Web Fraud 2.0 — Point-and-Click Cracking Tools 92

Posted by kdawson
from the getting-too-easy dept.
An anonymous reader writes "The Washington Post's Security Fix blog is running a fascinating series that peers inside some of the Web-based services cyber crooks are using to ply their trade: from masking their identity, to defeating CAPTCHAs, to creating counterfeit documents and validating stolen credit and debit cards. Everyone familiar with this space hears about these kinds of tools and services all the time in the abstract, but the Post blog includes screen shots and background details on the popularity of the services and how each one is helping to bring cyber crime that much closer to the realm of even the most newbie scam artists." Many of these tools require a working knowledge of Russian. Wouldn't surprise me to learn that Chinese-language tools exist too.
This discussion has been archived. No new comments can be posted.

  • by introspekt.i (1233118) on Tuesday August 26, 2008 @02:10PM (#24754059)

    Many of these tools require a working knowledge of Russian. Wouldn't surprise me to learn that Chinese-language tools exist too.

    Damn. And here I was looking for fraud tools in Klingon. No wonder I can't ever find anything.

  • by ghoti (60903)

    Many of these tools require a working knowledge of Russian. Wouldn't surprise me to learn that Chinese-language tools exist too.

    Way to throw around those stereotypes! I bet they all run on Windows, too! Windows - the first choice for crooks and scammers!

    • by Jack9 (11421) on Tuesday August 26, 2008 @02:17PM (#24754165)

      Except it isn't a stereotype...it's a statistical certainty. Wouldn't surprise me to learn that English-language tools exist too?
      See how stereotype doesn't apply? Probably not.

      • by Anonymous Coward on Tuesday August 26, 2008 @02:35PM (#24754415)

        The stereotype doesn't imply that the statement is wrong, but why was that statement made about Chinese and not English tools? According to the Spam origin data, English tools are a lot more likely than Chinese tools, so while in itself not wrong the decision to focus on one correct statement while omitting another correct statement speaks of bias and creates an incorrect impression to the casual reader (and if you know the data then you don't need news articles in the first place).

      • English pointy clicky tools like this certainly do exist and certainly pre-date any Russian or Chinese tools; when was SATAN first developed? Remember SATAN? Security Analysis Tool for Analyzing Networks was I think the name.... I don't remember the year but it was long before the current wave of Russian script kiddie gangsters....

        • Re: (Score:2, Funny)

          by Anonymous Coward

          Offtopic, but I'm glad to learn that there's at least one other person out there who shares my view that santa == satan.

          • by commodoresloat (172735) * on Tuesday August 26, 2008 @05:15PM (#24756589)

            heheh... I don't recall the backstory behind this, but SATAN actually distributed for a while with a utility called "SANTA" that would change the name of the tool (and all references in the docs and so forth) from "Security Analysis Tool for Analyzing Networks" to something like "Security Analysis Network Tool for Administration" in order to get rid of the potentially disturbing acronym.

        • by T3Tech (1306739)

          I recall seeing it in the mid 90's... ah, according to wikipedia it was released in 95, and on freshmeat it showed up in 2000, last update being in 2006. I also remember SAINT, which came out in 98, but I'm more familiar with Nessus which also first came out in 98.

        • by julesh (229690)

          English pointy clicky tools like this certainly do exist and certainly pre-date any Russian or Chinese tools; when was SATAN first developed?

          Except, well, no.

          The two aren't really comparable. SATAN is a tool designed to fulfil a perfectly legitimate purpose, which happens to also be able to do some things that aren't exactly legal.

          These tools are (mostly, at least) things that have no legitimate purpose. What's the legitimate purpose behind a service to provide forged ID? A marketplace for stolen credit

      • It is a classic example of a stereotype, and I can't believe that a comment saying that it isn't so is modded as insightful. It is a stereotype that many cybercrimes are committed by Russians and Chinese and kdawkins is obviously affected by it. It is incidental in this case that the stereotype is not even true, as just as much, and probably much more online nastiness is coming from USA.

        What if he said "many burglaries are committed by blacks, I bet many are also committed by latinos" while not mentioning
      • by BPPG (1181851)

        Many years ago, English was once thought to be the universal hacking language. Of course, not just focused around malicious hacking...

    • Re: (Score:3, Informative)

      by Anonymous Coward

      http://www.spamhaus.org/statistics/countries.lasso

      1 United States 1571
      2 China 428
      3 Russian Federation 305
      4 South Korea 197
      5 Germany 180
      6 United Kingdom 180
      7 France 177
      8 India 153
      9 Japan 147
      10 Brazil 147

      In other words, the US beats the next 7 countries combined, Germany, France and the UK together beat China and every two of them beat Russia.

      We'd be a lot better at fighting the bad guys if we wouldn't assume that "we" are the good guys.

      • Re:Holy Stereotypes! (Score:4, Informative)

        by Anonymous Coward on Tuesday August 26, 2008 @02:31PM (#24754353)

        http://www.spamhaus.org/statistics/spammers.lasso

          1 HerbalKing India
          2 Vincent Chan / yoric.net Hong Kong
          3 Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov Ukraine
          4 Nikhil Kumar Pragji / Dark-Mailer Australia Queensland
          5 Ruslan Ibragimov / send-safe.com Russian Federation
          6 Leo Kuvayev / BadCow Russian Federation
          7 Pavka / Artofit Russian Federation
          8 Russian Business Network Russian Federation
          9 Yambo Financials Ukraine
          10 Alexey Panov - ckync.com Russia

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Register of *known* Spammers. I'd expect the much better/less bribe-able police services in the US would encourage Spammers there to stay much deeper underground...

      • Re: (Score:3, Interesting)

        by palegray.net (1195047)
        This data looks good until you consider the fact that a major profit center for certain Chinese nationals is the practice of compromising huge numbers of servers hosted outside China, for the purpose of sending SPAM that won't be stopped by GeoIP restrictions.

        Who's making assumptions now?
      • Re: (Score:3, Informative)

        by ahabswhale (1189519)

        Utterly meaningless statistic. Foreign spammers know that their spam must originate from the U.S. or it has an almost 0% chance of reaching American mailboxes. Consequently, they search constantly for server and user machines in the U.S. they can easily compromise.

      • Re: (Score:3, Insightful)

        by Colonel Korn (1258968)

        The botnets that send those spam messages from the United States are controlled by Russia(ns). Remember the news a few weeks ago when Russia invaded Georgia and 80% of the world's spam stopped while the botnets switched to attacking the Georgian government's web page?

      • One of the golden rules of cracking/stealing online, is to avoid cracking machines, or ripping people off in your own country.

        Assuming that the authorities are making at least a token effort and regularly take the 'low hanging fruit' off the streets, I imagine it would skew the remaining pool of scum and villainy towards people who actually know what they're doing and have some idea of how to avoid getting caught.

        Russia and China also have a major attitude problem viz the West in general, and the US in par

  • by ColdWetDog (752185) * on Tuesday August 26, 2008 @02:11PM (#24754073) Homepage
    Finally, a use for all the Russian courses I took in high school and college.
  • It won't help with intangible goods and isn't practical with gift items, but stores that ship tangible goods can require that the shipping address be the same as the billing address and verify the billing address against information held by the credit card company.

    Even verifying only the postal code will make it hard for me to order a computer using your credit card if I'm not prepared to visit your locale to take delivery.

    Another technique is to allow exceptions but only if a person picks up the item at th

    • Re: (Score:3, Informative)

      by snowraver1 (1052510)
      To me, this is a problem for the Credit Card companies to fix. I think that some companies offer this already, but there should be a service that is included in the credit card that you can go to your bank's website and request a one-time credit card number. It can only be used once, and only for the amount that you specify.
      • Re: (Score:2, Informative)

        by palegray.net (1195047)
        No matter who you bank with, you can make one-time payments using the PayPal Plugin [paypal.com], even to merchants who only accept traditional bank cards.
        • Interesting. I'll try that with my next purchase. Thanks!
        • Re: (Score:2, Informative)

          by Carlosos (1342945)
          I heard on the show "Security Now" that those one-time payments are NOT one-time payments. It only means that a virtual credit card is created that will expire next month which could leave 60 days of abuse. You have to remember to close the virtual credit card manually after every use. I know Citi Bank has a similar service that I use but they also allow to set a limit for the virtual credit card so that not more can be charged.
    • by julesh (229690)

      stores that ship tangible goods can require that the shipping address be the same as the billing address and verify the billing address against information held by the credit card company.

      There is a problem with this approach, which is that it alienates certain customers. For instance, I'm a director of a company and hold a credit card in the name of that company. The billing address on the account is our accountant's office. I don't want everything I order to go via our accountant, so any company that r

  • stereotype day (Score:5, Insightful)

    by jacquesm (154384) <j@NOsPAm.ww.com> on Tuesday August 26, 2008 @02:27PM (#24754299) Homepage

    Is today global stereotype day and did I miss the memo ?

    Hitting on the Russians seems to be in real fashion these days, you'd almost think there was a political motive behind it. Is France out of fashion or so ?

    Really, the reason these tools exist is because there are several requirements before you can deploy these tools, which are:

    - access to international banking
    - a large base of hackers, preferably unemployed
    (I use 'hacker' in its original form)
    - organized crime

    The USA, China, Germany and Russia all have these in abundance so that's where you will find your toolkits.

    • Re: (Score:3, Insightful)

      by camperdave (969942)
      Hitting on the Russians seems to be in real fashion these days, you'd almost think there was a political motive behind it. Is France out of fashion or so ?

      You should move to Canada, where it's always in fashion to hit on Americans.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        it's always in fashion to hit on Americans

        No, it's always in fashion to hit on America, not Americans. As it is everywhere, seemingly. Like Lance Armstrong used to say, I love the French, it's France I hate. Never met a Canadian that wasn't gracious and courteous (well, except waiters in Quebec) and the same follows for Russians/Iraqis/Mexicans/Japanese/etc. People generally vilify Big Faceless Stereotypes and not other people.

      • Re: (Score:1, Funny)

        by Anonymous Coward

        As a Canadian I resent that. Americans are too fat and lazy to hit on.

      • by Ma8thew (861741)
        You could replace America in that sentence with everywhere else in the world. Not a troll, sadly entirely true.
      • Re:stereotype day (Score:4, Insightful)

        by jacquesm (154384) <j@NOsPAm.ww.com> on Tuesday August 26, 2008 @05:17PM (#24756607) Homepage

        Been there, done that, and again, that's just another stereotype. Canadians do not routinely bash Americans more than the Americans probably deserve on account of abusing tariffs and NAFTA.

      • by CyberPack (577178)
        I would have no trouble hitting on an American, provided she was attractive and available :).
    • by LoRdTAW (99712)

      "Hitting on the Russians seems to be in real fashion these days, you'd almost think there was a political motive behind it."

      Nah. We just miss the good ol days of the cold war.

    • Re:stereotype day (Score:5, Interesting)

      by Zontar_Thing_From_Ve (949321) on Tuesday August 26, 2008 @03:41PM (#24755307)
      You forget the main reason the tools and the crime exist in Russia:
      - a weak, corrupt legal system.

      Russians (and quite a few people in the other states of the ex-USSR) have a weird sense of entitlement that causes them to believe that it's perfectly acceptable to steal from the rich. They suffered under communism for so long that it's quite all right to get some payback by stealing from the West now.

      Since Russian law really doesn't care about crimes that are committed outside of Russia against non-Russians and anyway you can just bribe a judge to get whatever ruling you want, there really is no stopping these people. Well, I can think of ways to stop them, but let's just say that I don't think the USA or the EU has the stomach for what it would take. The weak legal system argument probably applies to China too.
    • by corbettw (214229)

      Hitting on the Russians seems to be in real fashion these days

      I didn't think anybody actually hit on Russians, I thought they just met them online through a broker and married them.

    • To expand on your post, lots of cheap under/unemployed people also make automated tools redundant or not required. Also makes countermeasures (necessarily automated) less efficient & effective. Don't bother trying to crack the latest Craigslist captcha, just get a load of poor (in both senses of the word) people to do it. It's a service that's even 'advertised'...

  • by Enlarged to Show Tex (911413) on Tuesday August 26, 2008 @02:28PM (#24754323)
    All this really means is that script kiddies can now do identity theft as easily as they can perform DDoS attacks...
  • by Animats (122034) on Tuesday August 26, 2008 @02:31PM (#24754359) Homepage

    If you want made-in-USA tools for this, try searching Google for "craigslist auto posting tool" [google.com]. Google offers seven paid ads for spamming tools and crackers. ("The worlds Best Selling Craigslist software. Works with new CAPTCHA!") Three of them (including one that advertises "Only Automated Solution for the new captcha. Nobody else is automated.") are available through Google Checkout.

    This has been going on for months, despite press coverage. I'm beginning to wonder if Google is deliberately promoting tools to kill Craigslist.

    • Re: (Score:3, Interesting)

      by garcia (6573)

      I'm beginning to wonder if Google is deliberately promoting tools to kill Craigslist.

      They're deliberately promoting advertisements that make them money. If you notice, if you search for something like AdSense and you'll find links to such treasures as Google Massacre [googlescalper.com]. Whatever pays the bills I guess.

    • by Jherek Carnelian (831679) on Tuesday August 26, 2008 @03:19PM (#24755029)

      This has been going on for months, despite press coverage. I'm beginning to wonder if Google is deliberately promoting tools to kill Craigslist.

      If I were Craigslist, I would rather see those tools easily available instead of pushed underground. Because it makes it easier to identify them and thus to create countermeasures.

      For example, instead of just shutting down the exploits and their distribution, I would study the tools and see if they have a recognizable 'fingerprint' when used. Then I would make the craigslist software look for such 'fingerprints' and treat the postings differently - for example instead of just blocking the post, I would set the threshold for other users' tagging it as spam to be very low, or even set a timer to delete the post after an hour or two.

      The end result being that the most common and easily available tools would be compromised in non-obvious ways, reducing the rate of escalation in the "arms race" of cracker/anti-cracker tools and simultaneously making abuse less effective for most (ab)users.

      • Re: (Score:3, Interesting)

        by smooth wombat (796938)

        I would study the tools and see if they have a recognizable 'fingerprint' when used.

        Forget the tools, it's much easier to identify the fake ads because they use the same phrases over and over. To wit:

        • a body that will make you melt
        • I haven't had much luck on Craigslist

        to name just two I can remember. All CL has to do is to scan their postings every hour, identify ads which use these phrases and delete them. Sure, the postings still get put up but they get taken down just as easily.
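The two comments above (Jherek Carnelian's quiet handling of fingerprinted posts and smooth wombat's phrase scan) combine naturally; the following is an added example, not code from the thread or from Craigslist. The function names, the flag thresholds and the sample posts are assumptions made for illustration.

```python
import re
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# The two phrases quoted in the comment above; a real list would be curated.
KNOWN_PHRASES = [
    "a body that will make you melt",
    "I haven't had much luck on Craigslist",
]
DEFAULT_FLAG_THRESHOLD = 10            # assumed: user flags that pull a normal post
SUSPECT_FLAG_THRESHOLD = 2             # assumed: "very low" bar for matched posts
SUSPECT_LIFETIME = timedelta(hours=2)  # "an hour or two" before silent deletion


def normalize(text: str) -> str:
    """Fold case, width variants, curly apostrophes, punctuation and spacing."""
    text = unicodedata.normalize("NFKC", text).lower().replace("\u2019", "'")
    return " ".join(re.sub(r"[^a-z0-9']+", " ", text).split())


NORMALIZED_PHRASES = [normalize(p) for p in KNOWN_PHRASES]


@dataclass
class Policy:
    flag_threshold: int
    expires_at: Optional[datetime]
    matched: List[str]


def triage(body: str, posted_at: datetime) -> Policy:
    """Accept every post, but handle posts carrying a known phrase more strictly."""
    padded = f" {normalize(body)} "  # padding forces whole-word phrase matches
    hits = [p for p in NORMALIZED_PHRASES if f" {p} " in padded]
    if hits:
        return Policy(SUSPECT_FLAG_THRESHOLD, posted_at + SUSPECT_LIFETIME, hits)
    return Policy(DEFAULT_FLAG_THRESHOLD, None, [])


def should_remove(policy: Policy, flags: int, now: datetime) -> bool:
    """Sweep decision: enough user flags, or the suspect timer has run out."""
    if flags >= policy.flag_threshold:
        return True
    return policy.expires_at is not None and now >= policy.expires_at


if __name__ == "__main__":
    posted = datetime(2008, 8, 26, 14, 0)
    samples = [  # constructed sample posts, not real listings
        "Hi there. I HAVEN\u2019T had much luck -- on Craigslist!!",
        "For sale: used road bike, good condition, pick up only.",
    ]
    for body in samples:
        policy = triage(body, posted)
        print(policy.flag_threshold, policy.expires_at, policy.matched)
```

Because a matched post is still accepted, the poster gets no immediate signal about which phrase tripped the filter.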

  • What method do the 'cyber crooks' utilize in gathering the stolen credit cards in the first place ?

    "I managed to acquire an account on this exclusive service, and found some 78,628 [slashdot.org] individual MasterCard and Visa credit and debit accounts for sale at various prices there"
  • We could sign up for the anti-captcha.com service, and constantly send them faked CAPTCHA that are impossible to solve. (make maybe 100 of them and rotate) Thus waste their resources without getting charged for it. According to their feature page, they can only take on 1,000,000 CAPTCHA a day. I am sure the order can easily be filled.
  • just like hammers can be used for doing construction projects or they can be used to bash people's heads in, the same can be said with these controversial tools.

    As long as packets can traverse from one point to another, it will be impossible to prevent automation tools from being used to automate various interfaces to access public online systems. If web sites think they can get rid of people by putting various challenges in their way, i.e. captcha, they are wrong. Given enough resources, people will get a

  • Get rid of the "monetary" system. As long as we have money people will always conjure up creative ways to steal it. Our global society needs to move forward to the "star trek" world where money doesn't exist. I know, I'm asking for the impossible.

    • by julesh (229690)

      Get rid of the "monetary" system. As long as we have money people will always conjure up creative ways to steal it. Our global society needs to move forward to the "star trek" world where money doesn't exist. I know, I'm asking for the impossible.

      Not impossible. Just not likely to happen in the near future. I consider a moneyless society plausible in the future, if you have the following situation:

      * nearly-free energy (e.g. large-scale fusion reactors)
      * no shortage of resources for any substance that is i
