Do-it-Yourself Phishing Kit
PC World has found a do-it-yourself phishing kit for sale on the Internet. Of course, because they’re a fine, upstanding magazine, they don’t include any information about how to buy it or how much it costs.
Rob Mayfield • January 16, 2007 3:22 PM
You’d have to wonder in situations like this, who is the phisher and who is the phished …
Alan • January 16, 2007 3:33 PM
So when are we going to see the “Phisher-Price” training set? (“My Baby’s First Web Fraud”.) Probably show up at the next Defcon with the “Hax0r Spelling Dictionary”.
Sammy The Surfer • January 16, 2007 5:03 PM
Sure, download our l33t phishing kit and phool your phri3nds! Just enter your credit card info for instant access…
Anonymous Coward • January 16, 2007 5:22 PM
I for one, feel extremely safe about entering my credit card number to get a phishing kit. The irony is too much…
Filias Cupio • January 16, 2007 6:39 PM
If I were so inclined, I think I’d just wait for pirated versions of the software to become available. After all, the users aren’t going to be too honest to pirate software, and the makers can’t call in the police or BSA.
Qian Wang • January 16, 2007 6:44 PM
How they would handle payments is an interesting question actually. If they take credit cards, I would imagine most of their “clients” would just use stolen ones, leading to lots of chargebacks and unwanted attention. The same with Paypal and other online payment systems, which could freeze their accounts instantly. How would they deal with the kind of fraud rate that something like this must generate?
silverfish • January 16, 2007 7:26 PM
Seriously, such claims are a dime a dozen. Even if the phishing kit can do MITM attacks, given the layers of security in online banking, i.e., 2FA, SSL, payee verification, backend checks, do you think the kit will achieve its objective?
DaveH • January 16, 2007 8:32 PM
The only thing that would be noticed by the user is a mismatched or non-existent cert. Many users click through these warnings. All other security would be passed through, although software that would verify the originating IP address would flag a problem and ask for a 2nd authenticator. The unsuspecting user might enter it with some mild cursing under his breath; it really counts on users not understanding how the security works, which is most of them…
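The two comments above describe the mechanics of a relay-style ("man-in-the-middle") phishing kit: every field the victim types, including a one-time code and any step-up challenge, is forwarded to the real site in real time, and the only thing that cannot be relayed is the certificate the victim's browser sees. The simulation below is an added example written for this page; it is not code from the original post, from PC World, from RSA, or from any actual kit. The hostnames, IP addresses, TOTP seed, fixed timestamp and the bank's "new IP triggers a second authenticator" rule are all constructed stand-ins, and the bank and relay are plain Python objects rather than network services.

```python
import hashlib
import hmac
import struct

# All names and values below are constructed for this example.
REAL_HOST = "bank.example"          # host the victim's browser should be talking to
PHISH_HOST = "bank-login.example"   # lookalike host the relay actually presents
TOTP_SEED = b"constructed-demo-seed"
FIXED_TIME = 1_168_984_800          # fixed Unix time so the run is deterministic


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme most authenticator apps use."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Bank:
    """Simulated bank: password + TOTP, plus a step-up when the source IP is new."""

    def __init__(self, password, seed, known_ips):
        self.password, self.seed, self.known_ips = password, seed, set(known_ips)
        self.pending = {}   # src_ip -> out-of-band code awaiting an answer
        self.events = []    # what the bank's backend sees

    def login(self, src_ip, password, otp, now):
        if password != self.password or not hmac.compare_digest(otp, totp(self.seed, now)):
            self.events.append(("reject", src_ip))
            return ("reject", None)
        if src_ip not in self.known_ips:
            # Unknown originating IP: flag it and demand a second authenticator,
            # delivered out of band (think SMS), so it never travels over the web session.
            code = totp(self.seed + b"oob", now)   # deterministic stand-in for a random code
            self.pending[src_ip] = code
            self.events.append(("step-up", src_ip))
            return ("step-up", code)               # "sent" to the user's phone
        self.events.append(("session", src_ip))
        return ("session", f"sess-{src_ip}")

    def answer_step_up(self, src_ip, answer):
        if hmac.compare_digest(self.pending.pop(src_ip, ""), answer):
            self.events.append(("session", src_ip))
            return ("session", f"sess-{src_ip}")
        self.events.append(("reject", src_ip))
        return ("reject", None)


class Relay:
    """MITM phishing kit: serves PHISH_HOST to the victim and forwards every
    submitted field to the real bank from the kit's own IP, in real time."""

    cert_hostname = PHISH_HOST   # the one thing the kit cannot borrow from the real site

    def __init__(self, bank, ip):
        self.bank, self.ip, self.captured = bank, ip, []

    def forward_login(self, password, otp, now):
        self.captured.append(("creds", password, otp))
        return self.bank.login(self.ip, password, otp, now)

    def forward_step_up(self, answer):
        self.captured.append(("oob", answer))
        return self.bank.answer_step_up(self.ip, answer)


def browse(expected_host, server, clicks_through_cert_warning):
    """Victim's browser: the only visible difference from a real login is the cert."""
    warning = server.cert_hostname != expected_host
    return warning, (not warning) or clicks_through_cert_warning


def run_scenario(clicks_through_cert_warning=True):
    bank = Bank("hunter2", TOTP_SEED, known_ips={"198.51.100.7"})   # victim's usual IP
    relay = Relay(bank, ip="203.0.113.9")                            # attacker's server
    warning, proceed = browse(REAL_HOST, relay, clicks_through_cert_warning)
    session = None
    if proceed:
        status, payload = relay.forward_login("hunter2", totp(TOTP_SEED, FIXED_TIME), FIXED_TIME)
        if status == "step-up":
            # The bank's IP check fired and a code went to the victim's phone; the victim
            # types it into the phishing page, and the relay forwards it like everything else.
            status, payload = relay.forward_step_up(payload)
        session = payload if status == "session" else None
    return {
        "cert_warning_shown": warning,
        "bank_events": bank.events,
        "attacker_session": session,
        "captured_fields": len(relay.captured),
    }


if __name__ == "__main__":
    print(run_scenario(True))    # victim clicks through: attacker ends up with a session
    print(run_scenario(False))   # victim stops at the warning: bank never sees a login
```

The bank log in the click-through run shows exactly what DaveH predicts: the IP check does fire ("step-up" from the relay's address), but because the second authenticator is typed into the same phishing page it is relayed too, and the attacker finishes with a live session. The only branch in which the attack fails is the certificate warning, which is a user decision, not a backend control.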
Matt from CT • January 16, 2007 9:41 PM
Would be interesting if they included a delay in the system…
So they got the payment card or other private information 24 hours before the people who actually installed the kit…
“WTF…every single card we get has already been flagged for fraud!!!”
😀
Aussie Pleb • January 16, 2007 10:23 PM
In Australia, the banking sector wants consumers to pay for online fraud:
http://www.abc.net.au/pm/content/2007/s1827360.htm
If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years – that banks should be responsible.
the other Greg • January 16, 2007 11:19 PM
From the Australian banking article :
“Internet fraud is estimated to cost Australia’s financial institutions more than $25 million a year.”
You can bet that is a generous estimate, including the hourly wages of the janitor who dumps the PRs wastebasket.
“Each month, some 14 million bills worth $9 billion are paid online.” That’s $108 billion a year.
The fraud rate is 25,000,000 / 108,000,000,000 = 0.023 percent.
Those pennies are screaming in agony, or the numbers are chimerae.
Ch.Kaiser • January 17, 2007 1:46 AM
[quote]
Those pennies are screaming in agony…
[/quote]
Just give them to me. I will heal them by spending gladly…
Phil • January 17, 2007 7:27 AM
Virtual credit cards are readily available for easy one time payments with vendors that you don’t want to have your real account information. Many of the cards even allow you to provide whatever name/billing address you want.
Albert • January 17, 2007 9:32 AM
Is this the same kit that was in the news 11 Jan 2007? For instance here:
http://www.rsasecurity.com/press_release.asp?doc_id=7667
X the Unknown • January 17, 2007 11:17 AM
@Filias Cupio: “If I were so inclined, I think I’d just wait for pirated versions of the software to become available. After all, the users aren’t going to be too honest to pirate software, and the makers can’t call in the police or BSA.”
On the other hand, if I were trying to “copy-protect” some such package, I would have it automatically “register” itself on ICQ or UseNet, or some such. Then, if my bots found unlicensed installations, they’d be targeted for a DDoS attack until they paid up.
Probably more effective than going to the police.
Alternatively, “unlicensed” installations could (after a suitable “shareware grace period”) encrypt all the files on your hard drive, and hold them for ransom.
Of course, this latter approach works against paying customers, as well… 😉
markm • January 17, 2007 3:06 PM
“If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years – that banks should be responsible [for fraud].”
Banks should be responsible for fraud that’s partly enabled by their policies, but remember the Golden Rule, according to the Wizard of Id comics: “He who has the gold makes the rules.”
profilepitstop • January 17, 2007 10:02 PM
This is great news! We can’t deny the fact that everybody needs a good software against phishing especially myspace phishing. I just hope this will really be available to everyone.
abdulkareem • April 6, 2007 8:00 AM
In Hollywood, they say there is no business like show business, but on the net, there is no business like PHISH business. As soon as you are ready to give the seller’s ID, just mail me. Thanks
abdulrahaman • April 6, 2007 8:04 AM
Why would anyone want to sell such a valuable tool?
adamu • October 6, 2007 2:34 AM
Where do I get a phishing kit, if it’s all that easy?
jack • December 5, 2007 2:15 PM
chicken tastes good
Ted • January 16, 2007 3:14 PM
Well, it doesn’t look like PC World is withholding info, only like RSA is disclosing less than everything they know (which seems responsible in this case).
I’m sure you can squeeze more out of them at the conference next month 😉