How Phishers Think, Act, and Make a Profit 133
whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"
How is this useful for law-abiding citizens? (Score:5, Interesting)
I wish the article had good suggestions for how to prevent phishing attacks. Instead, it seems like this article is suggesting I can easily steal already stolen credit-card data.
Re:How is this useful for law-abiding citizens? (Score:5, Interesting)
Offhand, the only 'good' thing you could do would be to hoop the database. If it's poorly secured, you could get it to delete all the current records. If it's more secure, you could fill it with slightly bogus data [like real names and addresses, but phony credit card numbers.
This could result in:
-fills up the drive on the computer it's stored on, which would at least temporarily halt more stupid people from adding their data to it
-make it difficult to filter out good entries from bad. The data is kind of correct, they might have to actually pass it to the credit card company to actually check if it's good or not
-if they can't filter out the bad entries, it makes using the database to do 'bulk' transactions easier for the credit card companies to notice [assuming they put much effort into it instead of just passing the cost onto merchants] as it happens, instead of 30 days later when people complain.
One time... (Score:1, Interesting)
I e-mailed the real credit union, told them about it, told them the link, and even who-is'd him for them in the e-mail (it appeared to be an Indian name). They told me they were looking into it. 4 months later I got the same e-mail, same website. A third e-mail showed up next year as well.
The funny thing is that in the local college newspaper there was a guy who said he'd charge $35 to install Windows Vista on people's computers if they were a college student. Windows Vista was offered for free to individuals of the university, you just had to go download the installer. I called the number on the ad, being pissed off at how he was trying to rip people off, to give him a fake place to show up at. It went to his voice mail.
He had a thick Indian accent. Same guy? Coincidence? No idea. I ended up not leaving a message.
I still have the e-mail message. The domain he used is no longer registered to anyone. I hope they nabbed him.
Re:How is this useful for law-abiding citizens? (Score:1, Interesting)
A lot of phish sites using php are sending the captured info to email accounts (gmail and yahoo seem to be the most popular).
While there are times when you can find credit card or login info in txt files stored on a hacked server, I see them using email as a dumping ground more often, and keeping an actual database on the same server as the site is hosted seems far too dumb to be very common.
As a side note, I try to report these email accounts when I find them and while I can't say what gmail has done with the reports I've sent them, I can say that yahoo has been completely impossible to work with. The last time I tried, I even got a response back but they misunderstood (obviously didn't bother to fully read) my email. Even after going back and forth with them two other times, and trying everything I could to explain it clearly they didn't get it.
They kept thinking I was trying to report spam I had seen sent to me from a yahoo account and they wanted headers.
Re:How is this useful for law-abiding citizens? (Score:2, Interesting)
So the only thing keeping poor Billy from stealing data is that he hasn't thought about it and a timely article on /. is going to push him over the edge?
Probably not.
I have to know (Score:3, Interesting)
The title and summary suggest that phishers are somehow less. Lazy? What, are drug dealers not lazy? Pimps more business savvy?
That is just bothering me. Anyone else think that is just wrong? Lazy? WTF exactly would a non-lazy phisher do? Setup a data center in the Caymans? Seriously!
Re:One time... (Score:3, Interesting)
Re:How to prevent phising attacks. (Score:2, Interesting)
Engage brain before clicking.
I think you proved subtly that we have a Darwinian mechanism at work through phishers and crackers.
Phishers ain't more techsavvy than the average Joe (Score:4, Interesting)
With the advent of MPack and other tools from the RBN, it doesn't take a "hacker" anymore to phish. You buy a toolkit, you buy the exploit, you buy a trojan and the scripts for your server, and off you go. The reason why it's successful is simply that there are people who know less than the attacker about security.
Detach yourself from the idea that phishers are in any way required to be security gurus, or that they're in some way intimate with the inner workings of PCs or networks. Those that know how to code don't attack anymore. They sell their attacking toolkits to others who then conduct the attacks.
Re:Phishers Are Lazy Because People Are So Dumb (Score:3, Interesting)
AC? (Score:2, Interesting)
How long until some jokester does a phishing attack that submits the info to random slashdot threads?
Re:How is this useful for law-abiding citizens? (Score:3, Interesting)
I wish the article had good suggestions for how to prevent phishing attacks.
But it does. Given that the miscreants are apparently posting information into public forums, simply enter your credit card number into a google search from time to time and see if it turns up. (Note for those without a sense of humor: don't do that.)
Seriously, what did you expect from a two paragraph writeup (one of which isn't actually about phishing but sale of CCs) of a talk at a conference that says with a wink and a nudge that they cater to the bad guys? There's not actually enough information in the blog (not that there's supposed to be) to warrant getting on slashdot. There's a bunch of resources [google.com] available discussing the subject if you really need information on the subject.
Re:How is this useful for law-abiding citizens? (Score:3, Interesting)
Remember illegal access to a computer is illegal, but anyone running a database full of stolen credit card numbers is probably not going to call the cops on you, especially since to prove you access the system they'd have to keep it pretty much intact.
Comment removed (Score:3, Interesting)