Rios: Phishing kits are the tip of the iceberg, they are the piece of the phishing eco system that everyone sees and knows about. The typical phishing kit consists of the HTML that makes up the forged site that the user sees and the backend logic that used to steal the victims information. Most phishing kits are probably created by a small number of individuals and typically sold on phishing forums. Although the various kits have different front ends and HTML content, the back end logic is surprisingly similar for most of the kits we've seen. These kits are used over and over again and most of the phishing sites you've seen are probably a variant of small set of phishing kits. Many think that phishing sites are all custom jobs that a particular phisher has developed and deployed. The reality is pre-made, ready-to-deploy, turnkey sites are already created for practically every major organization that you can think of. All a phisher has to do is purchase the latest kit and deploy, no technical expertise or coding skills are really required. All the phisher typically has to do is place their email address into one line of code and they have a ready to deploy phishing site.

Many have become victims of phishing and we see the attackers using new methods all the time. In your opinion, what is their skill level? Who are we dealing with?

Dhanjani: This is an important question, and I'm glad you asked it. When we think of phishers, we often guess that they are a group of highly skilled ninja hackers. They have collectively caused billions of dollars in losses, and ruined the lives of many citizens whose identities they have stolen and abused. These people have got to be pretty smart, right? Wrong. Just think about what a typical phisher is really doing: installing pre-coded websites on compromised servers - that hardly takes any skill and it shouldn't impress anyone. Then you have cases where phishers steal information from other phishers by planting backdoors in the phishing kits in the form of elementary obfuscation of scripting code. In other words, phishers are not able to pull of their attacks because they are highly skilled, but because the are abusing a few fundamental flaws such as lack of awareness, lack of standards around browser UI that clearly highlights high assurance websites, and our dependence on static identifiers such as SSN, Credit Card numbers, etc to establish identifies and commit financial transactions. I'll expand my views on the static identifier problem in my answer to the last question.


Rios: This is one of the more surprising aspects of the research we (Nitesh and I) conducted. I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused over and over and over again. It also seemed that many phishers don't even really understand how the phishing kits they've deployed work! We also came across many phishing kits and tools that had simple backdoors written into the source code (essentially, phishers phishing phishers). These backdoors are easily spotted by anyone who has even a basic idea of how the source code flow worked, yet was undetected by many phishers. Maybe a few phishers out there are skilled, but the majority are clueless.