
A View from Erica Naone

Phishing with Ease

Ninja hackers vs. the lazy mobs who want your credit-card number.

February 20, 2008

Billy Rios and Nitesh Dhanjani spoke about phishing today at the computer-security conference Black Hat 2008, in Washington, DC. (Phishers, who set up websites that resemble legitimate sites in order to gain access to personal information that can be used for identity theft, are searching for good folk who’ll hand over their passwords and credit-card numbers when asked.) Rios and Dhanjani trace phishers, starting from their dangled sites, back through compromised servers, to the forums where identities are bought and sold for as little as 50 cents each. “Are these phishers really the sophisticated, Einsteinian ninja hackers that the media makes them out to be?” asks Dhanjani.

It’s a good question. I swore off my cell phone this morning after seeing David Hulton of Pico Computing and a man known only as “Steve” show how their sophisticated ninja hacking could be used to listen in on my phone conversations, read my texts, and possibly even gain control of my cell phone’s core, the SIM card, and use it to spy on me through my phone’s microphones even when I’m not actively making a call. But I’ll be honest with you: I’m going to go home and return to business as usual on my cell phone. I doubt that David and Steve will be around the corner from me. And although they say their process, which can decrypt the security on voice and SMS signals sent through the popular Global System for Mobile Communications network, will be open source and also available as a commercial device, a would-be spy is still looking at $1,000 worth of equipment to get into the business of listening to me talk recipes with Mom.

On the other hand, phishing kits, which can be used to compromise a server, set up a fake site, and e-mail sensitive information wherever you want it to go, are easy to come by, according to Rios and Dhanjani. By slinging a little lingo, Rios says that he convinced a phisher to give him a set of 100 kits, which, had he chosen to use them, would have allowed him to set up fake versions of Amazon.com, Bank of America, and a slew of other sites. The kits are so easy to deploy, he says, that a would-be phisher doesn’t even need to be able to read the code in which they’re written. The fact is made even more evident by the barely hidden back doors scattered through the kits, ready to return information to the phisher who provided the kits as well as to the phisher who sets them up. Rios and Dhanjani, working on their own time, found a network of people all too willing to sell them identities, give them phishing kits, and sell them devices to collect credit-card information from ATMs.

“We could have kept following the trails for 10 years,” Rios says to a group of us after the presentation. Solutions are hard to come by, the two researchers say, as long as personal information remains static (such as in the form of Social Security numbers). To even begin to make a dent, they say, companies must raise the bar a little, so that would-be phishers need a little more in the way of technical skills in order to pull off their exploits. For example, Rios says, it might help if sites requiring authentication put a cookie on the browsers of legitimate users and only allow users to log in if they have the cookie.
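One way to implement the device-recognition cookie Rios describes, as an added example that is not from the talk or the article: an HMAC-signed cookie is issued after a verified login and required on later logins, and a correct password without it routes to out-of-band verification. The function names, the in-memory secret and the step-up path are assumptions.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Server-side signing key; constructed here, load from a secrets store in production.
SERVER_SECRET = os.urandom(32)
COOKIE_TTL = 30 * 24 * 3600  # cookie lifetime in seconds (30 days)


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def issue_device_cookie(username: str, now: Optional[float] = None) -> str:
    """Mint a cookie after a login on a browser the user has verified out of band.
    Format: base64url(username|expiry|nonce) '.' hex HMAC-SHA256 over the payload."""
    now = time.time() if now is None else now
    payload = f"{username}|{int(now) + COOKIE_TTL}|{secrets.token_hex(8)}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_device_cookie(cookie: Optional[str], username: str, now: Optional[float] = None) -> bool:
    """True only if the cookie is well-formed, unexpired, bound to this username and
    carries a valid signature. Every failure maps to False so nothing leaks."""
    if not cookie or "." not in cookie:
        return False
    now = time.time() if now is None else now
    b64, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
        user, expiry_s, _nonce = payload.decode().split("|")
        expiry = int(expiry_s)
    except (ValueError, UnicodeDecodeError):
        return False
    if not hmac.compare_digest(_sign(payload), sig):  # constant-time compare
        return False
    return user == username and expiry >= now


def login(username: str, password_ok: bool, cookie: Optional[str], now: Optional[float] = None) -> str:
    """Decide a login attempt: a correct password alone is not enough on an
    unrecognised browser; that path gets step-up verification before a cookie is issued."""
    if not password_ok:
        return "denied"
    if verify_device_cookie(cookie, username, now):
        return "allowed"
    return "step-up"  # e.g. e-mail or SMS confirmation, after which issue_device_cookie runs
```

Because a browser only sends the cookie to the site that set it, a look-alike phishing page never receives it, so a password captured by a kit does not by itself unlock the account. The step-up path has to resist the same phishing, or the bar is only raised by one step.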

In the meantime, Rios says that he’s gotten paranoid about using ATMs: he even feels for the skimmers that can be installed over the PIN pad or the card swipers to steal data. That’s a paranoia that could stick with me. I find that I view hordes of lazy phishers who want my credit-card number as a more immediate threat than a ninja hacker, against whom my only real defense is to unplug.
