Panda Labs posted a report about a string of Phishing kits discovered recently, which, unlike some of their better-known counterparts, are free to use. The news is not groundbreaking, but it does serve as a reminder that nowadays anyone can get in on the act of performing criminal activities online.
Phishers get phree tools for their crimes. (IMG: J.Anderson)
Panda Labs is reporting on the discovery of free Phishing kits that allow criminals, both professionals and script kiddies, to spoof bank pages and emails, online pay platforms, GMail and Yahoo accounts, online games (Xbox password theft) and blogs (Fotolog access credentials).
Upon accessing a URL that contains the kits, users obtain the files to create a fraudulent mail; one file allows them to spoof mails of banks, pay platforms etc., and the other allows them to create a fraudulent page that resembles the original. Additionally, the kit includes a PHP program, which is also free, to send emails from the spoofed page.
“The really amazing thing is, these kits are free,” explains Luis Corrons, Technical Director of PandaLabs. “Due to the simplicity of the tools, the number of Phishing attacks increases, causing companies and consumers large losses. According to a study conducted by Gartner, Phishing attacks caused U.S. consumers losses for US$3.2 billion in 2007.”
“To obtain email addresses to spam, [criminals] buy lists of addresses on the Internet, although some are free,” claims Luis Corrons, who adds, “If we add free hosting services, the result is, [criminals] launching Phishing attacks for no cost whatsoever.” The scripts also let the user choose how the captured data is stored: TXT files stored on a server, a message in their mailbox, etc.
While the discovery of the free kits is hardly fear-inspiring news, it resembles something that was being sold in early 2007. RSA, the security division of EMC, reported early last year about something called the “Pocket Phisherman” being sold online. The man-in-the-middle tool was being sold and used online to advance common Phishing schemes in a stronger effort to gain access to consumer information.
Phishing is still a game of the mind: if you can convince the end user to submit their information, then the attack works; there is no real science to this form of crime. The best defense is training to spot Phishing attacks, and filtering on the email server to block most of the messages used for it.