Phishing the phishers: Sneaky crooks put backdoors into kits for wannabe fraudsters
Video: Think cybercriminals are happy about the rise of ransomware? Think again
It seems the old warning 'you get what you pay for' can just as easily be applied to items purchased on underground forums and the dark web as it can to anything you buy elsewhere, because unbeknown to those experimenting with free phishing kits, they're secretly being phished themselves.
An analysis of over one thousand phishing kits designed to allow wannabe cybercriminals to build phishing emails and websites found that, in a significant proportion of cases, the trainee phishers are being compromised, with their stolen data being secretly sent to the kit authors.
With phishing simple to carry out but potentially very financially rewarding -- some of the highest profile cyber-attacks of recent years began with a phishing email -- it's no wonder that newbie hackers want in.
But their lack of skill is coming back to bite some of these aspiring cybercriminals, who might find that all their ill-gotten gains are also transferred to the original author of the kit.
Researchers at Imperva analysed 1,019 readily-available phishing kits, finding underground markets filled with low-cost and free phishing kits advertised as means of providing aspiring cyber-attackers with a route into the illegal industry.
Naive, aspiring cybercriminals don't realise they're phishing attacks are being exploited by more experienced attackers.
"Underground markets are full of phishing kits at all levels and cost, some even distributed at no charge, usually revealing one of the oldest rules in the book -- you get what you pay for," said Luda Lazar, security research engineer at Imperva. "Here we found the only free cheese is in the mousetrap," she added.
While these phishing kits did provide aspiring attackers with the files necessary to create a copy of target websites and steal valuable information, many of these free offerings contain an undisclosed backdoor.
See also: What is phishing? Everything you need to know to protect yourself from scam emails and more
That means the kit author is able to secretly track the campaigns of the crooks using the software and gain access to the stolen information themselves. In doing so, they're able exploit the likes of stolen usernames, passwords, and credit card details without putting in the effort required to collect them.
As a result, the phishing kit user can't reap much from their criminal gains, as in many cases, victims will change passwords or cancel credit cards if they realise they've been targeted.
"About 25 percent of the kits contained implicit recipients which receive emails with the phishing results as well as the kit buyers who were intended to receive it. We assume that the hidden addresses belong to the kits' authors, which are actually stealing from the inexperienced phishers who deploy these kits," said Lazar.
Ultimately, by offering these phishing kits for free, it provides those behind them with the largest possible pool of victims to exploit -- and it's not as if a hacker can complain to the authorities that they've been scammed.
Recent and related coverage
This phishing attack pretends to come from someone you trust
A new phishing campaign uses invoices and other lures in order to trick victims into downloading malicious software.
Android security triple-whammy: New attack combines phishing, malware, and data theft
Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.
This Netflix-flavoured phishing attack targets your business emails
Attackers take advantage of people using corporate email addresses for consumer services.
READ MORE ON CYBERCRIME
- State-sponsored hackers turn on each other
- How to spot a phishing email [CNET]
- Cybercrime Inc: How hacking gangs are modeling themselves on big business
- Ransomware: Now cybercriminals are stealing code from each other
- One surprising statistic explains why phishing will remain the most common cyberattack for the next few years [TechRepublic]