Nitesh and I basically infiltrated a few phishing forums, tracking a phisher from compromised webservers, to phishing forums, to carderz sites. We managed to get a hold of about 100 different phishing kits, various tools used by phishers, and gained some insight as to how phishers do their business. I was STAGGERED by the amount of PII (full names, DOBs, credit card numbers, SSNs, addresses, phone numbers…) that is placed on public web servers by phishers, hidden only by obscurity. Once this obscurity is broken, even a simple query in a search engine will reveal a significant amount of stolen identity related information including names, credit card numbers, SSN, DOBs…
I was also FLOORED by the number of phishing and credit card fraud related forums.
Nitesh and I basically stopped our research because the number of sites and the staggering amount of exposed PII was simply too much. There literally is an entire ecosystem devoted to supporting the phishing effort that plagues modern day financial institutions, one that simply cannot be viewed by two Security Researchers alone. If you’re in the DC area, stop by for Black Hat and we’ll show you some of the things we saw. We give a brief description of some of the things we saw during an interview for Help Net Security. For those of you who are curious, due to the ENORMOUS amount of PII we came across, we’ve contacted the FBI and we’ll be sharing some things with them that WILL NOT be in the talk or any interviews!
I too have also stumbled across a sharers forum once.. and, like you, was staggered at how many people's details were just pasted up on this public forum :(
ReplyDeleteI am just a "jo user" so the most exciting thing I could think of doing was alerting F-Secure (who seem to be interested in these things) to the sites existence (to which Mikko commented "Thanks, indeed an interesting forum...especially as it doesn't seem to be Russian like most of these.") as the UK police wouldn't give a plop or do anything about it (imo).
I have not returned to check if it is still up (again, like you, I was worried about my own exposure to these peoples details leaving me open to legal action) but if you would like to chase it up .. or pass it onto someone who "does care" please email me.
Tom
The interview was absolutely fantastic :)
ReplyDeleteSomewhere at the end your colleague states that:
"Commercial financial institutions such as credit card companies and banks realize that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the cost."
Is there any working, secure model for such a system that the banks should use? I can only think of something based on proof of knowledge protocols, but I'd love to hear some of your takes, as well.
Thanks,
Diver
Completely unrelated to this post, but in regards to the previous post which you've taken down now; the "Top 10 Web Hacks of 2008" was an exercise in uninformed ass kissing and nothing more.
ReplyDeleteIt's quite interesting that the phishing underground world has changed so much. At first it took a skilled person and a lot of luck to pull off a phish, now there are kits that let anyone pull off one. They don't even need to know what the code does, and from the fact that they're getting phished themselves, probably many of them don't know what the code does at all. In retrospect it seems obvious that kits would be made that let anyone do this, but it was kind of unexpected to hear at first.
ReplyDelete....you guys are crazy....
ReplyDeleteI'm continually impressed by your ingenuity and skills....
I've done the same procedure, tracked down Nigeria phishers, they were pasting even credit cards amounts when there was a fair amount into them, i've seen more than 250k in accounts. They are using rfi scanbots installed in hacked servers and mass mailer scripts.
ReplyDeleteI stopped too way too many information to keep on and they seem to be doing their "job" all day long.
[...] spam I receive, a significant number of messages represent phishing attacks. Most of these lures aren’t very clever or convincing, but phishing has become a simple numbers game—hosting phishing sites is cheap, [...]
ReplyDeleteHere's an interesting idea. If it's that easy to get a hold of PII on these forums, it seems like the logical next step would be for the authorities to start contacting these people. The could let them know that their identities are at risk, and they should cancel or reissue their credit cards, and additionally, send them some information on how to avoid phishing scams in the future. These would severely limit the value of the information by time it was used by someone. Or, is it too late by time their info is on the forum?
ReplyDeleteHello Billy Rios:
ReplyDeleteWould it be accurate to assert that the current volume of Phishing would not be as high without the current 'business model' of open forums providing quality malware to the 'foot soldiers' who do the day to day work of harvesting and utilizing data?
[...] links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani, Bad Sushi talk. In their presentation they described sending phishers a word document stating their account [...]
ReplyDelete[...] Personally Identifiable Information (PII). Some researchers, such as Rios and Dhanjani, have done research into this [...]
ReplyDelete[...] Personally Identifiable Information (PII). Some researchers, such as Rios and Dhanjani, have done research into this [...]
ReplyDelete[...] links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani, Bad Sushi talk. In their presentation they described sending phishers a word document stating their account [...]
ReplyDelete