Schneier on Security
A blog covering security and security technology.
« Security Theater and a Secure Data Center |
| Do Terrorists Lie? »
January 16, 2007
Do-it-Yourself Phishing Kit
PC World has found a do-it-yourself phishing kit for sale on the Internet. Of course, because they're a fine, upstanding magazine, they don't include any information about how to buy it or how much it costs.
Posted on January 16, 2007 at 2:17 PM
• 22 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Well, it doesn't look like PC World is withholding info, only like RSA is disclosing less than everything they know (which seems responsible in this case).
I'm sure you can squeeze more out of them at the conference next month ;)
You'd have to wonder in situations like this, who is the phisher and who is the phished ...
So when are we going to see the "Phisher-Price" training set? ("My Baby's First Web Fraud".) Probably show up at the next Defcon with the "Hax0r Spelling Dictionary".
Sure, download our l33t phishing kit and phool your phri3nds! Just enter your credit card info for instant access...
I for one, feel *extremely* safe about entering my credit card number to get a phishing kit. The irony is too much...
If I were so inclined, I think I'd just wait for pirated versions of the software to become available. After all, the users aren't going to be too honest to pirate software, and the makers can't call in the police or BSA.
How they would handle payments is an interesting question actually. If they take credit cards, I would imagine most of their "clients" would just use stolen ones, leading to lots of chargebacks and unwanted attention. The same with Paypal and other online payment systems, which could freeze their accounts instantly. How would they deal with the kind of fraud rate that something like this must generate?
Seriously, such claims are a dime in a dozen. Even if the phishing kit can do MITM attacks, given the layers of security in online banking, i.e, 2FA, SSL, payee verification, backend checks, do you think the kit will acheive it's objective?
The only thing that would be noticed by the user is a mismatched or non-existent cert. Many users click through these warnings. All other security would be passed through although software that would verify originating IP address would flag a problem and ask for a 2nd authenticator. Unsuspecting user might enter it with some mild cursing under his breath, it really counts on users not understanding how the security works, which is most of them...
Would be interesting if they included a delay in the system...
So they got the payment card or other private information 24 hours before the people who actually installed the kit...
"WTF...every single card we get has already been flagged for fraud!!!"
In Australia, the banking sector wants consumers to pay for online fraud:
If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years - that banks should be responsible.
From the Australian banking article :
"Internet fraud is estimated to cost Australia's financial institutions more than $25 million a year."
You can bet that is a generous estimate, including the hourly wages of the janitor who dumps the PRs wastebasket.
"Each month, some 14 million bills worth $9 billion are paid online." That's $108 billion a year.
The fraud rate is 25,000,000 / 108,000,000,000 = 0.023 percent.
Those pennies are screaming in agony, or the numbers are chimerae.
Those pennies are screaming in agony...
Just give them to me. I will heal them by spending gladly...
Virtual credit cards are readily available for easy one time payments with vendors that you don't want to have your real account information. Many of the cards even allow you to provide whatever name/billing address you want.
@Filias Cupio: "If I were so inclined, I think I'd just wait for pirated versions of the software to become available. After all, the users aren't going to be too honest to pirate software, and the makers can't call in the police or BSA."
On the other hand, if I were trying to "copy-protect" some such package, I would have it automatically "register" itself on ICQ or UseNet, or some such. Then, if my 'Bots found unlicensed installations, they'd be targeted for a DDOS attack until they payed up.
Probably more effective than going to the police.
Alternatively, "unlicensed" installations could (after a suitable "shareware grace period") encrypt all the files on your hard drive, and hold them for ransom.
Of course, this latter approach works against paying customers, as well... ;)
"If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years - that banks should be responsible [for fraud]."
Banks should be responsible for fraud that's partly enabled by their policies, but remember the Golden Rule, according to the Wizard of Id comics: "He who has the gold makes the rules."
This is great news! We can't deny the fact that everybody needs a good software against phishing especially myspace phishing. I just hope this will really be available to everyone.
In Hollywood, they say there is no business like show business but on the net, there is no business like PHISH business. As soon as you are ready to give the sellers id just mail me. Thanks
why would anyone want to sell such a valuable tool?
where do i get a phishing kit, if its all that easy?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.