Let's say your identity gets stolen, what happens next? How exactly does a phisher benefit from gaining access to your sensitive information? What can he do?
Dhanjani: As soon as your identity is stolen, it becomes currency for the phishers. Phishers often trade identities with each other, and sell them. Some of the more "charitable" phishers publish the identities on message boards to share with the community. Once a malicious entity has obtained your identity, he or she can open credit lines in your name, in addition to obtaining loans and executing financial transactions on your behalf. It doesn't stop there, a stolen identity can also be abused to obtain legal identity cards with your name on it, thereby cloning your identity. This is often used by people who want to avoid arrest (the irony!), or establish a brand new identity to live on. Unfortunately, it takes a lot of legal effort on part of the victims to repair the damages caused to their lives due to identity theft.
Rios: In my opinion, this was the most interesting portion of our research. Many see phishing as merely forged websites with familiar logos. In reality, there is an entire ecosystem supporting phishers and their scams. Hackers compromise servers and turn-key backdoors are placed on these compromised servers. Before phishing site can be deployed, phishers buy or trade access to compromised systems. Once the phisher gains access to a compromised machine, they deploy their readymade kits. A single server is typically used to serve many different scams/phishing sites simultaneously. Once an unsuspecting user is lured to a phishing site and enters their information into the forged site, it kicks off a series of events that ultimately lead to very bad things for the victim. Typically, the information entered into phishing site is emailed to an anonymous email account (weíve seen other methods, but this is the most popular). From here, the phisher visits several places, advertising that they have identity information for sale. These identities are purchased by other individuals who then visit sites dedicated to creating fake credit cards and ID theft. The stolen information changes hands several times to all sorts of different characters and then the vicious cycle repeats itself.
You research shows that even phishing sites have backdoors which means that phishers are trying to phish other phishers. Give us some details.
Dhanjani: Indeed. This goes back to the previous point I made about phishers being less sophisticated than people think. We came across backdoors in phishing kits that were simple code obfuscations that caused the script to send the victim's information to the kit's author (backdoor) in addition to the phisher installing the kit. We found deployed versions of the kits that clearly indicated confusion on part of the phisher who deployed the site: some phishers commented out portions of the code, while some seemed to edit the script around where the backdoor code was present indicating suspicion. Many phishers never realized the backdoor code was present.