

18 August 2008

Phishy eco-system

Eleanor Dallaway

Phishers are supported by an eco-system which allows even the least tech-savvy phishers to stay afloat, said Nitesh Dhanjani and Billy K Rios at their session ‘Bad Sushi: Beating phishers at their own game’ at Black Hat.

“What we’re finding is that phishers are helping other phishers. There’s no secret handshake, it’s simply handing over stolen information”, said Dhanjani.

“Phishing forums are easily accessible online. These forums aren’t encrypted, they’re not disguised. It’s simply phishers doing business openly online”.

The forums are accessible, by anyone, on the web. “They’re not even password encrypted – anyone can look at this ‘phished’ information”.

Dhanjani and Rios told delegates that phishers are not only lazy, but that they’re often technologically incompetent as well. “Often, the technology behind phishing attacks is unsophisticated. The phishers’ details and addresses can often be found in the code”. As a result of this, “phishers are now being phished”.

The session warned delegates about a “dangerous, new trend – ATM skimming”. In ATM skimming, an electronic device fitted over the ATM's card slot reads the information encoded on the magnetic stripe on the back of the victim's card as it is inserted. This variant does not require the card to be retained; the transaction runs normally, and the data recorded from the original card is copied to a blank magnetic stripe card, which is then used to withdraw cash.

“There’s a lot of chatting amongst the phishing community about this”, Rios warned.

The public need to be more aware of what phishing attacks look like, the duo concluded. “We can’t expect our grandmothers to recognise a phishing attack, but in a lot of cases, phishing attacks rely on the victim’s laziness”.
