Phishers increasingly scamming other phishers

A new study conducted by Marco Cova, Christopher Kruegel, and Giovanni Vigna, provides factual evidence of a wellSample Phishing Pages known practice by experienced phishers, namely, backdooring phishing pages that they would later on distribute for free across the IT underground, in order to build a covert network where other phishers would be unknowingly providing them with the accounting data that they would eventually obtain :

“We consider a kit to be backdoored if it sends the phished information to addresses other than those found in clear in the kit’s code. We found 129 of the kits from distribution sites (slightly more than one third) to be backdoored. Among live kits, 61 (40%) are backdoored. Of these, 20 send the phished information to addresses also found in 8 kits obtained from distribution sites. Assuming that authors and users of kits are different individuals, this shows that backdoors are effective. That is, in a significant number of cases, they do not appear to be detected. At the same time, it seems that, when identified, backdoors are updated to send the stolen information to new recipients.”

Backdooring phishing pages is a rather primitive example of cybercriminals attempting to scam other cybercriminals. Moreover, a distinction should be made between a phishing kit and phishing page in order to consider the minimalistic impact of backdooring a single phishing page, or an entire phishing kit, where the second approach would aim at obtaining all of the stolen virtual goods on the second cybercriminal’s computer if he’s naive enough to get infected with a phishing kit that would ironically let another cybercriminal get hold of all the virtual goods he has already stolen.

The more sophisticated tactics have to do with attempts to hijack one another’s botnet though exploiting remotely executable flaws in popular malware kits, like Zeus and Pinch for instance, both of which are vulnerable flaws allowing someone to backdoor the command and control interfaces. Crimeware just like legitimate software is vulnerable to insecure coding practices, which when combined with the obvious monopoly of a certain crimeware kit easily puts it under a coordinated code scrutiny from the IT underground, looking for ways to exploit access to known command and control servers. Now, that’s a far more “beneficial” approach of scamming one another next to simply backdooring a phishing page, since crimeware kits serving banking malware use far more sophisticated approaches to hijack E-banking sessions, compared to a simple phishing email.

Taking a more strategic approach, a cybercriminal wanting to scam another cybercriminal would backdoor a highly expensive web malware exploitation kit, then start distributing it for free, and in fact, there have been numerous cases when such kits have been distributed in such a fraudulent manner. The result is a total outsourcing of the process of coming up with ways to infect hundreds of thousands of users though client side exploits embedded or SQL injected at legitimate sites, and basically collecting the final output - the stolen E-banking data and the botnet itself.

Ironically, there’s no such thing as a free web malware exploitation kit if we’re to consider the existence of backdoored kits, and with cybercriminals starting to realize the return on investment of having someone else to do the scam for them, knowingly or unknowingly, we’ll be definitely witnessing more activity in the spirit of cybercriminals attempting to scam other cybercriminals.

[Source: zdnet]