Dhanjani: This is an important question, and I'm glad you asked it. When we think of phishers, we often guess that they are a group of highly skilled ninja hackers. They have collectively caused billions of dollars in losses, and ruined the lives of many citizens whose identities they have stolen and abused. These people have got to be pretty smart, right? Wrong. Just think about what a typical phisher is really doing: installing pre-coded websites on compromised servers - that hardly takes any skill and it shouldn't impress anyone. Then you have cases where phishers steal information from other phishers by planting backdoors in the phishing kits in the form of elementary obfuscation of scripting code. In other words, phishers are not able to pull of their attacks because they are highly skilled, but because the are abusing a few fundamental flaws such as lack of awareness, lack of standards around browser UI that clearly highlights high assurance websites, and our dependence on static identifiers such as SSN, Credit Card numbers, etc to establish identifies and commit financial transactions. I'll expand my views on the static identifier problem in my answer to the last question.
Rios: This is one of the more surprising aspects of the research we (Nitesh and I) conducted. I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused over and over and over again. It also seemed that many phishers don't even really understand how the phishing kits they've deployed work! We also came across many phishing kits and tools that had simple backdoors written into the source code (essentially, phishers phishing phishers). These backdoors are easily spotted by anyone who has even a basic idea of how the source code flow worked, yet was undetected by many phishers. Maybe a few phishers out there are skilled, but the majority are clueless.
During your research, how did you track phishers? What are their most common information trade networks?
Dhanjani: I clearly remember how we stumbled upon this information. We happened to be studying a simple server side script from a phishing kit. The script was part of a ready made site for a popular bank. All the script did was to take the information submitted by the victim an email it to the phisher at a particular email address. We noticed that the script put some static text in the subject line of the outgoing email in order to help the phisher identify the emails. We decided to Google for that particular string. The results completely stunned us. Social Security numbers, bank account numbers, dates of birth, ATM PINs, addresses, credentials to online banking accounts, all out in the open, a lot of which was collected from victims only a few hours ago. A simple Google search led us to a whole new world where phishers were trading this information in different languages around the world. This sort of exposure can ruin people's lives - yet it was right there, out in the open. It was quite unnerving.