[ISN] Underground showdown: defacers take on phishers

From: InfoSec News (isn@private)
Date: Fri May 27 2005 - 00:25:40 PDT


Forwarded from: security curmudgeon <jericho@private>

http://www.theregister.co.uk/2005/05/22/defacers_take_on_phishers_in_underground_showdown/

By Robert Lemos, SecurityFocus
22nd May 2005 

Groups fighting against online criminals intent on phishing have
gained allies from another species of underground miscreant: website
defacers.

On Thursday, Internet monitoring firm Netcraft reported that some
users of the company's anti-phishing toolbar followed links to fake
financial sites only to find them defaced with anti-phishing messages.  
While defacements in the past have consisted mainly of sophomoric
messages and political diatribe, the recent attacks by website
defacers on phishing fraud could actually help warn online users
before they become victims, said Paul Mutton, a services developer for
Internet monitoring provider Netcraft.

"It is undoubtedly a good thing in that they are helping to protect
innocent web users," he said. "On the other hand, it is perhaps
unfortunate in that it's probably illegal."

The do-good defacements are still rare incidents, but could gain steam
as phishing fraud continues to rise and the online scam artists become
more organized and professional, Mutton said.

Phishing, which uses email and fake websites to lure users into giving
up sensitive and financial information, is a growing threat, according
to the Anti-Phishing Working Group. The average number of active
phishing sites reported to the group has increased an average of 28
per cent per month since July 2004 with 2870 sites discovered in
March, the last month for which data is available.

While the March data is down from the preceding month, other
indicators suggest the problem is worsening, said Dan Hubbard, senior
director of security and technology for web-filtering firm Websense
and one of eight committee members for the APWG.

"Although some of those numbers appear to be flattening, that doesn't
mean the problem is getting better," Hubbard said.

The technical prowess of phishing groups has gotten better, according
to another report released this week. Criminal groups now attack
multiple server types with prebuilt tools for controlling compromised
computers and sending out spam, according to an analysis done by the
Honeynet Project, which uses heaviliy monitored servers as bait for
online attackers to gain insight into the techniques of Internet
criminals.

Using two incidents where honeynets - groups of honeypot servers -
were compromised by phishing groups, the Honeynet Project eavesdropped
on criminal organizations' methods. One compromised server in Germany,
for example, was quickly loaded with multiple sophisticated websites
designed to mimic well-known brands. That site had more than 720
victims visit that server's fake website in 36 hours, according to the
report. (The Honeynet Project caused the web application to fail so
that no user data was compromised.)

The increase in fraud activity has apparently irked some web defacers.

While website taggers have targeted the criminals behind phishing
scams since at least 2003, anecdotal evidence seems to indicate that
the number of defacers that have turned their attention to the fake
websites is increasing. One group, The Lad Wrecking Crew, has
regularly defaced a handful of fraudulent websites in conjunction with
flashmob events held by Artists Against 419, a vigilante group that
attempts to flood scammers' bandwidth with data requests.

The groups target so-called 419 scams, a variant of phishing named
after the Nigerian law created to combat them. The modern era of
phishing is exemplified by emails messages from Nigerians posing as
business partners trying to move money out of the African country.

Targeting the websites created by online fraudsters is still not a
common practice, however. Following the release of its anti-phishing
toolbar for Internet Explorer five months ago, Netcraft users have
reported some 6,600 websites that have been part of a phishing scam,
but only a few sites have been found to be defaced, Mutton said.

However, with the amount of effort being put into defacing the
fraudulent sites, Mutton believes that the practice will continue, and
likely become more popular. While some defacers, such as Sickophish,
replaced scam sites with the simple message "Warning - This was a scam
site," the more prolific Lad Wrecking Crew has created complex
graphics for their web defacements. A recent example has Star Wars
themed graphics and nods to more than 50 other people fighting
phishing scams.

"That suggests that these people pursue this 'hobby' because they
genuinely want to thwart the efforts of phishers, much as open source
software developers strongly feel the need to write quality software
for free," Mutton said. "I see no reason why they'd want to suddenly
stop; if anything, I'd expect it to grow along with phishing in
general."

Defacement activity on the Internet is certainly increasing, jumping
36 per cent in 2004 compared to the previous year, said Roberto
Preatoni, founder of defacement database and security site Zone-h.org.

Preatoni thinks that more defacements will not necessarily mean that
more defacers will be going after fake websites. He believes that
phishing fraudsters will get better at protecting their compromised
website resources, essentially outgunning the less technical defacers.

"Phishers are usually using high skilled hackers to set up machines -
therefore, the same cracker might patch the attacked machine in order
to keep it online as much as possible," Preatoni said in an email
interview.

Complicating the defense of any anti-phishing attack, once a defacer
tags a website with digital graffiti, it becomes hard to prove that it
was a fraudulent site, he added.

Yet, it might be a while before law enforcement puts vigilante
defacers in their site, Jennifer Granick, an attorney and executive
director for Stanford University's Center for Internet and Society.

It's unlikely that many law enforcement officials will go after Web
defacers who are posting warnings to potential victims of phishing
fraud. Prosecutors can pick and choose the cases in which they want to
invest time, and helping out bank fraudsters is not likely a high
priority, Granick said.

"I don't think authorities are going to want to get their name out
there for helping fake banks," she said.

However, even a good cause does not make the activity legal, she
stressed. There is no exception in the law for good intent.

"The law doesn't have an exception for motive," she said. "If you
access a computer without authorization, then you are committing
unauthorized access."

Copyright © 2005



_________________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Fri May 27 2005 - 02:17:10 PDT