Billy Rios and Nitesh Dhanjani spoke about phishing today at the computer-security conference Black Hat 2008, in Washington, DC. (Phishers, who set up websites that resemble legitimate sites in order to gain access to personal information that can be used for identity theft, are searching for good folk who’ll hand over their passwords and credit-card numbers when asked.) Rios and Dhanjani trace phishers, starting from their dangled sites, back through compromised servers, to the forums where identities are bought and sold for as little as 50 cents each. “Are these phishers really the sophisticated, Einsteinian ninja hackers that the media makes them out to be?” asks Dhanjani.
It’s a good question. I swore off my cell phone this morning after seeing David Hulton of Pico Computing and a man known only as “Steve” show how their sophisticated ninja hacking could be used to listen in on my phone conversations, read my texts, and possibly even gain control of my cell phone’s core, the sim card, and use it to spy on me through my phone’s microphones even when I’m not actively making a call. But I’ll be honest with you: I’m going to go home and return to business as usual on my cell phone. I doubt that David and Steve will be around the corner from me. And although they say their process–which can decrypt the security on voice and SMS signals sent through the popular Global System for Mobile communications network–will be open source and also available as a commercial device, a would-be spy is still looking at $1,000 worth of equipment to get into the business of listening to me talk recipes with Mom.
On the other hand, phishing kits–which can be used to compromise a server, set up a fake site, and e-mail sensitive information wherever you want it to go–are easy to come by, according to Rios and Dhanjani. By slinging a little lingo, Rios says that he convinced a phisher to give him a set of 100 kits, which, had he chosen to use them, would have allowed him to set up fake versions of Amazon.com, Bank of America, and a slew of other sites. The kits are so easy to deploy, he says, that a would-be phisher doesn’t even need to be able to read the code in which they’re written. The fact is made even more evident by the barely hidden back doors scattered through the kits, ready to return information to the phisher who provided the kits, as well as the phisher who sets them up. Rios and Dhanjani, working on their own time, found a network of people all too willing to sell them identities, give them phishing kits, and sell them devices to collect credit-card information from ATMs.
“We could have kept following the trails for 10 years,” Rios says to a group of us after the presentation. Solutions are hard to come by, the two researchers say, as long as personal information remains static (such as in the form of social-security numbers). To even begin to make a dent, they say, companies must raise the bar a little, so that would-be phishers need a little more in the way of technical skills in order to pull off their exploits. For example, Rios says, it might help if sites requiring authentication put a cookie on the browsers of legitimate users and only allow users to log in if they have the cookie.
In the meantime, Rios says that he’s gotten paranoid about using ATMs: he even feels for the skimmers that can be installed over the pinpad or the card swipers to steal data. That’s a paranoia that could stick with me. I find that I view hordes of lazy phishers who want my credit-card number as a more immediate threat than a ninja hacker, against whom my only real defense is to unplug.