The popular conception of phishers is of shadowy electronic masterminds, using a mix of technical prowess, deception and anonymity to trick consumers into handing over their bank account details. Actually, most of them are too stupid to design their own websites. That’s what two security researchers found when they delved deep into the online phishing community.
Their research revealed that most phishers use ready-made kits, which are made by a small group of people and then sold and traded online. All you have to do is fill in a few form fields, give it an email address to send people’s bank account info to, and deploy it on a compromised server. Boom, insta-phishing scam. What’s more, the kits, servers and programs all routinely have backdoors built in, so the phishers are phishing the phishers. It’s amazing to think that the greatest threat to the modern banking system is being perpetuated by a network of average people whose only unique talent is their capacity for immorality.
Interview with Nitesh Dhanjani and Billy Rios, Spies in the Phishing Underground [Net Security]