Sunday, January 27, 2008

Bad Sushi: Beating Phishers at their own Game

A colleague (Nitesh Dhanjani) and I were recently accepted to speak at Black Hat Federal in Washington DC.  What started as a few laughs over a phishing site eventually turned into months of serious investigation into the entire ecosystem that supports the phishing effort.

Nitesh and I infiltrated a few phishing forums, tracking a phisher from compromised webservers, to phishing forums, to carderz sites.  We managed to get hold of about 100 different phishing kits and various tools used by phishers, and gained some insight into how phishers do their business.  I was STAGGERED by the amount of PII (full names, DOBs, credit card numbers, SSNs, addresses, phone numbers…) that phishers place on public web servers, hidden only by obscurity.  Once that obscurity is broken, even a simple query in a search engine will reveal a significant amount of stolen identity related information, including names, credit card numbers, SSNs, DOBs…

I was also FLOORED by the number of phishing and credit card fraud related forums.

[image: carderz.jpg]

Nitesh and I eventually stopped our research because the number of sites and the staggering amount of exposed PII was simply too much to follow.  There is literally an entire ecosystem devoted to supporting the phishing effort that plagues modern day financial institutions, one that simply cannot be surveyed by two security researchers alone.  If you’re in the DC area, stop by Black Hat and we’ll show you some of the things we saw.  We give a brief description of some of them in an interview for Help Net Security.  For those of you who are curious: due to the ENORMOUS amount of PII we came across, we’ve contacted the FBI and we’ll be sharing some things with them that WILL NOT be in the talk or any interviews!
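
The check an incident responder wants after reading the above: once a phishing kit is found on a compromised web server, locate the flat drop file the kit has been appending victims' form fields to. This is an added example of mine, not code from the original post or from the Bad Sushi research. It scans a copy of a web root, flags card numbers by Luhn checksum and US SSNs by the SSA's issuing rules, and reports only masked values so the scan does not create yet another copy of the PII. The sample drop file contents and the file name rezult.txt are constructed for illustration; the card numbers are published test numbers and the SSN is not a real one.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# A kit's drop file is usually a flat text file in the web root to which each
# victim's submitted form is appended. Two of the fields have checkable
# structure, so the scan keys on those: card numbers (Luhn) and US SSNs.
DIGIT_RUN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,}\d(?!\d)")  # 13+ digits, spaces/dashes allowed
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


@dataclass
class Finding:
    kind: str     # "card" or "ssn"
    line: int     # 1-based line number in the scanned text
    masked: str   # only the last four digits are kept, never the full value


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def mask(digits: str) -> str:
    """Keep the last four digits only, so reports never reproduce the stolen value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def extract_cards(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    cards = []
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # Kits often write the expiry or CVV right after the card number, so a run
        # can be longer than the PAN: take the longest Luhn-valid prefix (19..13).
        for n in range(min(len(digits), 19), 12, -1):
            if luhn_ok(digits[:n]):
                cards.append(digits[:n])
                break
    return cards


def scan_text(text: str) -> list:
    """Scan text line by line; returns Finding objects carrying masked values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for card in extract_cards(line):
            findings.append(Finding("card", lineno, mask(card)))
        for m in SSN_RE.finditer(line):
            if ssn_plausible(*m.groups()):
                findings.append(Finding("ssn", lineno, mask("".join(m.groups()))))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a (copied) web root; returns {path: [Finding, ...]} for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:   # skip logs, archives, media
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    findings = scan_text(fh.read())
            except OSError:
                continue
            if findings:
                report[path] = findings
    return report


# Constructed sample of a kit drop file: published test card numbers and a made-up
# SSN, plus lines (DOB, phone, a bad card, an unissued SSN) that must NOT be flagged.
SAMPLE_DROP_FILE = """\
Full Name : Jane Q Sample
Card : 4111 1111 1111 1111 exp 01/10 cvv 123
Card : 378282246310005
SSN : 123-45-6789
DOB : 1980-01-01
Phone : 555-123-4567
Card : 4111111111111112
Ref : 000-00-0000
"""


def demo_scan() -> list:
    """Write the sample into a temp dir under a hypothetical kit file name and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        drop = os.path.join(tmp, "rezult.txt")   # hypothetical drop file name
        with open(drop, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_DROP_FILE)
        return scan_tree(tmp).get(drop, [])


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.kind:4} line {f.line}: {f.masked}")
```

Run it against a copy of the web root taken for the investigation, not the live server, and treat every file it flags as evidence to be preserved and reported rather than something to read through: the masked output is all the responder needs to know which victims' data the kit captured.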

13 comments:

  1. I too have stumbled across a sharers' forum once and, like you, was staggered at how many people's details were just pasted up on this public forum :(

    I am just a "Joe user", so the most exciting thing I could think of doing was alerting F-Secure (who seem to be interested in these things) to the site's existence (to which Mikko commented "Thanks, indeed an interesting forum...especially as it doesn't seem to be Russian like most of these."), as the UK police wouldn't give a plop or do anything about it (imo).

    I have not returned to check if it is still up (again, like you, I was worried about my own exposure to these people's details leaving me open to legal action), but if you would like to chase it up, or pass it on to someone who "does care", please email me.

    Tom

  2. The interview was absolutely fantastic :)

    Somewhere at the end your colleague states that:

    "Commercial financial institutions such as credit card companies and banks realize that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the cost."

    Is there any working, secure model for such a system that the banks should use? I can only think of something based on proof of knowledge protocols, but I'd love to hear some of your takes, as well.

    Thanks,
    Diver

  3. Completely unrelated to this post, but in regards to the previous post which you've taken down now; the "Top 10 Web Hacks of 2008" was an exercise in uninformed ass kissing and nothing more.

  4. It's quite interesting that the phishing underground world has changed so much. At first it took a skilled person and a lot of luck to pull off a phish; now there are kits that let anyone pull one off. They don't even need to know what the code does, and from the fact that they're getting phished themselves, probably many of them don't know what the code does at all. In retrospect it seems obvious that kits would be made that let anyone do this, but it was kind of unexpected to hear at first.

  5. ....you guys are crazy....

    I'm continually impressed by your ingenuity and skills....

  6. I've done the same procedure and tracked down Nigerian phishers; they were even pasting credit card amounts when there was a fair amount in them. I've seen more than 250k in accounts. They are using RFI scanbots installed on hacked servers and mass mailer scripts.
    I stopped too, way too much information to keep on, and they seem to be doing their "job" all day long.

  7. [...] spam I receive, a significant number of messages represent phishing attacks. Most of these lures aren’t very clever or convincing, but phishing has become a simple numbers game—hosting phishing sites is cheap, [...]

  8. Here's an interesting idea. If it's that easy to get hold of PII on these forums, it seems like the logical next step would be for the authorities to start contacting these people. They could let them know that their identities are at risk and that they should cancel or reissue their credit cards, and additionally send them some information on how to avoid phishing scams in the future. This would severely limit the value of the information by the time it was used by someone. Or is it too late by the time their info is on the forum?

  9. Hello Billy Rios:

    Would it be accurate to assert that the current volume of Phishing would not be as high without the current 'business model' of open forums providing quality malware to the 'foot soldiers' who do the day to day work of harvesting and utilizing data?

  10. [...] links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani, Bad Sushi talk. In their presentation they described sending phishers a word document stating their account [...]

  11. [...] Personally Identifiable Information (PII). Some researchers, such as Rios and Dhanjani, have done research into this [...]
