Nearly half of the live phishing kits identified online have backdoors designed to steal from the information thieves using them, according to research conducted at the University of California, Santa Barbara.
The fact that phishing kits contain backdoors had been noted before by various sources, Marco Cova, one of the researchers from UC Santa Barbara's Department of Computer Science, told SCMagazineUS.com on Thursday.
“I think the unexpected element that we found was that so many of them turned out to be backdoored [about 40 percent of all phishing kits collected],” he said. “In other words, this seems to be quite a pervasive practice in the phishing world, rather than a one-off experiment by some particularly malicious character.”
Cova added that another unexpected result was the different levels of sophistication in the techniques used by phishers to plant and hide their backdoors.
“In fact, some of the techniques used were fairly primitive, including reordering the letters of an email address in order to hide it,” Cova said. “On the other hand, other techniques were definitely more advanced and quite ingenious.”
The researchers identified 379 distinct phishing kits from 21 different distribution sites; 129 of those kits contained backdoors. The kits targeted 49 different organizations, focusing mainly on banks and auction sites.
Phishing kits are a part of an opportunistic black market, said Rami Habal of email security firm Proofpoint.
“It's a quick buck and a quick scam,” he said. “I dangle this carrot in front of would-be scammers and get them to download my phishing kit, I can exploit them.”
This research, Habal said, showed how phishing is moving on to the next level of sophistication, which is exploiting the very phishers themselves.
Cova agreed. “Our paper gives some insight into how the underground circles work, their economical incentives, techniques, and ethical -- or lack of -- rules. It's an ironic twist of events to observe that phishers phish phishers.”
The research also shows that phishers are a varied group, Cova said: some have fairly sophisticated technical skills, while others have limited skills and simply reuse, and try to profit from, tools developed by others, often without realizing that they are being taken advantage of.
“If you are a phisher,” Cova said, “I guess the lesson here is don't trust what appears to be free.…”