Do-it-Yourself Phishing Kit

PC World has found a do-it-yourself phishing kit for sale on the Internet. Of course, because they're a fine, upstanding magazine, they don't include any information about how to buy it or how much it costs.

Posted on January 16, 2007 at 2:17 PM • 22 Comments

Comments

Ted • January 16, 2007 3:14 PM

Well, it doesn't look like PC World is withholding info, only like RSA is disclosing less than everything they know (which seems responsible in this case).

I'm sure you can squeeze more out of them at the conference next month ;)

Rob Mayfield • January 16, 2007 3:22 PM

You'd have to wonder in situations like this, who is the phisher and who is the phished ...

Alan • January 16, 2007 3:33 PM

So when are we going to see the "Phisher-Price" training set? ("My Baby's First Web Fraud".) Probably show up at the next Defcon with the "Hax0r Spelling Dictionary".

Sammy The Surfer • January 16, 2007 5:03 PM

Sure, download our l33t phishing kit and phool your phri3nds! Just enter your credit card info for instant access...

Anonymous Coward • January 16, 2007 5:22 PM

I for one, feel *extremely* safe about entering my credit card number to get a phishing kit. The irony is too much...

Filias Cupio • January 16, 2007 6:39 PM

If I were so inclined, I think I'd just wait for pirated versions of the software to become available. After all, the users aren't going to be too honest to pirate software, and the makers can't call in the police or BSA.

Qian Wang • January 16, 2007 6:44 PM

How they would handle payments is an interesting question actually. If they take credit cards, I would imagine most of their "clients" would just use stolen ones, leading to lots of chargebacks and unwanted attention. The same with Paypal and other online payment systems, which could freeze their accounts instantly. How would they deal with the kind of fraud rate that something like this must generate?

silverfish • January 16, 2007 7:26 PM

Seriously, such claims are a dime in a dozen. Even if the phishing kit can do MITM attacks, given the layers of security in online banking, i.e., 2FA, SSL, payee verification, backend checks, do you think the kit will achieve its objective?

DaveH • January 16, 2007 8:32 PM

The only thing that would be noticed by the user is a mismatched or non-existent cert. Many users click through these warnings. All other security would be passed through although software that would verify originating IP address would flag a problem and ask for a 2nd authenticator. Unsuspecting user might enter it with some mild cursing under his breath, it really counts on users not understanding how the security works, which is most of them...

Matt from CT • January 16, 2007 9:41 PM

Would be interesting if they included a delay in the system...

So they got the payment card or other private information 24 hours before the people who actually installed the kit...

"WTF...every single card we get has already been flagged for fraud!!!"

:D

the other Greg • January 16, 2007 11:19 PM

From the Australian banking article:

"Internet fraud is estimated to cost Australia's financial institutions more than $25 million a year."

You can bet that is a generous estimate, including the hourly wages of the janitor who dumps the PR's wastebasket.

"Each month, some 14 million bills worth $9 billion are paid online." That's $108 billion a year.

The fraud rate is 25,000,000 / 108,000,000,000 = 0.023 percent.

Those pennies are screaming in agony, or the numbers are chimerae.

Ch.Kaiser • January 17, 2007 1:46 AM

"Those pennies are screaming in agony..."

Just give them to me. I will heal them by spending gladly...

Phil • January 17, 2007 7:27 AM

Virtual credit cards are readily available for easy one time payments with vendors that you don't want to have your real account information. Many of the cards even allow you to provide whatever name/billing address you want.

X the Unknown • January 17, 2007 11:17 AM

@Filias Cupio: "If I were so inclined, I think I'd just wait for pirated versions of the software to become available. After all, the users aren't going to be too honest to pirate software, and the makers can't call in the police or BSA."

On the other hand, if I were trying to "copy-protect" some such package, I would have it automatically "register" itself on ICQ or UseNet, or some such. Then, if my 'Bots found unlicensed installations, they'd be targeted for a DDOS attack until they paid up.

Probably more effective than going to the police.

Alternatively, "unlicensed" installations could (after a suitable "shareware grace period") encrypt all the files on your hard drive, and hold them for ransom.

Of course, this latter approach works against paying customers, as well... ;)

markm • January 17, 2007 3:06 PM

"If I recall correctly, this is the opposite of what our host Bruce has been recommending for several years - that banks should be responsible [for fraud]."

Banks should be responsible for fraud that's partly enabled by their policies, but remember the Golden Rule, according to the Wizard of Id comics: "He who has the gold makes the rules."

profilepitstop • January 17, 2007 10:02 PM

This is great news! We can't deny the fact that everybody needs a good software against phishing especially myspace phishing. I just hope this will really be available to everyone.

abdulkareem • April 6, 2007 8:00 AM

In Hollywood, they say there is no business like show business but on the net, there is no business like PHISH business. As soon as you are ready to give the sellers id just mail me. Thanks


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.