People who embark on a life of crime are usually attracted by the promise of little effort and big money, and the hacker whose phishing kit was discovered to be collecting credentials from the phishers using it is clearly not an exception.
Imperva researchers stumbled upon the “Login Spoofer 2010” phishing kit on hacking forums and newsgroups, and a deeper investigation revealed that this phishing kit is like no other, because the collected data is hosted “in the cloud” – separately from the disposable phishing web sites.
That means that even if the web sites get shut down, the collected data is still available to the phishers. They simply have to repost the page on a new location, and they are back in business.
But the cloud approach is not the only thing that makes this kit different from others. Unbeknown to the phishers, the author of the kit has programmed a back door into it that allows him to harvest all the credentials collected by the various phishers using it.
The kit itself is in English, but the tutorial for it also contains explanations in Arabic. It allows the users to create phishing sites with just a few clicks.
It can mimic login pages of popular services such as Gmail, Hotmail, Yahoo!, Facebook, PayPal, RapidShare, Skype and others. The stolen credentials can be viewed on a “dashboard” that links them to the service and the IP address from which the page was accessed.
Imperva says that the developer claims that the kit was downloaded over 200,000 times. If that is true, and the kit is working as intended, he might be sitting on an immeasurable pile of phished credentials.