Thursday, September 20, 2007

DIY Phishing Kit Goes 2.0

With the release of the second version of the DIY phishing kit that I covered in a previous post, next to commentary on another one and a DIY pharming tool, the timeframe for creating a phishing page just got shorter than it used to be before. Moreover, the phishing ecosystem is getting closer to fully achieving its malicious economies of scale, ones where the number of phishing campaigns in the wild outpaces the possibilities for timely shutting them down. Even worse, phishers do not seem to be interested in re-inventing the wheel, and having to create a new phishing page for any site or service, instead, such phishing pages are now a commodity, and with the ecosystem itself clearly cooperating with malware authors, you end up in a situation where a malware infected host is not just hosting malware for the next victim to get infected, running multiple DNS servers, sending out spam and phishing emails, but also, hosting the phishing pages themselves.


Amateur phishers do not put efforts into ensuring the quality and the lifetime of their phishing campaigns, and you can clearly recognize such amateur campaign by visiting the phishing URL you've just received to figure out it's already down. The more sophisticated phishers, however, are not just efficiency-obsessed, but also, take advantage of typosquatting and basic segmentation approaches, for instance, acquiring a Russian email database to use as the foundation for a WebMoney phishing campaign, and a U.S one for a PayPal one. Moreover, sophisticated phishers also put more efforts and invest more time into personalizing the emails and in rare cases, the phishing pages themsleves, that's of course in between localizing the campaign by having it translated into the local language of the country for which the emails database belongs to, thus improving the chances of the campaign. This is yet another disturbing trend worth commenting on - malware is maturing into a services centered economy, and so is the case with spamming and phishing, a logical development with the commodization of what used to very exclusive tools.

What are the major improvements in the new version? In the first one, the phisher had to manually paste the source code of the real page, have the kit automatically redirect the data to a third party URL, and also manually fix the image locations to ensure that they will load properly. In the second version, there're POST and GET commands available so that the source code gets acquired automatically, and an internal Image Grabber so that the exact URLs of all the images within the login page can get easily integrated within the phishing page about to get generated. Getting back to differentiating the amateur from sophisticated phishers, the second have more resources at their disposal and better confidence in their hosting provider so that compared to loading the images from the original site, they're hosting them locally. This kit will inevitably continue to evolve, wish it was proportionally with the end user's understanding of how to protect against "push" phishing attacks though.

Related posts:
Taking Down Phishing Sites - A Business Model?