Monday, August 13, 2007

DIY Phishing Kits

Rock Phish's efficiency-centered approach, hosting numerous phishing pages on a single domain, often an infected home user's host, easily turned it into the default application for DIY phishing attacks. And although we still haven't seen multi-feature phishing kits like the ones I'm certain will emerge any time now, here's an automatic URL redirector for data submitted to a phishing site that showcases the ongoing DIY phishing kits trend. Basically, once the source code of, for instance, a fake PayPal login page is pasted in, it ensures all the submitted account data is forwarded to the malicious server, where it gets logged. The main aim of this tool isn't to achieve mass-scale efficiency, as is the case with Rock Phish, but to make it easier for phishers to point-and-click create or update the fake pages to be hosted on a Rock Phish domain. The program's intro:

"Steps to creating a fake login, simple as 1,2,3. Go to your web site or the site you have permission to make a fake web login and right click then press "Source". Double click here to begin. Enter the redirection URL. The redirection URL is the site in which the user who enters their login details will be forwarded to after they fill out the form. Optional: For some web sites after you create the phisher some images will not load properly. This is due to the source directing the images to be loaded from your database instead of their database. For example you will probably find this in your source img src="/images/image.gif". To fix this you would have to direct the source to load from the site's database by editing the source to look a little like this img src="http://site.com/images/image.gif". To automatically do this double click here."

Why are DIY phishing kits turning into a commodity, and what are some of the strategies for dealing with phishing sites?

- fake pages for each and every financial institution, plus the associated images, are a commodity. They look like the real ones and sound like the real ones, but anything submitted to them gets forwarded to a third party, presumably using DIY tools like this one

- phishing should be treated as spam, namely it should never reach the end user's mailbox. But as we've already seen in the past, certain financial institutions are trying to rebuild confidence in email communication with their customers, whereas they should build more awareness of the fact that they'd never initiate such communication; otherwise they only create more confusion for the customer who's still not aware of the basic phishing techniques

- HTTP referer logs for static images loaded via email clients or web-based email could act as an early warning system and provide a list of URLs to be automatically fed into a to-be-shut-down tracking system, the kind we've already seen being commercialized by vendors

- Phishing has become such a widespread problem that the latest versions of IE and Firefox now have anti-phishing protection built in. Moreover, phishing sites are known to exploit browser vulnerabilities to hide the real .info and .biz extension of a site, so a built-in anti-phishing toolbar picks up where the browser can no longer perform.
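The referer-log early-warning idea above, as an added example that is not part of the original post: a Python script (assuming combined-format access logs, a fictitious examplebank.test domain and constructed sample lines) that pulls out requests for the bank's own images whose Referer page sits on a foreign host, yielding the candidate URLs to feed a takedown tracker.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/nginx combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def referer_host(url):
    """Lowercased hostname of a Referer URL; None when the header is absent ("-") or junk."""
    if not url or url == "-":
        return None
    host = urlparse(url).hostname  # drops scheme, userinfo, port and path
    return host.lower() if host else None

def is_legit(host, legit_domains):
    """True for one of our domains or a subdomain of one. The match is on a label
    boundary, so a lookalike such as 'examplebank.test.attacker.test' does not pass."""
    return any(host == d or host.endswith("." + d) for d in legit_domains)

def hotlinked_image_referers(log_text, legit_domains, image_prefix="/images/"):
    """Return (referring page URL, hits) for requests to our static images whose Referer
    lies outside our domains, most-hit first. Such a page embeds our images from a foreign
    host, which is what a kit-built fake page does once its img src values are made absolute."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(image_prefix):
            continue  # unparsable line, or not a static image request
        host = referer_host(m["referer"])
        if host is None or is_legit(host, legit_domains):
            continue  # no Referer, or our own pages loading our own images
        hits[m["referer"]] += 1
    return hits.most_common()

# Constructed sample log for a fictitious bank (examplebank.test); the other
# hosts are documentation/test placeholders, not real sites.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Aug/2007:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4120 "https://www.examplebank.test/login" "Mozilla/5.0"
198.51.100.7 - - [13/Aug/2007:10:01:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 4120 "http://198.51.100.99/paypal/index.htm" "Mozilla/5.0"
198.51.100.8 - - [13/Aug/2007:10:02:11 +0000] "GET /images/header.jpg HTTP/1.1" 200 9001 "http://198.51.100.99/paypal/index.htm" "Mozilla/4.0"
198.51.100.9 - - [13/Aug/2007:10:03:30 +0000] "GET /images/logo.gif HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.6 - - [13/Aug/2007:10:04:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4120 "http://dsl-pool-7.isp.test/~user/signin.html" "Mozilla/5.0"
203.0.113.7 - - [13/Aug/2007:10:05:00 +0000] "GET /account/summary HTTP/1.1" 200 1200 "http://dsl-pool-7.isp.test/~user/signin.html" "Mozilla/5.0"
203.0.113.8 - - [13/Aug/2007:10:06:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4120 "https://static.examplebank.test/css/site.css" "Mozilla/5.0"
203.0.113.9 - - [13/Aug/2007:10:07:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 4120 "http://examplebank.test.attacker.test/login" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for url, n in hotlinked_image_referers(SAMPLE_LOG, {"examplebank.test"}):
        print(f"{n:3d}  {url}")  # candidate URLs for the takedown queue
```

Requests with no Referer and requests from the bank's own subdomains are dropped, while a lookalike host that merely ends in the bank's domain name is still flagged.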

As far as the recent increase in Rock Phish domains is concerned, DSLreports.com has been keeping track of, and shutting down, Rock Phish domains for a while. Once shut down, new domain names, usually recently dropped ones, appear online, such as userport.li and userport.ch for instance. Go through an article on "The History of Rock Phish" as well.