Skip to Content

Phishing with Ease

Ninja hackers vs. the lazy mobs who want your credit-card number.
February 20, 2008

Billy Rios and Nitesh Dhanjani spoke about phishing today at the computer-security conference Black Hat 2008, in Washington, DC. (Phishers, who set up websites that resemble legitimate sites in order to gain access to personal information that can be used for identity theft, are searching for good folk who’ll hand over their passwords and credit-card numbers when asked.) Rios and Dhanjani trace phishers, starting from their dangled sites, back through compromised servers, to the forums where identities are bought and sold for as little as 50 cents each. “Are these phishers really the sophisticated, Einsteinian ninja hackers that the media makes them out to be?” asks Dhanjani.

It’s a good question. I swore off my cell phone this morning after seeing David Hulton of Pico Computing and a man known only as “Steve” show how their sophisticated ninja hacking could be used to listen in on my phone conversations, read my texts, and possibly even gain control of my cell phone’s core, the sim card, and use it to spy on me through my phone’s microphones even when I’m not actively making a call. But I’ll be honest with you: I’m going to go home and return to business as usual on my cell phone. I doubt that David and Steve will be around the corner from me. And although they say their process–which can decrypt the security on voice and SMS signals sent through the popular Global System for Mobile communications network–will be open source and also available as a commercial device, a would-be spy is still looking at $1,000 worth of equipment to get into the business of listening to me talk recipes with Mom.

On the other hand, phishing kits–which can be used to compromise a server, set up a fake site, and e-mail sensitive information wherever you want it to go–are easy to come by, according to Rios and Dhanjani. By slinging a little lingo, Rios says that he convinced a phisher to give him a set of 100 kits, which, had he chosen to use them, would have allowed him to set up fake versions of, Bank of America, and a slew of other sites. The kits are so easy to deploy, he says, that a would-be phisher doesn’t even need to be able to read the code in which they’re written. The fact is made even more evident by the barely hidden back doors scattered through the kits, ready to return information to the phisher who provided the kits, as well as the phisher who sets them up. Rios and Dhanjani, working on their own time, found a network of people all too willing to sell them identities, give them phishing kits, and sell them devices to collect credit-card information from ATMs.

“We could have kept following the trails for 10 years,” Rios says to a group of us after the presentation. Solutions are hard to come by, the two researchers say, as long as personal information remains static (such as in the form of social-security numbers). To even begin to make a dent, they say, companies must raise the bar a little, so that would-be phishers need a little more in the way of technical skills in order to pull off their exploits. For example, Rios says, it might help if sites requiring authentication put a cookie on the browsers of legitimate users and only allow users to log in if they have the cookie.

In the meantime, Rios says that he’s gotten paranoid about using ATMs: he even feels for the skimmers that can be installed over the pinpad or the card swipers to steal data. That’s a paranoia that could stick with me. I find that I view hordes of lazy phishers who want my credit-card number as a more immediate threat than a ninja hacker, against whom my only real defense is to unplug.

Keep Reading

Most Popular

open sourcing language models concept
open sourcing language models concept

Meta has built a massive new language AI—and it’s giving it away for free

Facebook’s parent company is inviting researchers to pore over and pick apart the flaws in its version of GPT-3

transplant surgery
transplant surgery

The gene-edited pig heart given to a dying patient was infected with a pig virus

The first transplant of a genetically-modified pig heart into a human may have ended prematurely because of a well-known—and avoidable—risk.

Muhammad bin Salman funds anti-aging research
Muhammad bin Salman funds anti-aging research

Saudi Arabia plans to spend $1 billion a year discovering treatments to slow aging

The oil kingdom fears that its population is aging at an accelerated rate and hopes to test drugs to reverse the problem. First up might be the diabetes drug metformin.

Yann LeCun
Yann LeCun

Yann LeCun has a bold new vision for the future of AI

One of the godfathers of deep learning pulls together old ideas to sketch out a fresh path for AI, but raises as many questions as he answers.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.