[SecurityRatty] tag: phisher

DIY Phishing Pages With Command and Control Interfaces

Thu, 06 Nov 2008 03:31:43 +0000

The day when DIY phishing pages start coming with manuals is the day when consciously or subconsciously a phisher is lowering down the entry barriers into phishing for yet another time. A much more user-friendly compared to the old-fashioned -- yet effective -- rock phish directory listing, a recently released command and control interface for Rapidshare phishing campaigns aims to empower its users with easy dynamic link generation for their campaigns.

What they've managed to achieve is another trust factor since Rapidshare generates a second dynamic link upon clicking on the original one. The script not only generates a dynamically looking link, but also, actually logs in the victim into their account in order to avoid suspicion whereas it still logs all the accounting data.

Scammers also tend to be ironic every then and now. For instance, in this particular case, one of the users finds it ironic that the Rapidshare phishing page is hosted at Rapidshare itself. Is the script actually working? It appears so at least going through a misconfigured accounting data dump left by one of the phishers.

Related posts:
Phishing Pages for Every Bank are a Commodity
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
DIY Phishing Kits Introducing New Features
209 Host Locked
209.1 Host Locked
66.1 Host Locked

Call out a phisher, get attacked by malware

Tue, 26 Aug 2008 09:00:00 +0000

If you're the target of a phishing attack, one thing you probably shouldn't do is backtalk, said Joe Stewart, director of malware research at SecureWorks. Otherwise, you may be the target of a follow-up attack.

Call out a phisher, get attacked by malware

Mon, 25 Aug 2008 20:00:00 +0000

Users tired of phishing attacks who retaliate by talking back are being targeted with exploits designed to hijack their computers, a security researcher said Tuesday.

Phish Page Steals Your Details, Then Logs You In

Fri, 22 Aug 2008 10:15:31 +0000

One of the few things that - perhaps - alerts users that they've been phished is when (after entering perfectly valid login details) they see something like this:

...or like this:

Generally, when net-savvy users get phished, they're alert enough to know that messages such as the ones above are a clue that they might have stumbled onto a Phishing page (assuming they're 100% sure they entered their details correctly, of course). This "break" in the login cycle has always been a weakness of a phish page, and the typical flow of events is as follows:

1. Visit Phish page
2. Enter details
3. User is told "your login cannot be processed at this time", and your information is stolen

What if the process could go like this:

1. Visit Phish page
2. Enter details
3. Phish page steals your information, but logs you into the target site

You'd miss that vital clue - the failed login - and assume everything was okay.

Well, a Phish for the popular Habbo Hotel caught my eye today because it does just that - seamlessly logging you into Habbo Hotel once your details have been stolen. Here is the Phish page in question:

Click to Enlarge

Here I am, entering my login details into the page:

At this point, a regular Phish page risks giving the game away because of the familiar variations on "Your login could not be processed" that appear at this point in the procedure.

However, the Phish page takes you to a page hosting an encoded base64 script:

From there, the user is deposited onto the Habbo Hotel website, fully logged in - no "Your login could not be processed" messages here!

Click to Enlarge

Meanwhile, my login has been stolen (it's the one in red) and placed in the ever growing pile collected by the Phisher:

Click to Enlarge

From the point where I decided to login to Habbo Hotel, to the point where I'm actually logged into the site there is no break in the usual procedure and I have absolutely no indication I've just been phished. If this kind of devious tactic is employed for banking phishes, it'll make it all the more crucial that end-users start to think about running Anti-Phishing programs and browsers that have built-in Phish Detectors because the stakes seem to have raised once again.

AOL phisher gets seven-year sentence

Wed, 13 Aug 2008 20:00:00 +0000

A West Haven, Conn., man has been sentenced to seven years in prison for masterminding a phishing scheme that targeted AOL users over a four-year period.

AOL phisher gets seven year sentence

Wed, 13 Aug 2008 09:00:00 +0000

A West Haven, Connecticut, man has been sentenced to seven years in prison for masterminding a phishing scheme ...

DIY Phishing Kits Introducing New Features

Thu, 15 May 2008 10:11:43 +0000

Factual evidence on the emergence of individual phishing kits is starting to appear, with two more available in the wild. So what? For the time being, the lack of communication between the authors of these, or perhaps even the need to is slowing down the adoption of core features that would standardize and create a dynamic all in one phishing campaign C&C.

In the long term, however, features and customizations already adopted by ethical phishing initiatives, would become the default set of features for public, and not the proprietary kits that theoretically should act as the benchmark. As in a previous discussion on the dynamics of the malware industry and the proprietary tools within, lowering the entry barriers into phishing by releasing this applications for free, greatly benefits the more experienced phishers, as the novice market entrants would be the ones making the headlines :

"The DIY phishing kits trend started emerging around August, 2007, with the distribution of a simple kit (screenshots included), whose objective was to make it easy for a phisher already possessing the phishing page, to enter a URL where all the data would be forwarded to. Several months later, the kit went 2.0 (screenshots included) and introduced new preview, and image grabber features in order to make it easier for the phisher to obtain the images to be used in the attack. In early 2008, two more phishing kits made it in the wild, with the first once having direct FTP upload capabilities as well DIY Phishing Kit as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension."

Read the entire post - DIY phishing kits introducing new features.

Skype Phishing Pages Serving Exploits and Malware

Fri, 09 May 2008 03:00:15 +0000

"Please, don't update your account information", at least not on recently spammed phishing pages which will not only aim at obtaining your accounting data, but will also infect with you malware through exploiting MS06-014. These phishing emails are a great example of blended threats, and while we're been witnessing the ongoing consolidation between phishers, spammers and malware authors for the last two years, this particular phishing campaign looks like a lone gunman operation.

Original message : "Dear valued skype member: It has come to our attention that your skype account informations needs to be updated as part of our continuing commitment to protect your account and to reduce the instance of fraud on our website. If you could please take 5-10 minutes out of your online experience and update your personal records you will not run into any future problems with the online service. However, failure to update your records will result in account suspension. Please update your records on or before May 11, 2008. you are requested to update your account informations at the following link. To update your informations."

Phishing URL : alertskype.freehostia.com, which is then forwarding to skypealert.ns8-wistee.fr/Secure.skype.com/store/member/login.html/Login.aspx/index/Skype.Members/index.htmls/ where the malware and the exploit are hosted.

Scanners result : Result: 3/31 (9.68%)
VBS/Small.W.1; Exploit-MS06-014
File size: 13569 bytes
MD5...: 4d6a559adf0602f7fd58b884e00894dc
SHA1..: 056f75e0dd94d03daeb04ae83d1b4a1b7476c0f2
SHA256: 3f08427228489edffd57e927db571aea06716c192ec72f91ea8115c0c7f978eb

The phishing page wasn't created, but copied from Skype's original login page. The phisher even left an email within the VBS, in this case - ikbaman@gmail.com. Virtual greed or contact point optimization for fraudulent purposes, passive phishing attacks can sometimes be quite active and leave the curious clicker with a false feeling of security.

Ethical Phishing to Evaluate Phishing Awareness

Tue, 06 May 2008 13:26:25 +0000

What is the most efficient and cost-effective way of both, measuring your employees awareness of phishing threats, and building awareness of the threat simultaneously? By sending them ethical phishing emails to see which department based on which social engineering campaign is more susceptible to phishing attacks, at least that's what PhishMe.com is all about :

"Effective, memorable, and secure user awareness testing and training is now available with just a few clicks. Using PhishMe.com’s built-in templates and WYSIWYG functionality, you can emulate real phishing attacks against your employees within minutes. Focus your training efforts on the most susceptible employees by providing immediate feedback to anyone that falls victim to these exercises. Phish your employees before hackers do!"

Once watching the demo online, you'll get the feeling that it's actually a real phisher's web interface to spamming out phishing emails, so I guess the bad guys can in fact learn from the good guys standardizing approach and metrics mentality applied.

For the time being, Rock Phish represents the most efficiency centered phishing approach, with a single IP hosting numerous domains, each of those hosting over ten different phishing campaigns on average each of these with a dedicated cybersquatted subdomain. However, with the ongoing commoditization of phishing pages, the localization and segmentation of phishing campaigns, the next logical development would be the public release of a point'n' click web interface for managing real phishing campaigns.

Or perhaps a public leak, given that someone out there might have already came up with such an interface, without the sexy layout? And by the time there hasn't been a release or a leak, spamming tools would continue getting adapted for phishing purposes, and log parsers would be a phisher's best friend in respect to evaluating the success rate of a phishing campaign.

Phishing Pages for Every Bank are a Commodity

Sun, 30 Mar 2008 23:21:55 +0000

A new phishing scam is currently in the wild, emails pretending to be from Bank of ****** were detected by *****, anti spam vendors are indicating a tremendous increase in phishing emails during the last quarter - phishing headlines as usual, isn't it? Phishing is logically supposed to increase, the convergence of phishing and bankers malware is already happening, segmentation of the emails database is only starting to take place, and it's not that a perticular brand is targeted more efficiently than other - they're all getting targeted. In 2008, phishing pages for each and every bank are a commodity, anyone can download them, modify them to have the stolen data forwarded to a third-party, backdoor them to have phishers scamming the phishers, facts that are shifting the emphasis on the segmentation, malicious economies of scale concept, the spamming process of phishing emails, and of course, the arms race between the targeted brands and the phishers in terms of catching up with each other's activities.

In the very same way, malware authors apply Quality and Assurance practices to their malware releases by sandboxing, making sure they have a low detection rate by scanning them with all the anti virus scanners available, as well as ensuring they'll phone back home through bypassing the most popular firewalls, phishers tend to put a lot of efforts into coming up with the very latest fake phishing pages of each and every brand or financial institution. What you see in the attached screenshot is a detailed description of the exact type of information the phishing page is capable of collecting, and when it was last updated. And while the question to some has to do with the number of people getting tricked by phishing emails, coming across such regularly updated repositories makes me think how many people are getting tricked by outdated phishing pages.

The logical questions follows - why would a phisher simply release the very latest phishing pages for a multitude of brands to be targeted in the wild for free, next to keeping them private for his very own private phishing purposes? Take web malware exploitation kits for instance, and the moment when once they turned into a commodity, they started getting used as a bargain in many other deals. In the phishing pages case, once the "product" is offered for free, the "service" in this case the possible segmentation and spamming as a process comes with a price tag.

And while someone's currently using these freely available phishing pages, others are selling them to those unaware that they're actually a commodity and come free, and someone else is using them in a bargain deal offering them as a bonus for purchasing another underground good or service to an uninformed bargain hunter again not knowing that what's offered as bonus is actually available for free - the dynamics of the underground economy in full scale.

Related posts:
RBN's Phishing Activities
Inside a Botnet's Phishing Activities
Large Scale MySpace Phishing Attack
Update on the MySpace Phishing Campaign
MySpace Phishers Now Targeting Facebook
DIY Phishing Kits
DIY Phishing Kit Goes 2.0
PayPal and Ebay Phishing Domains
Average Online Time for Phishing Sites
The Phishing Ecosystem
Assessing a Rock Phish Campaign
Taking Down Phishing Sites - A Business Model?
Take this Malicious Site Down - Processing Order..
209 Host Locked
209.1 Host Locked
66.1 Host Locked
Confirm Your Gullibility
Phishers, Spammers and Malware Authors Clearly Consolidating
The Economics of Phishing