Underground showdown: defacers take on phishers


  • alert
  • submit to reddit

Using blade systems to cut costs and sharpen efficiencies

Groups fighting against online criminals intent on phishing have gained allies from another species of underground miscreant: website defacers.

On Thursday, Internet monitoring firm Netcraft reported that some users of the company's anti-phishing toolbar followed links to fake financial sites only to find them defaced with anti-phishing messages. While defacements in the past have consisted mainly of sophomoric messages and political diatribe, the recent attacks by website defacers on phishing fraud could actually help warn online users before they become victims, said Paul Mutton, a services developer for Internet monitoring provider Netcraft.

"It is undoubtedly a good thing in that they are helping to protect innocent web users," he said. "On the other hand, it is perhaps unfortunate in that it's probably illegal."

The do-good defacements are still rare incidents, but could gain steam as phishing fraud continues to rise and the online scam artists become more organized and professional, Mutton said.

Phishing, which uses email and fake websites to lure users into giving up sensitive and financial information, is a growing threat, according to the Anti-Phishing Working Group. The average number of active phishing sites reported to the group has increased an average of 28 per cent per month since July 2004 with 2870 sites discovered in March, the last month for which data is available.

While the March data is down from the preceding month, other indicators suggest the problem is worsening, said Dan Hubbard, senior director of security and technology for web-filtering firm Websense and one of eight committee members for the APWG.

"Although some of those numbers appear to be flattening, that doesn't mean the problem is getting better," Hubbard said.

The technical prowess of phishing groups has gotten better, according to another report released this week. Criminal groups now attack multiple server types with prebuilt tools for controlling compromised computers and sending out spam, according to an analysis done by the Honeynet Project, which uses heaviliy monitored servers as bait for online attackers to gain insight into the techniques of Internet criminals.

Using two incidents where honeynets - groups of honeypot servers - were compromised by phishing groups, the Honeynet Project eavesdropped on criminal organizations' methods. One compromised server in Germany, for example, was quickly loaded with multiple sophisticated websites designed to mimic well-known brands. That site had more than 720 victims visit that server's fake website in 36 hours, according to the report. (The Honeynet Project caused the web application to fail so that no user data was compromised.)

The increase in fraud activity has apparently irked some web defacers.

While website taggers have targeted the criminals behind phishing scams since at least 2003, anecdotal evidence seems to indicate that the number of defacers that have turned their attention to the fake websites is increasing. One group, The Lad Wrecking Crew, has regularly defaced a handful of fraudulent websites in conjunction with flashmob events held by Artists Against 419, a vigilante group that attempts to flood scammers' bandwidth with data requests.

The groups target so-called 419 scams, a variant of phishing named after the Nigerian law created to combat them. The modern era of phishing is exemplified by emails messages from Nigerians posing as business partners trying to move money out of the African country.

Targeting the websites created by online fraudsters is still not a common practice, however. Following the release of its anti-phishing toolbar for Internet Explorer five months ago, Netcraft users have reported some 6,600 websites that have been part of a phishing scam, but only a few sites have been found to be defaced, Mutton said.

However, with the amount of effort being put into defacing the fraudulent sites, Mutton believes that the practice will continue, and likely become more popular. While some defacers, such as Sickophish, replaced scam sites with the simple message "Warning - This was a scam site," the more prolific Lad Wrecking Crew has created complex graphics for their web defacements. A recent example has Star Wars themed graphics and nods to more than 50 other people fighting phishing scams.

"That suggests that these people pursue this 'hobby' because they genuinely want to thwart the efforts of phishers, much as open source software developers strongly feel the need to write quality software for free," Mutton said. "I see no reason why they'd want to suddenly stop; if anything, I'd expect it to grow along with phishing in general."

Defacement activity on the Internet is certainly increasing, jumping 36 per cent in 2004 compared to the previous year, said Roberto Preatoni, founder of defacement database and security site Zone-h.org.

Preatoni thinks that more defacements will not necessarily mean that more defacers will be going after fake websites. He believes that phishing fraudsters will get better at protecting their compromised website resources, essentially outgunning the less technical defacers.

"Phishers are usually using high skilled hackers to set up machines - therefore, the same cracker might patch the attacked machine in order to keep it online as much as possible," Preatoni said in an email interview.

Complicating the defense of any anti-phishing attack, once a defacer tags a website with digital graffiti, it becomes hard to prove that it was a fraudulent site, he added.

Yet, it might be a while before law enforcement puts vigilante defacers in their site, Jennifer Granick, an attorney and executive director for Stanford University's Center for Internet and Society.

It's unlikely that many law enforcement officials will go after Web defacers who are posting warnings to potential victims of phishing fraud. Prosecutors can pick and choose the cases in which they want to invest time, and helping out bank fraudsters is not likely a high priority, Granick said.

"I don't think authorities are going to want to get their name out there for helping fake banks," she said.

However, even a good cause does not make the activity legal, she stressed. There is no exception in the law for good intent.

"The law doesn't have an exception for motive," she said. "If you access a computer without authorization, then you are committing unauthorized access."

Copyright © 2005, SecurityFocus logo

Related stories

Home PCs launch phishing attacks
Phishing gets personal
Brits fall prey to phishing
AOL seeks to block phishing sites
WiPhishing hack risk warning
Save us from spam
Virus writers have girlfriends - official
Netizens learning to tolerate spam - study
eCrime cost UK.biz £2.4bn in 2004
Trojan phishing suspect hauled in

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.