Sponsor for PC Pals Forum

Author Topic: Phishers are lazy... Phishers posting credit card info for all to see  (Read 662 times)

Offline sam

  • Administrator
  • *****
  • Posts: 19966
This is a very interesting look at phishing... and http://www.phishtank.com is worth a view... (I'm glad I use OpenDNS on my parents' system, must block so much of this crap).

http://www.networkworld.com/community/node/30822

Black Hat 2008 Day 1 – Phishers posting credit card info for all to see and a new DNS cache poisoning trick

Quote
Bad Sushi: Beating Phishers at their own game - Excellent session that went into detail on how phishers think, act, and make a profit. Nitesh Dhanjani and Billy Rios (the speakers) showed us how phishers create sites, share info and code, and basically are lazy. I will definitely be blogging on this subject in more detail in the coming days, but the highlights were that phishers are storing their stolen data (credit card numbers, SSNs, ATM cards with PINs, etc.) on websites that they have hacked into or on sites like guestbooks. And even worse, they are not protecting their stolen data at all from access. No passwords, no encryption, no hardening of the compromised server they are using to store this on, nothing! This means that all one need do to find this info for themselves is reverse engineer a real phisher’s website, look at their PHP script, and find out where they are storing the data. Then simply go there and grab the stolen data. Anyone can find an active phishing site by visiting http://www.phishtank.com, a well-known site that hosts info on known bad phishing sites, similar to a URL blacklist site.
To sell things like credit cards, they showed a site called vipdump where you can buy a stolen US credit card number for $20 each. Vipdump is just one of hundreds of such sites, all of which use some form of anonymous payment system like egold or WU. And in case you didn’t know, phishers call their stolen account numbers “dumps”. So one card number is one dump. They went on to talk about skimmers, the phishing community network, code sharing, etc. But I’ll leave that for another blog.
- sam | @starrydude --

Offline Simon

  • Administrator
  • *****
  • Posts: 77123
  • First to score 7/7 in Quiz of The Week's News 2017
Luckily, anti-phishing tools seem to be on board most browsers and AV software now, but there are still many computer users who are totally oblivious to internet security measures.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

