Attacks/Breaches
7/23/2010
01:50 PM
Connect Directly
RSS
E-Mail
50%
50%

Imperva Identifies Cloud Based Phishing Kit

Cybercriminals can create attacks spoofing 16 sites, including Facebook, RapidShare and Skype, using the next-generation phishing toolkit.

A recently released, next-generation phishing toolkit promises to automate the tedious task of tricking people into visiting websites designed to steal their financial information. Even better, the toolkit is free. The only hitch: the creators added a backdoor, allowing them to also amass all of the data captured by their phishing toolkit, no matter who uses it.

In other words, it's a pyramid scheme written by hackers to target other hackers, as well as you. While one attacker may amass dozens or hundreds of credentials, the toolkit's creators get the combined take and likely, first stab at every stolen credential.

To date, the toolkit has been widely used to launch phishing attacks that spoof major companies. "The ones we know of are PayPal, Hotmail and Yahoo," said Rob Rachwald, director of security strategy at Imperva, which discovered the toolkit. But the toolkit's settings allow attackers to create attacks spoofing 16 sites in total, including Facebook, RapidShare and Skype. The toolkit is written in English, but includes a tutorial written in Arabic.

Attacks using the toolkit remain very much at large. Furthermore, its creators boasted that the toolkit has been downloaded more than 200,000 times, though obviously, take that number with a grain of salt. "There's no way to validate that, but even if he's exaggerating, and you go with 20,000 times, and everyone who used it manage to get 100 credentials," that's a lot of stolen data, said Rachwald.

Unfortunately, attacks based on the toolkit are likely to stay in circulation. That's because the toolkit uses separate websites for hosting the attack and gathering the stolen data -- a little seen innovation for automated phishing attacks. As a result, said Rachwald, "it may be easy to pull the front end" -- meaning the attack website, which spoofs a real website -- off of the web. "But it's hard to eliminate the back end" that collects data.

If an easy way to block the toolkit remains unknown, one thing that has been positively identified is the identity of the creators, who apparently like to brag. Rachwald said that through "a combination of us being clever and them being stupid," Imperva managed to identity the toolkit creators, including names, photographs and current location -- Algeria.

What did Imperva do, once it learned their identities? "We're not the FBI. So we let some people know," said Rachwald.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio