Gone phishing

By Staff Writer, ITWeb
Johannesburg, 09 May 2008

E-criminals take note: the kits you need to launch phishing attacks and spoof Web sites are now available on the Internet - free.

PandaLabs, the malware detection and analysis laboratory at Panda Security, says it has discovered several free phishing kits on the Web that allow cyber-crooks to send out fraudulent e-mails.

These tools allow online criminals to spoof bank pages and e-mails, online pay platforms, Gmail and YahooMail accounts, online games (Xbox password theft) and blogs (Fotolog access credentials), says Jeremy Matthews, head of Panda Security's sub-Saharan operations.

"The really crazy thing is that these kits are free," he says, "and due to the simplicity of the tools, the number of phishing attacks is drastically increasing, causing companies and consumers large losses. According to a study conducted by Gartner, phishing attacks caused US consumers losses of $3.2 billion in 2007."

Comparable South African figures are not available although SA Fraud Prevention Services CE Pat Cunningham last month said companies had reported losses of R276 million to it from identity-theft-related fraud. That was just for the first three months of this year, he added.

Matthews says the kits operate as follows: upon accessing a URL that contains the kits, users obtain the files to create a fraudulent mail; one file allows them to spoof mails from banks and pay platforms, while the other allows them to create a fraudulent page that resembles the original.

Additionally, the kits include a PHP program, which is also free, to send e-mails from the spoofed page. Cyber-crooks can also choose the way in which to receive the stolen data: TXT files stored on a server, a message in their mailbox, etc.

The rest of the process is similar to other phishing scenarios: the false e-mail is sent to several mail addresses, with a link to a malicious page in which users are requested to enter the personal details cyber-crooks want - such as e-mail addresses and bank passwords.
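The e-mail step described above relies on a link whose visible text names the bank while its real target is the fraudulent page. The following is an added, defensive example written for this page; it is not code from the ITWeb article, from PandaLabs or from any phishing kit. It parses an HTML mail body, extracts each anchor's displayed text and `href`, and flags links where the displayed hostname and the actual target belong to different registrable domains. The sample message and every domain in it are constructed placeholders; the `_registrable` helper is a deliberately crude approximation of public-suffix handling (enough for `co.za`-style suffixes, not a full suffix list).

```python
"""Flag display-text/target mismatches in the links of an HTML e-mail.

Added example, not from the article or PandaLabs. A mail that shows
'www.example-bank.co.za' but links to a different domain is the pattern
the article describes; this check surfaces it for a mail filter or an
analyst triaging a reported message.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first link displays one bank domain but points elsewhere.
SAMPLE_MAIL = """
<p>Dear customer, please confirm your details at
<a href="http://login-example-bank.example.net/verify">www.example-bank.co.za</a>
within 24 hours.</p>
<a href="https://www.example-bank.co.za/help">Help centre</a>
"""


def _registrable(host):
    """Approximate the registrable domain: the last two labels, or the last
    three when the suffix looks like a two-part one such as 'co.za'.
    Assumption: good enough for this illustration; use a public-suffix
    list in production."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and len(parts[-1]) == 2 and len(parts[-2]) <= 3:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text) pairs whose displayed text looks like a hostname
    or URL in a different registrable domain from the real target."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        target = urlparse(href).hostname
        if not target:
            continue
        shown = text.lower()
        if shown.startswith(("http://", "https://")):
            shown = urlparse(shown).hostname or ""
        # Only compare when the visible text itself names a host.
        if "." in shown and " " not in shown and _registrable(shown) != _registrable(target):
            flagged.append((href, text))
    return flagged


if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_MAIL):
        print(f"MISMATCH: shows {text!r} but links to {href}")
```

Links whose visible text is plain wording ("Help centre") are not compared, since there is nothing for the user to be misled by; the check targets the specific deception the article describes, where the text itself impersonates a domain.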

"To obtain e-mail addresses to spam, cyber-crooks buy lists of addresses on the Internet, although some are free," says Matthews, adding that if "we throw free hosting services into the mix, the result is cyber-crooks launching phishing attacks at no cost whatsoever".
