01:50 PM

Imperva Identifies Cloud Based Phishing Kit

Cybercriminals can create attacks spoofing 16 sites, including Facebook, RapidShare and Skype, using the next-generation phishing toolkit.

A recently released, next-generation phishing toolkit promises to automate the tedious task of tricking people into visiting websites designed to steal their financial information. Even better, the toolkit is free. The only hitch: the creators added a backdoor, allowing them to also amass all of the data captured by their phishing toolkit, no matter who uses it.

In other words, it's a pyramid scheme written by hackers to target other hackers, as well as you. While one attacker may amass dozens or hundreds of credentials, the toolkit's creators get the combined take and likely, first stab at every stolen credential.

To date, the toolkit has been widely used to launch phishing attacks that spoof major companies. "The ones we know of are PayPal, Hotmail and Yahoo," said Rob Rachwald, director of security strategy at Imperva, which discovered the toolkit. But the toolkit's settings allow attackers to create attacks spoofing 16 sites in total, including Facebook, RapidShare and Skype. The toolkit is written in English, but includes a tutorial written in Arabic.

Attacks using the toolkit remain very much at large. Furthermore, its creators boasted that the toolkit has been downloaded more than 200,000 times, though obviously, take that number with a grain of salt. "There's no way to validate that, but even if he's exaggerating, and you go with 20,000 times, and everyone who used it manage to get 100 credentials," that's a lot of stolen data, said Rachwald.

Unfortunately, attacks based on the toolkit are likely to stay in circulation. That's because the toolkit uses separate websites for hosting the attack and gathering the stolen data -- a little seen innovation for automated phishing attacks. As a result, said Rachwald, "it may be easy to pull the front end" -- meaning the attack website, which spoofs a real website -- off of the web. "But it's hard to eliminate the back end" that collects data.

If an easy way to block the toolkit remains unknown, one thing that has been positively identified is the identity of the creators, who apparently like to brag. Rachwald said that through "a combination of us being clever and them being stupid," Imperva managed to identity the toolkit creators, including names, photographs and current location -- Algeria.

What did Imperva do, once it learned their identities? "We're not the FBI. So we let some people know," said Rachwald.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-05
system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in a cookie.

Published: 2015-10-05
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate ...

Published: 2015-10-05
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 allows remote authenticated users to bypass intended access restrictions and log into arbitrary meetings by leveraging a meeting id and meetin...

Published: 2015-10-05
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse.

Published: 2015-10-05
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.