one, as do a number of other vendors(CheckPoint comes to mind, but only because it's the client I have to use for my work vpn connection).

All they're saying was that

Re:

[widman]

That was for the ActiveX exploit. The SSL man-in-the-middle applies to all SSL VPN vendors and isn't fixable unless they add some extra server authentication.

The Perfect Crime

[v(*_*)vvvv]

Idiots fooling around do all the dirty work, and the serious crooks just snatch all their work without them even knowing it.

I am guessing phishing is risky. I am guessing that only phishing can gather information in such a large scale. If this is true, then while the idiots are getting caught, the really smart people and gaining a ton of really useful information as we speak.

If this is the case, I would be *very* worried.

Comment removed

[account_deleted]

Comment removed based on user account deletion

XLNT BUSNESS OPORTUNITY [sic]

[Crash Culligan]

houghi: Who would have thought such a thing? I thought that people who steal would make specific GUI's for them selves like you see in the movies and do all that other stuff.

Now, now... don't dismiss that sarcasm so easily. We've established that they're lazy and don't pay much attention to security. But you're onto something there, man. We just have to coax the idea into full reality.

Sure, they're lazy. Either they write the minimum code they need to in order to get their job done, or they buy off-the-she

Re:

[justinlee37]

Sell it for ostensibly legitimate purposes on the cheap. Those sort of "hint hint, wink wink" areas of industry that indirectly support the seedier bits make bank.

Re:

[bhtooefr]

Better yet: Make it actually store a database of credit card numbers, names, and addresses... but make it generate the numbers with a random number generator (but make sure they pass checksums,) fake names, and fake addresses. Make it send you the IP address it's running from at all times - that'll give you the most time possible to trace it. Or, if you feel like it, DDoS it, but that's less productive.

In related news ...

[tukang]

How suckers think, act, and lose their shit

How Phishers Think, Act, and Make a Profit:

[Conanymous Award]

1. Hmmm, I want me some profit
2. Somebody set up us the phishing website
3. ???
4. Profit!

They're lazy? No way!

[KenMcM]

Figures that they don't put much effort into securing their data.
The reason these people are phishers is because they're too lazy to obtain and hold a real job. They'd rather just get a bunch of credit card numbers and spend other people's money than have to work for their own. There comes a point where it's not worthwhile to do that when you have to work as hard for your money as everybody else.

(I know, encryption isn't particularly hard work - but it's such a drag to bother with. Let's just rack up some c

dear eve

[wisty]

adam.adamson@gmail.com, p@ssword; betty.bearham@yaho.com, thisismysecret; charlie.chapman@live.com, 1234fdsa;

Yep, it's true

[macraig]

I can attest to the veracity of this Black Hat session: I've been randomly doing this to phishers for at least two years, identifying the site with the script, grabbing it and inspecting it, figuring out the target for the script data, and grabbing the data files themselves. I was doing it to gather evidence in the act of preparing complaints against them.

Re:

[Anonymous Coward]

Yeah, there's something wrong with the world when the trolls are more interesting than the on-topic posts.