Original URL: https://www.theregister.com/2005/05/22/defacers_take_on_phishers_in_underground_showdown/

Underground showdown: defacers take on phishers

Kapow!

By Robert Lemos, SecurityFocus

Posted in Channel, 22nd May 2005 22:28 GMT

Groups fighting against online criminals intent on phishing have gained allies from another species of underground miscreant: website defacers.

On Thursday, Internet monitoring firm Netcraft reported that some users of the company's anti-phishing toolbar followed links to fake financial sites only to find them defaced with anti-phishing messages. While defacements in the past have consisted mainly of sophomoric messages and political diatribe, the recent attacks by website defacers on phishing fraud could actually help warn online users before they become victims, said Paul Mutton, a services developer for Internet monitoring provider Netcraft.

"It is undoubtedly a good thing in that they are helping to protect innocent web users," he said. "On the other hand, it is perhaps unfortunate in that it's probably illegal."

The do-good defacements are still rare incidents, but could gain steam as phishing fraud continues to rise and the online scam artists become more organized and professional, Mutton said.

Phishing, which uses email and fake websites to lure users into giving up sensitive and financial information, is a growing threat, according to the Anti-Phishing Working Group. The average number of active phishing sites reported to the group has increased an average of 28 per cent per month since July 2004 with 2870 sites discovered in March, the last month for which data is available.

While the March data is down from the preceding month, other indicators suggest the problem is worsening, said Dan Hubbard, senior director of security and technology for web-filtering firm Websense and one of eight committee members for the APWG.

"Although some of those numbers appear to be flattening, that doesn't mean the problem is getting better," Hubbard said.

The technical prowess of phishing groups has gotten better, according to another report released this week. Criminal groups now attack multiple server types with prebuilt tools for controlling compromised computers and sending out spam, according to an analysis done by the Honeynet Project, which uses heaviliy monitored servers as bait for online attackers to gain insight into the techniques of Internet criminals.

Using two incidents where honeynets - groups of honeypot servers - were compromised by phishing groups, the Honeynet Project eavesdropped on criminal organizations' methods. One compromised server in Germany, for example, was quickly loaded with multiple sophisticated websites designed to mimic well-known brands. That site had more than 720 victims visit that server's fake website in 36 hours, according to the report. (The Honeynet Project caused the web application to fail so that no user data was compromised.)

The increase in fraud activity has apparently irked some web defacers.

While website taggers have targeted the criminals behind phishing scams since at least 2003, anecdotal evidence seems to indicate that the number of defacers that have turned their attention to the fake websites is increasing. One group, The Lad Wrecking Crew, has regularly defaced a handful of fraudulent websites in conjunction with flashmob events held by Artists Against 419, a vigilante group that attempts to flood scammers' bandwidth with data requests.

The groups target so-called 419 scams, a variant of phishing named after the Nigerian law created to combat them. The modern era of phishing is exemplified by emails messages from Nigerians posing as business partners trying to move money out of the African country.

Targeting the websites created by online fraudsters is still not a common practice, however. Following the release of its anti-phishing toolbar for Internet Explorer five months ago, Netcraft users have reported some 6,600 websites that have been part of a phishing scam, but only a few sites have been found to be defaced, Mutton said.

However, with the amount of effort being put into defacing the fraudulent sites, Mutton believes that the practice will continue, and likely become more popular. While some defacers, such as Sickophish, replaced scam sites with the simple message "Warning - This was a scam site," the more prolific Lad Wrecking Crew has created complex graphics for their web defacements. A recent example has Star Wars themed graphics and nods to more than 50 other people fighting phishing scams.

"That suggests that these people pursue this 'hobby' because they genuinely want to thwart the efforts of phishers, much as open source software developers strongly feel the need to write quality software for free," Mutton said. "I see no reason why they'd want to suddenly stop; if anything, I'd expect it to grow along with phishing in general."

Defacement activity on the Internet is certainly increasing, jumping 36 per cent in 2004 compared to the previous year, said Roberto Preatoni, founder of defacement database and security site Zone-h.org.

Preatoni thinks that more defacements will not necessarily mean that more defacers will be going after fake websites. He believes that phishing fraudsters will get better at protecting their compromised website resources, essentially outgunning the less technical defacers.

"Phishers are usually using high skilled hackers to set up machines - therefore, the same cracker might patch the attacked machine in order to keep it online as much as possible," Preatoni said in an email interview.

Complicating the defense of any anti-phishing attack, once a defacer tags a website with digital graffiti, it becomes hard to prove that it was a fraudulent site, he added.

Yet, it might be a while before law enforcement puts vigilante defacers in their site, Jennifer Granick, an attorney and executive director for Stanford University's Center for Internet and Society.

It's unlikely that many law enforcement officials will go after Web defacers who are posting warnings to potential victims of phishing fraud. Prosecutors can pick and choose the cases in which they want to invest time, and helping out bank fraudsters is not likely a high priority, Granick said.

"I don't think authorities are going to want to get their name out there for helping fake banks," she said.

However, even a good cause does not make the activity legal, she stressed. There is no exception in the law for good intent.

"The law doesn't have an exception for motive," she said. "If you access a computer without authorization, then you are committing unauthorized access."

Copyright © 2005, SecurityFocus logo

Related stories

Home PCs launch phishing attacks
Phishing gets personal
Brits fall prey to phishing
AOL seeks to block phishing sites
WiPhishing hack risk warning
Save us from spam
Virus writers have girlfriends - official
Netizens learning to tolerate spam - study
eCrime cost UK.biz £2.4bn in 2004
Trojan phishing suspect hauled in