DIY Phishing Kits Introducing New Features

Factual evidence on the emergence of individual phishing kits is starting to appear, with two more available in the wild. So what? For the time being, the lack of communication between the authors of these, or perhaps even the need to is slowing down the adoption of core features that would standardize and create a dynamic all in one phishing campaign C&C.

In the long term, however, features and customizations already adopted by ethical phishing initiatives, would become the default set of features for public, and not the proprietary kits that theoretically should act as the benchmark. As in a previous discussion on the dynamics of the malware industry and the proprietary tools within, lowering the entry barriers into phishing by releasing this applications for free, greatly benefits the more experienced phishers, as the novice market entrants would be the ones making the headlines :

"The DIY phishing kits trend started emerging around August, 2007, with the distribution of a simple kit (screenshots included), whose objective was to make it easy for a phisher already possessing the phishing page, to enter a URL where all the data would be forwarded to. Several months later, the kit went 2.0 (screenshots included) and introduced new preview, and image grabber features in order to make it easier for the phisher to obtain the images to be used in the attack. In early 2008, two more phishing kits made it in the wild, with the first once having direct FTP upload capabilities as well DIY Phishing Kit as automated updating of the latest phishing page, and the second one taking advantage of plugins under a .phish file extension."

Read the entire post - DIY phishing kits introducing new features.

A Botnet of U.S Military Hosts

Building DDoS bandwidth capacity for offensive cyber warfare operations may seem rational, but this departamental cyber warfare approach would never manage to match the capabilities of the self-mobilizing hacktivist crowd :

"Where’s the enemy, and where’s the enemy’s communications and network infrastructure at the first place? It’s both nowhere, and everywhere, and you cannot DDoS “everywhere”, and even if you waste a decade building up the capability to DDoS everywhere, your adaptive enemy will undermine the resources, time and money you’ve put into the process by avoiding outside-to-inside attacks, and DDoS your infrastructure from inside-to-inside."

Here are related comments on how unnecessary the whole idea is at the first place.

The FirePack Exploitation Kit Localized to Chinese

The process of localizing open source malware, as well as publicly obtainable web malware explotation kits is continuing to receive the attention of malicious attackers, the Chinese underground in particular. Starting from MPack and IcePack's original localizations to Chinese, the FirePack exploitation kit is the latest one to have been recently localized to Chinese, and the trend is only starting to emerge.

What is prompting Chinese users to translate these kits to their native language anyway? Is it the kit's popularity, success rates, lack of alternatives, or capability matching with the rest of the internaltional underground community? I'd go for the last point.

Major Career Web Sites Hit by Spammers Attack

What is the future of spamming next to managed spamming appliances, like the ones already offered for use on demand? It’s targeted spamming going beyond the segmentation of the already harvested emails on per country basis, and including other variables such as city of residence, employment history, education, spoken languages, to ultimately set up the perfect foundation for targeted spamming and malware campaigns.

Go through the complete assessment of the tool used for extracting personal data from major career sites as well.

Custom DDoS Attacks Within Popular Malware Diversifying

One of the many Chinese script kiddies' favorite malware tools has been recently updated with several other DDoS attack capabilities built within, as well as with a nasty bandwidth allocation and measurement option introduced within. In case you remember, this was the very same malware tool I used as an example of how open source malware is prone to extend its lifecycle, and enjoy unique functionalities added on behalf of third-party contributors to the open source project.

The ongoing development of the tool showcases several important key points, namely, how a market share leader's products in a certain region, Korea in this case, often receive the attention of malware authors embedding product-specific DoS attacks within, and also, the fact that the average script kiddies are continuing getting empowered with access to DDoS tools going beyond the average HTTP request flooders and ICMP flooding attacks. Furthermore, realizing the PSYOPs effect that could be created out of the popularity of this DIY malware, a specific Anti CNN version was released during the Anti CNN attack campaigns, and as you can also see, ABC.com is hard coded as an example of a site to be attacked.

From an unrestricted warfare perspective, what is the difference between someone who has on purposely infected themselves with malware to appear as an infected hosts in this malware's C&C, and when traced back as a participant in the DDoS attacks simply states she's been infected with malware, next to those infected hosts who were unknowingly participating in the DDoS attacks? There wouldn't be any.

Stealing Sensitive Databases Online - the SQL Style

In a perfect world from a malicious SQL-ers perspective, mom and pop E-shops filling market niches and generating modest but noticeable revenue streams, have their E-shops vulnerable and exploitable to web application vulnerabilities, with their SQL databases available for extraction in an unencrypted form.

In reality, reconnaissance through search engine's indexes to build a hit list of E-shops with a higher probability for exploitation, is what malicious attackers who lack the skills and capacity to build a botnet, even invest money into renting one on demand and collecting the output in the form of credit cards numbers and accounting data, have been doing for the past of couple of years. Moreover, as I've already pointed out and provided relevant examples, it's perhaps even more disturbing to see the automated process of building such hitlists, verifying that they're exploitable, remotely exploiting them by embedding malicious links within their pages, and of this made possible through the use of botnets.

The whole is greater than the sum of its parts, and while some are putting time and efforts into figuring out whether or not a specific vulnerability is exploited, and through the use of which hundreds of thousands web sites again end up injected with automatically loading links to malicious domains, the bad guys are keeping it simple, sometimes way too simple to end up with the most successful and efficient ways to achieve their objectives. Furthermore, waging verbal warfare on whether or not XSS are a greater security risk than currently perceived, is definitely making a lot of malicious attackers out there enjoy the lack of situational awareness of those who are supposed to have a better grasp of what they're up to, not what they might be up to.

The bottom line - from a malicious economies of scale perspective, are massive SQL injections attacks serving malware to a speculated number of hundreds of thousands susceptible to clien-side attacks exploitation site visitors, more effective, than obtaining the low-hanging databases in a site-specific vulnerability manner? Depends entirely on what the bad guys are trying to obtain, access to as many infected hosts as possible to be later on used for phishing, spamming, stepping stones, hosting and distribution of malware and conducting OSINT for corporate espionage by segmenting the infected population into organizations of importance, or access to "the whole" benefits package coming with having a complete access over an Internet connected host.