Attacks/Breaches
7/23/2010
01:50 PM
Connect Directly
RSS
E-Mail
50%
50%

Imperva Identifies Cloud Based Phishing Kit

Cybercriminals can create attacks spoofing 16 sites, including Facebook, RapidShare and Skype, using the next-generation phishing toolkit.

A recently released, next-generation phishing toolkit promises to automate the tedious task of tricking people into visiting websites designed to steal their financial information. Even better, the toolkit is free. The only hitch: the creators added a backdoor, allowing them to also amass all of the data captured by their phishing toolkit, no matter who uses it.

In other words, it's a pyramid scheme written by hackers to target other hackers, as well as you. While one attacker may amass dozens or hundreds of credentials, the toolkit's creators get the combined take and likely, first stab at every stolen credential.

To date, the toolkit has been widely used to launch phishing attacks that spoof major companies. "The ones we know of are PayPal, Hotmail and Yahoo," said Rob Rachwald, director of security strategy at Imperva, which discovered the toolkit. But the toolkit's settings allow attackers to create attacks spoofing 16 sites in total, including Facebook, RapidShare and Skype. The toolkit is written in English, but includes a tutorial written in Arabic.

Attacks using the toolkit remain very much at large. Furthermore, its creators boasted that the toolkit has been downloaded more than 200,000 times, though obviously, take that number with a grain of salt. "There's no way to validate that, but even if he's exaggerating, and you go with 20,000 times, and everyone who used it manage to get 100 credentials," that's a lot of stolen data, said Rachwald.

Unfortunately, attacks based on the toolkit are likely to stay in circulation. That's because the toolkit uses separate websites for hosting the attack and gathering the stolen data -- a little seen innovation for automated phishing attacks. As a result, said Rachwald, "it may be easy to pull the front end" -- meaning the attack website, which spoofs a real website -- off of the web. "But it's hard to eliminate the back end" that collects data.

If an easy way to block the toolkit remains unknown, one thing that has been positively identified is the identity of the creators, who apparently like to brag. Rachwald said that through "a combination of us being clever and them being stupid," Imperva managed to identity the toolkit creators, including names, photographs and current location -- Algeria.

What did Imperva do, once it learned their identities? "We're not the FBI. So we let some people know," said Rachwald.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-3304
Published: 2014-10-30
Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI.

CVE-2013-7409
Published: 2014-10-30
Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file.

CVE-2014-3446
Published: 2014-10-30
SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter.

CVE-2014-3584
Published: 2014-10-30
The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service.

CVE-2014-3623
Published: 2014-10-30
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vect...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.