Free kits for launching phishing attacks

PandaLabs has discovered several free phishing kits on the Internet which allow cyber-crooks to send out fraudulent emails. These tools allow cyber-crooks to spoof bank pages and emails, online pay platforms, Gmail and Yahoo!Mail mail accounts, online games (Xbox password theft) and blogs (Fotolog access credentials).

“The really amazing thing is, these kits are free,” explains Luis Corrons, Technical Director of PandaLabs. “Due to the simplicity of the tools, the number of phishing attacks increases, causing companies and consumers large losses. According to a study conducted by Gartner, phishing attacks caused U.S. consumers losses for US$3.2 billion in 2007*”.

These kits operate as follows: upon accessing a URL that contains the kits, users obtain the files to create a fraudulent mail; one file allows them to spoof mails of banks, pay platforms etc., and the other allows them to create a fraudulent page that resembles the original. Additionally, the kit includes a PHP program, which is also free, to send emails from the spoofed page.

The rest of the process is similar to other phishing cases: the false email is sent to several mail addresses, with a link to a malicious page in which users are requested to enter the data cyber-crooks are after; email addresses, bank passwords, etc.

“To obtain email addresses to spam, cyber-crooks buy lists of addresses on the Internet, although some are free,” claims Luis Corrons, who adds: “if we add free hosting services, the result is, cyber-crooks launching phishing attacks for no cost whatsoever”.

Cyber-crooks can also choose the way in which to receive the stolen data; TXT files stored on a server, a message in their mailbox, etc.