Bruce Schneier


Schneier on Security

A blog covering security and security technology.


January 16, 2007

Do-it-Yourself Phishing Kit

PC World has found a do-it-yourself phishing kit for sale on the Internet. Of course, because they're a fine, upstanding magazine, they don't include any information about how to buy it or how much it costs.

Posted on January 16, 2007 at 2:17 PM • 22 Comments


Comments

Ted • January 16, 2007 3:14 PM

Well, it doesn't look like PC World is withholding info, only like RSA is disclosing less than everything they know (which seems responsible in this case).

I'm sure you can squeeze more out of them at the conference next month ;)


Rob Mayfield • January 16, 2007 3:22 PM

You'd have to wonder in situations like this, who is the phisher and who is the phished ...


Alan • January 16, 2007 3:33 PM

So when are we going to see the "Phisher-Price" training set? ("My Baby's First Web Fraud".) Probably show up at the next Defcon with the "Hax0r Spelling Dictionary".


Sammy The Surfer • January 16, 2007 5:03 PM

Sure, download our l33t phishing kit and phool your phri3nds! Just enter your credit card info for instant access...


Anonymous Coward • January 16, 2007 5:22 PM

I, for one, feel *extremely* safe about entering my credit card number to get a phishing kit. The irony is too much...


Filias Cupio • January 16, 2007 6:39 PM

If I were so inclined, I think I'd just wait for pirated versions of the software to become available. After all, the users aren't going to be too honest to pirate software, and the makers can't call in the police or BSA.


Qian Wang • January 16, 2007 6:44 PM

How they would handle payments is an interesting question actually. If they take credit cards, I would imagine most of their "clients" would just use stolen ones, leading to lots of chargebacks and unwanted attention. The same with Paypal and other online payment systems, which could freeze their accounts instantly. How would they deal with the kind of fraud rate that something like this must generate?


silverfish • January 16, 2007 7:26 PM

Seriously, such claims are a dime a dozen. Even if the phishing kit can do MITM attacks, given the layers of security in online banking, i.e., 2FA, SSL, payee verification, backend checks, do you think the kit will achieve its objective?


DaveH • January 16, 2007 8:32 PM

The only thing that would be noticed by the user is a mismatched or non-existent cert. Many users click through these warnings. All other security would be passed through, although software that would verify the originating IP address would flag a problem and ask for a 2nd authenticator. An unsuspecting user might enter it with some mild cursing under his breath; it really counts on users not understanding how the security works, which is most of them...


Matt from CT • January 16, 2007 9:41 PM

Would be interesting if they included a delay in the system...

So they got the payment card or other private information 24 hours before the people who actually installed the kit...

"WTF...every single card we get has already been flagged for fraud!!!"

:D


Aussie Pleb • January 16, 2007 10:23 PM

In Australia, the banking sector wants consumers to pay for online fraud:

http://www.abc.net.au/pm/content/2007/...

If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years - that banks should be responsible.


the other Greg • January 16, 2007 11:19 PM

From the Australian banking article :

"Internet fraud is estimated to cost Australia's financial institutions more than $25 million a year."

You can bet that is a generous estimate, including the hourly wages of the janitor who dumps the PR's wastebasket.

"Each month, some 14 million bills worth $9 billion are paid online." That's $108 billion a year.

The fraud rate is 25,000,000 / 108,000,000,000 = 0.023 percent.

Those pennies are screaming in agony, or the numbers are chimerae.


Ch.Kaiser • January 17, 2007 1:46 AM

[quote]
Those pennies are screaming in agony...
[/quote]
Just give them to me. I will heal them by spending gladly...


Phil • January 17, 2007 7:27 AM

Virtual credit cards are readily available for easy one time payments with vendors that you don't want to have your real account information. Many of the cards even allow you to provide whatever name/billing address you want.


Albert • January 17, 2007 9:32 AM

Is this the same kit that was in the news 11 Jan 2007? For instance here:
http://www.rsasecurity.com/press_release.asp?...

and here:
http://www.net-security.org/secworld.php?id=4609


X the Unknown • January 17, 2007 11:17 AM

@Filias Cupio: "If I were so inclined, I think I'd just wait for pirated versions of the software to become available. After all, the users aren't going to be too honest to pirate software, and the makers can't call in the police or BSA."

On the other hand, if I were trying to "copy-protect" some such package, I would have it automatically "register" itself on ICQ or UseNet, or some such. Then, if my 'Bots found unlicensed installations, they'd be targeted for a DDOS attack until they paid up.

Probably more effective than going to the police.

Alternatively, "unlicensed" installations could (after a suitable "shareware grace period") encrypt all the files on your hard drive, and hold them for ransom.

Of course, this latter approach works against paying customers, as well... ;)


markm • January 17, 2007 3:06 PM

"If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years - that banks should be responsible [for fraud]."

Banks should be responsible for fraud that's partly enabled by their policies, but remember the Golden Rule, according to the Wizard of Id comics: "He who has the gold makes the rules."


profilepitstop • January 17, 2007 10:02 PM

This is great news! We can't deny the fact that everybody needs good software against phishing, especially myspace phishing. I just hope this will really be available to everyone.


abdulkareem • April 6, 2007 8:00 AM

In Hollywood, they say there is no business like show business, but on the net, there is no business like PHISH business. As soon as you are ready to give the seller's ID, just mail me. Thanks


abdulrahaman • April 6, 2007 8:04 AM

Why would anyone want to sell such a valuable tool?


adamu • October 6, 2007 2:34 AM

Where do I get a phishing kit, if it's all that easy?


jack • December 5, 2007 2:15 PM

Chicken tastes good.


Powered by Movable Type. Photo at top by Geoffrey Stone.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.