Saturday, June 11, 2005

So you want to be a phisher


Picture credit: http://tecfa.unige.ch
Like most Internet users, I've been awash in a deluge of phishing attempts of late. Unlike most users, though, I enjoy tracking down the source of the spam mails, the location of the false storefronts, and their owners. I think I've nailed down the typical modus operandi. Here's the lifecycle of a typical phishing scam, at least so far as I can tell.

  • Phisher uses IRC or similar means to surreptitiously meet with other blackhats and trade, purchase or otherwise acquire stolen credit-card data

  • Phisher uses stolen credit card to purchase domain name (optional)

  • Phisher uses stolen credit card to open a shared web hosting account

  • Phisher creates false storefront on new site

  • Phisher uses IRC or similar means to acquire list of open mail-servers or spamming accounts that can be used to send phishing emails

  • Phisher uses mass-mailing software to dispatch thousands or millions of phishing emails to direct victims to the bogus site

  • Phisher waits for the dough to roll in

  • After enough complaints arrive, the web hosting provider will inevitably determine that the bogus site needs to be shut down. At this point the phishing scam -- at least temporarily -- comes to a screeching halt.

Can we learn anything from this lifecycle?

I think we can. Hosting providers need to implement a little bit of technology: call it an anti-phishing package (APP). The package would be a process running on each shared server. Using the server's log files, APP would perform the following tasks:

  • Detect any new site (i.e., less than 90 days old) that receives a sudden burst of traffic

  • Examine the traffic for form submissions (GETs or POSTs)

  • Examine the traffic for pages named login, auth, etc.

  • In the event that any or all of these criteria are met, APP sends an automatic email to system administrators. They can then examine the suspect site and shut it down if necessary.
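As an added illustration (my own example, not code from the original post or from any hosting provider), here is a minimal APP-style pass over a constructed sample of per-vhost access-log lines: it flags sites under 90 days old that show a burst of hits, form submissions (POSTs or GETs with a query string), or requests to pages named login/auth and the like. The vhost-prefixed log layout, the account-creation dates and the burst threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: Apache combined log with the virtual host prepended.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample: four hits from different IPs to a 20-day-old site, one to an old site.
SAMPLE_LOG = """\
shop-verify.example 198.51.100.10 - - [11/Jun/2005:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512
shop-verify.example 198.51.100.11 - - [11/Jun/2005:10:00:05 +0000] "POST /login.php HTTP/1.1" 302 0
shop-verify.example 198.51.100.12 - - [11/Jun/2005:10:00:09 +0000] "GET /auth/confirm?acct=x HTTP/1.1" 200 300
shop-verify.example 198.51.100.13 - - [11/Jun/2005:10:00:12 +0000] "POST /login.php HTTP/1.1" 302 0
oldsite.example 203.0.113.5 - - [11/Jun/2005:10:00:15 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Constructed account-creation dates, as a hosting provider's own records would supply them.
SITE_CREATED = {"shop-verify.example": "2005-05-22", "oldsite.example": "2003-01-10"}

# Page names the post lists (login, auth) plus a couple of common variants.
LOGIN_PAGE = re.compile(r"(login|auth|signin|verify)", re.I)

def analyze(log_text, created, today, burst=4, max_age_days=90):
    """Return {vhost: [reasons]} for new sites that meet any APP criterion."""
    now = datetime.strptime(today, "%Y-%m-%d")
    stats = defaultdict(lambda: {"hits": 0, "forms": 0, "login": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole pass
        s = stats[m["vhost"]]
        s["hits"] += 1
        if m["method"] == "POST" or "?" in m["path"]:
            s["forms"] += 1  # a form submission, by POST or by GET query string
        if LOGIN_PAGE.search(m["path"]):
            s["login"] += 1
    alerts = {}
    for vhost, s in stats.items():
        born = datetime.strptime(created.get(vhost, "1970-01-01"), "%Y-%m-%d")
        age = (now - born).days
        if age >= max_age_days:
            continue  # only sites younger than the cutoff are of interest
        reasons = []
        if s["hits"] >= burst:
            reasons.append(f"new site ({age}d old) with burst of {s['hits']} hits")
        if s["forms"]:
            reasons.append(f"{s['forms']} form submissions")
        if s["login"]:
            reasons.append(f"{s['login']} hits on login/auth pages")
        if reasons:
            alerts[vhost] = reasons  # in a real APP this is where the admin email goes out
    return alerts
```

A production version would count hits per time window rather than per log file, since a "burst" only means something relative to the site's normal rate.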

I would hope that the major shared hosting providers are already running a process like APP.