Interview with Nitesh Dhanjani and Billy Rios, Spies in the Phishing Underground
by Mirko Zorz - Monday, 28 January 2008.
Rios: The number of backdoors we saw was staggering. The servers serving the phishing sites had backdoors, the code used in the phishing kits had backdoors, the tools used by phishers had backdoors. Phishers aren't afraid to steal from regular people and they are also not afraid to steal from other phishers. Some of the backdoors were meant to keep control over a compromised server, while others simply stole information that had been stolen by other phishers! We came across several forums where phishers, scammers, and carders basically identified other phishers, scammers, and carders that had scammed them. These shady characters may work with each other but they sure don't trust each other, that's for sure.

There are many anti-phishing plugins available for browsers. Are they really all the protection we need?

Dhanjani: The anti-phishing plugins are extremely useful and I sincerely appreciate their efforts. However, it is extremely important to realize that the anti-phishing plugins are a band-aid to underlying problems that must be addressed if we want to come close to solving the phishing problem. We need to do a better job with respect to user awareness, but we must be careful not to expect too much from the average user. We cannot expect the average user to be able to analyze a URL to ensure it is legitimate. Instead we need to come up with browser UI standards that allow the users to clearly and easily distinguish high assurance domains and websites. Most importantly, we need to realize the actual problem at hand: the reliance on static identifiers to establish and maintain identities and execute financial transactions. I will expand on this in the following question.

I'd also like to add that phishers are likely to abuse the blacklists published for these plugins for their own benefit. The blacklists are a list of known phishing sites that the plugins consume in order to identify what websites are fraudulent. These blacklists therefore contain IP addresses and host names of servers hosting phishing sites. Since phishing sites are commonly installed on servers that have been compromised, and phishers don't bother to patch systems they have installed their kits on, this list translates to a 'list of easily compromisable hosts' for other phishers. This situation can lead to multiple phishers obtaining access to the same host after the first one has broken in. However, I think the benefits of anti-phishing plugins outweigh this negative side-effect.

What is, currently, the magnitude of the phishing threat? What can we expect during this year?

Dhanjani: I think the phishing problem is going to continue to grow, and continue to cost us billions of dollars this year and even more so every year moving forward. We can expect the phishers to continue to use similar techniques for a while to come. But what do we do to solve this problem? Well, we can apply as many temporary band-aid solutions as we want, such as host intrusion prevention systems, browser plugins, and we can perform penetration tests on our servers and applications all we want, but these solutions alone are not enough to even come close to solving the actual problem. We are not going to win the arms race with the phishers unless we admit to the underlying problem at hand: the reliance on static identifiers to establish identities and execute financial transactions. Let me expand on this a bit. We take care not to blurt out our SSN to anyone on the street, yet it is likely to be stored on hundreds of corporate databases as we progress in our lives. We take care not to expose our credit card numbers, but we must hand them over to people we don't know at retail stores if we want to use them. We aren't going to solve the problem of online PII (Personally Identifiable Information) and identity theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought.

