web application security lab

Phishing Social Networking Sites

Okay, I had a lot of fun with this post. No new news here, but I was able to talk to someone who was willing to sit down and write out some thoughts from a phisher’s perspective. The phisher goes by the name “lithium” and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large. These are his words, unmodified:

How would you describe yourself? Age? Did you go to school? Interests?

Determined is the best word to describe myself. I’m 18 years young. Yes, I went to school. I left after high school. My interests are MMA (mixed martial arts), fitness and, last but not least, the internet!

How did you get your start in phishing? How did you get interested in it?

The typical scam mail that my parents kept receiving in their inbox. They were very poorly done! Yet in general they worked. So, I knew automatically I could come up with more efficient methods and have a far greater outcome.

How long have you been phishing?

I’ve been phishing since I turned 14. So that’s nearly 5 years.

Do you have any idea how many people’s identities you’ve stolen so far?

Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through.

Did you need to forge any particular relationships with other people/groups to get started?

No, when I started I went solo. A lot of groups came to me asking if I wanted in; I declined.

What types of sites make the best phishing sites?

Social networking sites, any site that involves teenagers ranging from 14 years old upwards.

What are the steps you take to set up a phishing site?

I try to find a domain name that would best suit the current target. Try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host. (Offshore are the most reliable.) Although, I do tend to use compromised hosting accounts.

Secondly, I view the page source. Then I alter the source code to post the form’s information to my phishing site.

Thirdly, I create a PHP file which will POST the current form’s information to a text file on my server. I use the same PHP file with every site; just minor alterations are needed since it’s merely a few lines of PHP code.

How many people do you typically phish per site you post?

That all depends on the size of the website (the amount of users). Usually, I phish 30k a day.

How do you monetize the identities and how much does that net you?

Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following: paypal/egold/rapidshare/ebay accounts, or even the email account itself, I sell those to scammers. All in all, I make 3k to 4k a day. I only phish 3-4 days a week. Depends on how much time I invest; the more time I invest the greater the outcome.

Are there any costs associated with phishing?

Yes there are costs. A dedicated server, VPN, Network encryption software and time.

What sort of hardware/software do you need to do this? Anything special (phishing kits, etc…)? What kind of internet connection do you use?

For MOST social networking sites, I use a program called MyChanger. You can find it on this website - www.myownchanger.com - This makes phishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it’s great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn’t anything fancy, a standard 1mb ADSL line.

How do you keep yourself safe from being caught?

I use VPNs, dedicated servers, proxies and my network traffic is encrypted. All payments are made through egold.

Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?

Oh sure, there are many things that make phishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.

Do you foresee any changes to the phishing industry that are worthy of note?

No.

Anything else you’d like to share/last words?

Lazy web developers are the reason I’m still around phishing.

Pretty telling on the current state of affairs, I’d say. The first interesting point I took from this was that IE7 and FF2 are actually a somewhat okay deterrent. From the looks of it, it hasn’t made much of a dent, only changed the tactics that phishers use. I suppose we could have guessed that, since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making a dent at all. I actually predicted that it would before IE7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.

The second is that the password is used in more than one place 50% of the time - we already knew that but it’s interesting to hear it from a phisher’s perspective on how that’s actually useful to help monetize the attack. A huge thanks to lithium who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?
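The second step lithium describes, cloning a site’s page source and repointing the login form at his own server, is the part a defender can check for mechanically. The following is an added example, not code from the original post or from any tool mentioned in it: it parses an HTML page, finds every form that contains a password field, resolves the form’s action against the page URL, and reports any form that posts to a different host or over plain HTTP. The page URL, hostnames and the sample HTML are constructed for the example.

```python
"""Flag login forms that send credentials to a host other than the page's own.

Added defensive example (not from the original post). The sample page and
the example.com / example.net hostnames are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form>'s action and whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # finished forms, in document order
        self._current = None   # the <form> currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def offsite_credential_forms(page_url, html):
    """Return findings for password forms that post off-site or without TLS.

    A form with no action posts back to the page itself, which urljoin
    handles by returning page_url unchanged.
    """
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue                       # search boxes etc. are not interesting
        target = urljoin(page_url, form["action"])
        parts = urlsplit(target)
        target_host = (parts.hostname or "").lower()
        if target_host != page_host:
            findings.append(f"password form posts to a different host: {target}")
        elif parts.scheme != "https":
            findings.append(f"password form posts over {parts.scheme}: {target}")
    return findings


# Constructed sample: one legitimate login form, one search form, one form
# rewritten to post credentials to a look-alike domain, and one legacy form
# posting to the right host but over plain HTTP.
SAMPLE_PAGE_URL = "https://social.example.com/login"
SAMPLE_HTML = """
<html><body>
<form method="post" action="/session">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="https://accounts-social.example.net/post.php">
  <input name="user"><input type="PASSWORD" name="pass">
</form>
<form method="post" action="http://social.example.com/legacy-login">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""


def check_sample():
    """Run the check over the constructed sample page and return its findings."""
    return offsite_credential_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

Run against the sample this reports two forms: the one posting to accounts-social.example.net and the one posting over HTTP. A check like this only catches the form-rewriting technique the interview describes; a phishing page that harvests credentials on its own origin looks clean to it, which is why browser-side reputation lists (the IE7/FF2 protection lithium complains about) and look-alike domain monitoring are still needed alongside it.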

33 Responses to “Phishing Social Networking Sites”

  1. blad3 Says:

    Interesting post, any idea what he is talking about with
    “Social networking sites, Make me $500 to 1k through CPA deals” ?

  2. fukami Says:

    CPA == Cost Per Action

    That means he earns money through people buying stuff, taking subscriptions etc.

  3. Lazy Lukas Says:

Is it only me, or does that whole interview sound a bit unrealistic?

Phishing since 14 and 3-4k income per day?
    And 30k accounts phished per day?

    Sorry but I cannot believe that this is actually more than a bragging kid.

  4. RSnake Says:

Lazy Lukas - 30k accounts per day isn’t unrealistic, nor is monetizing only 3-4k of that per day. I’m not sure what you mean. Maybe you are saying this particular person isn’t doing that sort of volume, but this is by no means outside of reality. If you could get $500 off of each phishing victim that had access to a valuable service, and only 1/100 passwords you have stolen were useful for that kind of thing, that’s still $5 per password on average. In fact, if anything he’s probably not monetizing this anywhere near what he could be, but like he said, he’s probably got more volume than he knows what to do with, so the quickest way to deal with them is to sell the email addresses to spammers. While only making a few dollars at most off of something like that, he could make 3-4k off volume alone. Also, that one Google dork I saw netted 50 some odd phishing sites in MySpace alone. That’s nowhere near all of them, I assure you. If each one is semi-heavily trafficked at 100 users a day and only half were dumb enough to enter their password (I suspect more but whatever) it would only take 12 days for those 50 alone to net you 30k.

    Now multiply that by the real number of phishing sites in MySpace and then also add on all the other social networking sites, and the passwords and other valuable functions inside people’s emails, and you have yourself easily 30k a day (even that seems low to me). While I can’t comment on how many actual sites he’s set up, or how many passwords he’s actually recovered, I would be surprised if he weren’t at least in the ball-park with his numbers. And even if he were being totally dramatic - and I have some evidence to the contrary - the point is still valid. As a side note, his story jives with what I have heard from other more traditional phishers (though they are a bit better about monetization at around $800 per user - but also they are the last people in the food chain as often they end up buying the lists that guys like lithium build).

    blad3 - I didn’t go further into which cost per action deals he had set up, but if I had to guess, it would be porn, pills or the like. Anyone who signs up for that kind of crap ends up giving him a referral fee. Social networking is really good for that kind of spam because search engines give them very high link quality since the domain is old and well linked-to. It makes it more valuable for blackhat SEO types.

  5. Sid Says:

    Great post, thank you lithium for sharing your perspective with us.

  6. Ronald van den Heetkamp Says:

Good stuff, and it’s nice to see that the anti-phishing methods in today’s browsers will annoy this phisher. :D

  7. christ1an Says:

    Hell this is interesting. Thanks lithium and RSnake.

What would you guys say, how many phishers like lithium are in fact out there? Just guess.

  8. RSnake Says:

    You could probably back into the number pretty closely. If 13.7MM people have had their identities stolen and he, on average can make use of only 1 out of 1/100 that means that really 137MM users have been hacked with no dire results (at least yet). So if he has done 20MM, there are at least 6 in the US alone (or a number of fractional users that represent smaller portions of that pie). That’s just the US.

  9. Chris Says:

Hey man, you should go to school and get a real life.
You are a parasite. Phishing is for rookies and losers. You’d better write your own shit.
It does not take a genius to write lame PHP pages with two lines of JavaScript and two input fields.
Run a DoS on the DNS root servers! It’s way more fun!

  10. SW Says:

    I have to agree with Lukas on this one, it sounds very unrealistic.

  11. Technocrat Says:

That is assuming no overlap…..but with overlap, the number of phishers could be very different…so in the end, who knows…it doesn’t take a lot to get started in the business.

    I think we can all agree with that.

  12. TehLeetPhisher Says:

    This guy is old fucking washed up news.

    That game is done and over with 1 year ago when things were a lot easier.

    Old fucking news. We were making 20K/day one year ago. Inefficient. Weak man.

    MyChanger? Ha I knew the owner of that, that’s funny shit man.

  13. TehLeetPhisher Says:

    Oh by the way, 30K is VERY possible, I did it.

  14. Ronald van den Heetkamp Says:

    @TehLeetPhisher

Wow, that is really a lot of money, I never realized it was so profitable. On the other hand it sounds logical that it must be profitable to even begin with such a thing. I have to take your word on it because I have absolutely no clue how one can monetize it other than having pretty good connections with credit card scammers.

  15. TehLeetPhisher Says:

    You’d be surprised how interesting the CTR % is when you’re posing as a friend of another and tell them about a deal.

    Think about:

    We phish at 30K+ a day. That leaves us with a base of 30K * the amount of people on their friends list. Our advertising base grows EVERYDAY. With the flash vulnerability, this base grew exponentially.

Now think about how much your friend’s word means to you? Think about the click-through rate on that? It’s low but it’s better when your leads are giving $1.50, $13 per lead.

    We were making $50/second sometimes. Peak hours were in the afternoon around 12 and things slowed down at night.

Imagine bulletin spamming your lists every day with a new lead every time. Doing 3-4 times a day on the same lists and then cycling through them as they grew hourly then daily because you had so many.

    What does that mean? $20K/day in advertising revenue.

  16. TehLeetPhisher Says:

    Screw stealing bank accounts and such, just steal advertising revenue from big corporations.

    Who cares about MySpace? What’s wrong with stealing some revenue from the big boys. They get enough anyway.

    I don’t know if any of you have noticed but the phishers aren’t the biggest bad guys in this. MySpace is one big ass advertisement, you should be rooting for your fellow poor computer geek who is banking off of it.

    It’s a basic query in MySQL for them to remove the bulletin spam, who are they kidding?

  17. Markus Jakobsson Says:

My group is trying to understand phishing better, and one important aspect is to assess yields. (Yield = percentage of targeted users from whom credentials are harvested in a given attack.)

    We have some ideas of possible yields for different kinds of attacks, not taking takedown into consideration. Our numbers range between 10 and 75% depending on the type of attack.

    But what are the real yields, incl takedown and all? I’d love to hear from phishers.

  18. christpuncher Says:

    I’m calling bullshit on this article.

  19. chillervalley Says:

    hmmm 3 - 4k a day … uhm anyone wanna go phishing with me? ;-)

  20. demzie Says:

Even though this story is bullshit “christpuncher”; there are people who can realize this.. Maybe the amount of people who are really that good is small; but, what the heck, better 4k a day than lame highskool.. If you do this for 2/4 years, you don’t need highskool anymore.

  21. Ronald van den Heetkamp Says:

    Still I think we must welcome phishers to speak out, it’s not very often you run into people who are really doing the thing we talk about. I really want to learn all about them and how they do it. Even when I have to take some things with a grain of salt, that doesn’t matter.

For me personally I don’t want to know how much they earn. I really want to know their mindset, how they think about it, their viewpoints, and also the technology they use. So I find it a really refreshing blog item on something that is hard to get.

    So yeah :)

  22. Muad Says:

    Man, if you guys believe what a person who tricks and cons people for a living says in an interview .. have I got a unique real estate opportunity for you in Brooklyn!

  23. RSnake Says:

@Muad - I’ve seen one of his phishing sites (that’s actually how we sort of got in touch). So, while a faux bridge is interesting, at least the portions of the story that I could check were actually verified.

  24. Rep2Sys Says:

Heh, you know bad things are like religion, there are those who believe in ’em, and those who don’t, that’s how it goes..
About lithium… by the looks it seems to be just a kiddo, that’s kinda just a piece of cake for what others in Europe are doing, scam 15-20 hours a day, but for larger amounts of cash… only hearing that you attempt to phish a social network like hi5/myspace or w/e like such will make you look like a fool in their eyes, people down here phished the “big honeypots” from the start… first they ate up on ebay until they got bored, then paypal (Romania was removed from the Country List of the Registration Form on Paypal rofl cuz of that) then they started with banks, the most known of all was Bankofamerica darn they even had their scamming domains used as vhosts setup for IRC lol, it was everywhere… and then slowly they took every single bank that ever existed worldwide… maybe some you never heard of… and those were the “big bucks”, they were trading full infos for a pack of cigs once in a while and you could even find bank account infos on google with 1-2 simple queries…
Many of those phishers/scammers are/were underage and like you may know on this side of the world not all laws on cyber activities are taken so seriously… with that said you get a bigger picture of what is “realistic/unrealistic”… those things that most kids do in the US are definitely just a piece of cake far from what others are doing in other sides of the world… so basically you cannot give a real statistic of how many phishers/scammers are out there…
Since copy/paste was invented many kids believe they are hackers, using some scripts/proggys found over the internet and doing who knows what cuz for sure they don’t, it’s just the curiosity most of the times… and you know what’s the most interesting?? someone out there made/created those scripts/programs and also released them without thinking what “COULD” or “CAN” happen if they are used by some “evil minds”…. but HEY they have a “VERY” good reason to do that…..

    [quote]
    STANDARD DISCLAIMER: This “Hacking Tool” is meant for educational purposes only.
    [/quote]

I hope that now you will realize what “Educational Purpose” means in any such context. What’s more funny is that last week I found something pretty similar BUT it wasn’t a hacking tool/script, it was a scheme to make a bomb, step by step even with pictures and a nice video tutorial… still the first line was ending with “educational purposes only.”.

Sometimes these kiddos are getting bored of phishing/scamming and they jump on *nix and play for fun… they had so much fun with NASA and many other govs, they even created their own chat room on NASA’s servers lmao! One important thing around here is the fame, so for sure they loved to be in the newspaper headlines and for sure they had plenty of fun speaking on TV about it, but HEY you know what US govs could do about it? guess plx! haha Nothing.
    http://www.theregister.co.uk/2006/12/06/romanian_nasa_hacker/
I spoke with Victor yesterday on IRC.. and surely I was surprised when I saw he still has access to some of those gov hosts. :)

    Best Regards…
    Report2System

    Stay safe!

  25. Rep2Sys Says:

Uhm, forgot.. excuse my crappy English grammar.

  26. demond Says:

Heh, interesting read for sure. As for what leetfisher said about stealing from the big boys, have at it. Myspace and the like are constant infection sources for spyware, viruses, trojans etc. They also host such nasty crap as child porn. I say bleed the bastards dry if you want, and more power to you if you manage to put ’em right off the net; you have my gratitude and thanks.

  27. deadmix Says:

hello
so I read this article :) and as you said, it’s really funny :) Spam and scam, we all know that it’s easy! With another term (phishing) all is about implanting a PHP form and you’re in, and for the accounts, what our hacker didn’t say: he uses brute forcing! I guess so, because it’s the easy way used by (so-called) hax0rs; if you take a look at IRC, you will find even younger than our hacker who is 18 years old.
There is also the famous Webmin auto-rooter which also uses brute forcing to get accounts!! As I said: the easy way, then we call them hackers!! Crazy :))

    See ya :)

  28. Alex Says:

I didn’t look at www.myownchanger.com so far, but did I really get the point that he’s not using XSS, CSRF, and so on for phishing?

  29. Rep2Sys Says:

You don’t need too many things to do phishing, minimum required..
    1. fake domain+hosting /fake website uploaded,
    2. E-mail Extractor
    3. Anon Pop3/e-mailer (ex. http://www.101bouquet.com/Uploads/Mailer.php)

  30. TehLeetPhisher Says:

    All people use myownchanger for is for the automated process.

Some people use XSS vectors, some people don’t. All in all, when the quicktime vulnerability was found, the bot was used to place the vector within all of the previously phished users to phish more users as they went to each other’s pages. Once a new list was aggregated, the bot was used again to place the same vector on new profiles–this created a constant flow of new phished traffic. The flash vulnerability was a pure godsend at the time though.

    We’re using bots and vulnerabilities to ease and automate the process. What’s happening is you guys find the exploits, we utilize them and automate them for maximum efficiency through our bots.

    If anyone is interested in seeing statistics on phishes aggregated, I’d be happy to show everyone something. I certainly do not phish anymore so it would be interesting to see some stats on the items like passwords, emails, etc.?

  31. Bob Says:

    @TehLeetPhisher
    you’re my hero dude =)

  32. John Q. Netizen Says:

    Is this PayPal logon page a fake ????

    http://login3.paypalglobaldatabase.com/cgi-bin/webscr.php?cmd=_login-run

    The link was sent in e-mail

    This page:

    http://paypalglobaldatabase.com/

    Shows:

    paypalglobaldatabase.com
    This page is parked free, courtesy of GoDaddy.com

  33. Carl Says:

    @ TehLeetPhisher

I would be interested as well in some of the more operational technicalities. I do have a background in whitehat affiliate marketing. Thus I would be interested in what sort of deals you would strike with blackhats, or would you just have the myspace accounts recommend your afflinks to their peers? How do you get the money safely into your affiliate accounts without them being closed - do the programs all cooperate or do some of them shut down your accounts? They must see where these referrals are coming from.
At least some of your referrals must come across as dodgy when they look at the HTTP referrers if your link is posted on an accessible web site, or do you keep all the stuff in the PM system for that reason?
What’s the process for layering and laundering the money until it lands in your pocket? Affiliate accounts -> intermediate accounts/steps involved -> the ATM / Western Union / egold etc -> your pockets? Thanks in advance