Interview with Nitesh Dhanjani and Billy Rios, Spies in the Phishing Underground
by Mirko Zorz - Monday, 28 January 2008.
Rios: Even phishers need to communicate! Many think that phishers are lone individuals who are anti-social sitting in a dark basement in some dark corner of the world. The reality is there are entire social networks dedicated to helping phishers communicate details on new scams, phishing kits, and to buy and sell identities. Many of these conversations occur on publicly accessible forums and websites, but the difficult part is knowing where to find these forums and sites. As everyone knows, search engines are great at crawling the most obscure sites on the Internet. Once we had an opportunity to see the source code of a few kits, we could key off of some key signatures, which resulted in our favorite searching engine leading us to forums where phishing scams were being discussed and web sites where identities were being bought and sold. Once we had access to these forums, we now have another set of key signatures (phisher aliases, handlers, more phishing kits, jargon, etc) to find even more forums and sites, which basically lead us into what seems like a never ending spiral of phishing and ID theft forums and sites.

Let's say your identity gets stolen, what happens next? How exactly does a phisher benefit from gaining access to your sensitive information? What can he do?

Dhanjani: As soon as your identity is stolen, it becomes currency for the phishers. Phishers often trade identities with each other, and sell them. Some of the more "charitable" phishers publish the identities on message boards to share with the community. Once a malicious entity has obtained your identity, he or she can open credit lines in your name, in addition to obtaining loans and executing financial transactions on your behalf. It doesn't stop there, a stolen identity can also be abused to obtain legal identity cards with your name on it, thereby cloning your identity. This is often used by people who want to avoid arrest (the irony!), or establish a brand new identity to live on. Unfortunately, it takes a lot of legal effort on part of the victims to repair the damages caused to their lives due to identity theft.

Rios: In my opinion, this was the most interesting portion of our research. Many see phishing as merely forged websites with familiar logos. In reality, there is an entire ecosystem supporting phishers and their scams. Hackers compromise servers and turn-key backdoors are placed on these compromised servers. Before phishing site can be deployed, phishers buy or trade access to compromised systems. Once the phisher gains access to a compromised machine, they deploy their readymade kits. A single server is typically used to serve many different scams/phishing sites simultaneously. Once an unsuspecting user is lured to a phishing site and enters their information into the forged site, it kicks off a series of events that ultimately lead to very bad things for the victim. Typically, the information entered into phishing site is emailed to an anonymous email account (weŪve seen other methods, but this is the most popular). From here, the phisher visits several places, advertising that they have identity information for sale. These identities are purchased by other individuals who then visit sites dedicated to creating fake credit cards and ID theft. The stolen information changes hands several times to all sorts of different characters and then the vicious cycle repeats itself.

You research shows that even phishing sites have backdoors which means that phishers are trying to phish other phishers. Give us some details.

Dhanjani: Indeed. This goes back to the previous point I made about phishers being less sophisticated than people think. We came across backdoors in phishing kits that were simple code obfuscations that caused the script to send the victim's information to the kit's author (backdoor) in addition to the phisher installing the kit. We found deployed versions of the kits that clearly indicated confusion on part of the phisher who deployed the site: some phishers commented out portions of the code, while some seemed to edit the script around where the backdoor code was present indicating suspicion. Many phishers never realized the backdoor code was present.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th