Feeds

Underground showdown: defacers take on phishers

Kapow!

  • alert
  • submit to reddit

Website security in corporate America

Groups fighting against online criminals intent on phishing have gained allies from another species of underground miscreant: website defacers.

On Thursday, Internet monitoring firm Netcraft reported that some users of the company's anti-phishing toolbar followed links to fake financial sites only to find them defaced with anti-phishing messages. While defacements in the past have consisted mainly of sophomoric messages and political diatribe, the recent attacks by website defacers on phishing fraud could actually help warn online users before they become victims, said Paul Mutton, a services developer for Internet monitoring provider Netcraft.

"It is undoubtedly a good thing in that they are helping to protect innocent web users," he said. "On the other hand, it is perhaps unfortunate in that it's probably illegal."

The do-good defacements are still rare incidents, but could gain steam as phishing fraud continues to rise and the online scam artists become more organized and professional, Mutton said.

Phishing, which uses email and fake websites to lure users into giving up sensitive and financial information, is a growing threat, according to the Anti-Phishing Working Group. The average number of active phishing sites reported to the group has increased an average of 28 per cent per month since July 2004 with 2870 sites discovered in March, the last month for which data is available.

While the March data is down from the preceding month, other indicators suggest the problem is worsening, said Dan Hubbard, senior director of security and technology for web-filtering firm Websense and one of eight committee members for the APWG.

"Although some of those numbers appear to be flattening, that doesn't mean the problem is getting better," Hubbard said.

The technical prowess of phishing groups has gotten better, according to another report released this week. Criminal groups now attack multiple server types with prebuilt tools for controlling compromised computers and sending out spam, according to an analysis done by the Honeynet Project, which uses heaviliy monitored servers as bait for online attackers to gain insight into the techniques of Internet criminals.

Using two incidents where honeynets - groups of honeypot servers - were compromised by phishing groups, the Honeynet Project eavesdropped on criminal organizations' methods. One compromised server in Germany, for example, was quickly loaded with multiple sophisticated websites designed to mimic well-known brands. That site had more than 720 victims visit that server's fake website in 36 hours, according to the report. (The Honeynet Project caused the web application to fail so that no user data was compromised.)

The increase in fraud activity has apparently irked some web defacers.

While website taggers have targeted the criminals behind phishing scams since at least 2003, anecdotal evidence seems to indicate that the number of defacers that have turned their attention to the fake websites is increasing. One group, The Lad Wrecking Crew, has regularly defaced a handful of fraudulent websites in conjunction with flashmob events held by Artists Against 419, a vigilante group that attempts to flood scammers' bandwidth with data requests.

The groups target so-called 419 scams, a variant of phishing named after the Nigerian law created to combat them. The modern era of phishing is exemplified by emails messages from Nigerians posing as business partners trying to move money out of the African country.

Targeting the websites created by online fraudsters is still not a common practice, however. Following the release of its anti-phishing toolbar for Internet Explorer five months ago, Netcraft users have reported some 6,600 websites that have been part of a phishing scam, but only a few sites have been found to be defaced, Mutton said.

However, with the amount of effort being put into defacing the fraudulent sites, Mutton believes that the practice will continue, and likely become more popular. While some defacers, such as Sickophish, replaced scam sites with the simple message "Warning - This was a scam site," the more prolific Lad Wrecking Crew has created complex graphics for their web defacements. A recent example has Star Wars themed graphics and nods to more than 50 other people fighting phishing scams.

"That suggests that these people pursue this 'hobby' because they genuinely want to thwart the efforts of phishers, much as open source software developers strongly feel the need to write quality software for free," Mutton said. "I see no reason why they'd want to suddenly stop; if anything, I'd expect it to grow along with phishing in general."

Defacement activity on the Internet is certainly increasing, jumping 36 per cent in 2004 compared to the previous year, said Roberto Preatoni, founder of defacement database and security site Zone-h.org.

Preatoni thinks that more defacements will not necessarily mean that more defacers will be going after fake websites. He believes that phishing fraudsters will get better at protecting their compromised website resources, essentially outgunning the less technical defacers.

"Phishers are usually using high skilled hackers to set up machines - therefore, the same cracker might patch the attacked machine in order to keep it online as much as possible," Preatoni said in an email interview.

Complicating the defense of any anti-phishing attack, once a defacer tags a website with digital graffiti, it becomes hard to prove that it was a fraudulent site, he added.

Yet, it might be a while before law enforcement puts vigilante defacers in their site, Jennifer Granick, an attorney and executive director for Stanford University's Center for Internet and Society.

It's unlikely that many law enforcement officials will go after Web defacers who are posting warnings to potential victims of phishing fraud. Prosecutors can pick and choose the cases in which they want to invest time, and helping out bank fraudsters is not likely a high priority, Granick said.

"I don't think authorities are going to want to get their name out there for helping fake banks," she said.

However, even a good cause does not make the activity legal, she stressed. There is no exception in the law for good intent.

"The law doesn't have an exception for motive," she said. "If you access a computer without authorization, then you are committing unauthorized access."

Copyright © 2005, SecurityFocus logo

Related stories

Home PCs launch phishing attacks
Phishing gets personal
Brits fall prey to phishing
AOL seeks to block phishing sites
WiPhishing hack risk warning
Save us from spam
Virus writers have girlfriends - official
Netizens learning to tolerate spam - study
eCrime cost UK.biz £2.4bn in 2004
Trojan phishing suspect hauled in

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.