July 23, 2010

Imperva uncovered a new, automated, cloud-based phishing kit.  Our Application Defense Center found this kit on a hacker forum.

Unlike previous phishing kits that have been available for years (which we detail here), this new approach lives in the cloud and relies on hackers exploiting other hackers.  And with the new cloud-based approach, the infrastructure for this phishing kit never goes away.  Why?  In traditional schemes, when you take down a server you take down not only the web page but also the back-end data collection capability.  In this cloud version, data collection is hosted separately from the phishing web sites, which means hackers only need to repost the web front end in a new location to be back in business.  (It's like whack-a-mole.)
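For takedown work, the separation described above means that front ends sharing one collection host belong to a single operation. The following Python script is an added example, not code from this post or from the kit: it groups captured phishing pages by the off-site host their credential form posts to. It assumes the pages submit through an HTML form `action`, which the post does not state, and every URL and HTML snippet in it is a constructed sample.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActions(HTMLParser):
    """Collect the action of every <form> that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions, self._current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._current is not None:
                self.actions.append(self._current)
                self._current = None  # count each form once
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def collectors(page_url, html):
    """Hosts that receive credentials from page_url but are not its own host."""
    parser = FormActions()
    parser.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = set()
    for action in parser.actions:
        # Resolve relative and scheme-relative actions against the page URL.
        host = urlsplit(urljoin(page_url, action)).hostname
        if host and host != page_host:
            hosts.add(host)
    return hosts

def group_by_collector(pages):
    """Map each off-site collection host to the front-end pages that feed it."""
    groups = defaultdict(set)
    for url, html in pages.items():
        for host in collectors(url, html):
            groups[host].add(url)
    return dict(groups)

# Constructed samples: two front ends sharing a collector, one same-host login.
SAMPLES = {
    "http://front-a.example/login.html": '<form action="http://collector.example/post.php"><input name="u"><input type="password" name="p"></form>',
    "http://front-b.example/signin/": '<form action="//collector.example/post.php"><input name="e"><input type="PASSWORD" name="pw"></form>',
    "http://shop.example/account": '<form action="/session"><input type="password" name="p"></form>',
}
if __name__ == "__main__":
    for host, fronts in group_by_collector(SAMPLES).items():
        print(host, sorted(fronts))
```

A collector host that keeps reappearing across newly reported front ends is the better target for an abuse report or a block rule than any single front-end URL.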

Also, and perhaps more interesting, this attack highlights that there’s no honor among thieves.  Two master hackers wrote and then posted a phishing kit into hacker forums.  The irony is that anyone using this kit becomes an unknowing member of the master hacker’s army.  When hackers use this kit and deploy a successful phishing campaign, all the stolen credentials and information go straight back to the master hacker without the proxy hacker’s knowledge.  It’s very clever.  The master hacker never needs to conduct a campaign to see financial gain.

This next gen phishing kit works like this: 

  1. Two master hackers created a phishing kit that generates phishing sites as a service to other hackers.
  2. The master hacker publishes the kit on hacker forums and newsgroups.
  3. Other hackers download and use the kit to create the phishing sites and run numerous campaigns, becoming "proxy" hackers.  The master hacker claims 200,000+ downloads.
  4. The proxy hackers see some success, potentially stealing dozens to hundreds of credentials before their fake sites are shut down.
  5. The master hacker uses a back door in the kit to harvest all the credentials the proxy hackers managed to get, which, collectively, probably amounts to thousands of credentials.
  6. Since new people create new phishing sites every day, with new campaigns, the master hacker’s numbers just grow and grow and grow.

The kit was developed in Algeria with Arabic tutorials while the kit itself is in English.  Here’s how you sign up for it: 

Login spoof
 

And here’s how you select pages to spoof:

Page select phishing

And here’s a "dashboard" screenshot showing victims:

Dashboard2
  

