June 2009 Archives

I regularly see a lot of extremely dubious and rather slimy techniques deployed to get end-users to run horrible things or fall for scams. Generally, the targets tend to be the technologically inept or granny, sitting in the corner. See granny? Sure you do, she's right over there replying to the Third King of Nigeria and helping him out with his cash relocation problem.

However, I've come across a scam rapidly spreading across numerous underground forums and IRC channels that is truly one of the scummiest tactics I've seen in some time.

How bad? Allow the following screenshot to spell it out for you.

neopets0.gif

Ladies and Gentlemen, allow me to present you with the winner of the Lowest Tactic Used in 2009 award. Do your kids play Neopets? If they do, you might want to read this and gently warn them of the dangers.

Neopets: What is it?

Neopets, originally uploaded by Paperghost.

From Wikipedia:

Neopets (originally NeoPets) is a virtual pet website, based around the virtual pets that inhabit the virtual world of Neopia. Visitors can create an account and take care of up to four virtual pets, buying them food, toys, clothes, and other accessories using a virtual currency called Neopoints. Neopoints can be earned through playing games, investing in the game's stock market, trading, and winning contests such as customization and art. Neopets also operates a pay-to-play version known as Neopets Premium, which offers additional features and benefits for a monthly fee of $7.99 (USD).

The scam is based around one of the core mechanics of Neopets: kids love rare items and things that nobody else has. Neopets has magical paintbrushes - stay with me on this - and they're rather hard to get hold of nowadays. As an example of that, here's a petition posted in 2004(!) that people are still posting comments to. In addition, here's a list of current prices - now consider a newcomer to Neopets starts with the rather paltry sum of 1000 Neopoints, and you can see why there's a desire for these items.

This is where we target some 12 year olds with social engineering. Oh dear...

The Method

Neopets is effectively social networking for younger kids and some teenagers. Or, as someone on a hacking forum put it while discussing this particular attack,

neopets4.gif


...ouch. No surprise, then, that the site has many communal areas where people can chat, hang out, send each other messages and see what's going on. Our hackers will move to the trading areas, where kids can post requests for items they'd like to buy, sell or trade. Then it's just a case of hunting out posts like this....

neopets5.gif 

...and that child is, officially, doomed. Asking for paintbrushes on the trading areas of Neopets will mean that they're likely to be the recipient of a Neomail (private messaging on the Neopets website) that looks like this:


Neopets Scam, originally uploaded by Paperghost.

From there, it's just a case of said child visiting the external link, downloading a file and being keylogged into infinity and beyond. Then the fun really begins.

neopets6.gif

Wave goodbye to your rare items, kids - and you didn't want your XBox Live account (that potentially has credit card details attached to it) anymore either, did you? The attackers then use the familiar tactic of taking a previously trusted source and using it to attack their friends & other newcomers to the site. Alongside hanging out in the handily labeled "Newbies" section and spamming messages, they'll also post fake "It worked" messages from compromised accounts to the forums of threads started by the attacker, much like people do on Youtube to give the impression that fake programs actually work (scroll down to "positive comments").

Additionally, the PC is quite possibly used by other people, or indeed belongs to someone else altogether....

neopets7.gif

...which would be, as you can imagine, a "bad thing".

Shall we see some of the reaction to this attack method from the peanut gallery?

neopets8.gif

"Stupid 12 year olds" are apparently in for a smackdown.

neopets9.gif

The above individual is clearly excited by this.

neopets10.gif

...well, if you're going to intentionally target young kids you might as well go the whole hog and dump them into a Botnet too. The messages aren't just being posted and sent by private message on the Neopets site - they're also turning up on third party websites too.

neoforums.gif
Click to Enlarge

Interestingly, sites such as Neopets are accessed in corporate environments too - FaceTime collects live traffic data from commercially deployed Unified Security Gateway appliances at more than 80 mid to large enterprises worldwide that have opted into this program, representing the daily Web-based activities of more than 100,000 corporate workers.

During the past week, these corporate workers have accessed 99 different virtual worlds from their work computers, and at least half of those are targeted at children. Perhaps the kids are asking their parents to check on their Neopets at work or see if the latest friend request on Myspace has been approved?

At any rate, let's hope they're wary of too-good-to-be-true paintbrush deals. Whether at home or in the workplace, "offers" such as the ones above should be avoided and anyone sending your child messages about paintbrush creators should report them here (you'll need to be logged in to access that URL).

I never thought I'd have to advise young children to stay frosty, but there you go...
There's quite a few autoclickers around at the moment (programs that will attempt to cheat pay per click networks) - thankfully the majority seem to be fairly unreliable. Like this one:

buxhck1.gif
Click to Enlarge

A custom built web browser designed with the affiliate clickfrauder in mind, it gives everything the budding cheat could want.

Apart from a working program, that is. But hey, error messages can be fun too!

This next one is a little slicker, however, and doesn't seem to crash and burn once you fire it up.

buxhck2.gif
Click to Enlarge

You want options? You got options! Select who you'd like to defraud today:

buxhck3.gif


Decide which "clicking model" to roll with:

buxhck4.gif

Is it proxy time yet? It is? Oh dear.

buxhck5.gif

You know, I'd be willing to bet money this thing has the ability to fake browsers to go with your phoney clicks...

buxhck6.gif

...sigh. And let's not forget the obligatory "About" ramble, which seems rather down where the whole "use of this program by PTC owners" idea is concerned.

buxhck7.gif

I wonder why...

You've probably already seen what happened to Neda - it was inevitable that people with dubious intentions would seize upon this event as a cheap way to make some money.

Sure enough, we're seeing a fair few links starting to go out on Twitter that mention Neda, which (if clicked) will take the end-user to fake Codec installers. In other words, this...

neda101.jpg

...will lead to this:

neda102.jpg
Click to Enlarge

The danger, of course, is that with this being such an emotive issue many people might simply assume the links are genuinely about something and retweet them without checking first. Thankfully, Bit.ly seem to be catching a lot of these links:

neda103.jpg
Click to Enlarge

I had no idea they did that...
Here's a few screenshots of sites launching DDoS attacks on various official Iranian Government websites. The first attempts multiple requests as soon as you open it:

irdds1.gif

The second is a little slicker:

irdds2.gif
Click to Enlarge

...and lets you push a button for your target of choice. There's obviously quite a few of these sites springing up at the moment (and it would be premature to expect the number to decrease), but I do wonder if lots and lots of DDoS attacks winging their way to Iran could actually make it more difficult for people on the ground to get word out on what's going on over there...
Here's an EMail bombing program currently being pimped in the digital underground.

ebomz1.jpg

Sure, it sounds like a cool way to annoy people - enter their address, and watch them drown in a sea of identikit mail bombs.
 
However - if you try to download the program, you'll be presented with this:

ebomz2.jpg

That's right - you have to register on a forum.

Think about that for a second. You just gave some random guy off the Internet - the creator of a Mail Bombing program - your EMail address.

I mean, there's lemmings and there's cliffs, but there's also running into a hail of Tommy Gun fire screaming DO IT, DO IT NOW.

This is one of those moments.
Since January, I've been following a particular kind of moneymaking scheme with interest. Originally, you paid a "small shipping fee" to have information on Government loans (that you could get for free anyway) sent to your door - then finding yourself being billed every month. From there, it evolved into coughing up a shipping fee in return for some magical "make money from Google" program, but the basic idea remained the same.

Shall we take a look how this one has progressed?

First, they presented you with the Obama Stimulus Program.

ob1.gif
Click to Enlarge

Then they wheeled out a moneymaking man of mystery (that would be "Kevin Hoeffer") who couldn't decide if he was making a fortune from Government Grants or Google.

jeff2.gif
Click to Enlarge

To go with the fake blogs, fake blog comments were thrown into the mix that actually made it a lot easier to keep track of all the fake Kevins. Or Jeffs. Or...whatever his name is / was.

jeff3.gif


Kevin Hoeffer recently returned, complete with what must have been some pretty extensive plastic surgery and a brand new website pimping his "Two Step Formula". Check out his "new ride":

kvn00.jpg
Click to Enlarge

Someone better tell him to call the police, because Steve Pickens has apparently stolen his car.

kvn001.jpg
Click to Enlarge

...and on it goes.

The most recent version was highligted by Kevin Poulsen of Wired fame. A good portion of the URLs mentioned in this post now link to the new site, which is designed to look like a genuine news website:


Live at 5, this site is a fake, originally uploaded by Paperghost.

I'm still trying to get my hands on the URLs involved (and I'll update the post as I get them), but the one cited by Kevin is

http://news5alert.com

and there's also another one (called the "Bakersfield Gazette News") at

bakersfieldgazette.com

All these sites currently lead to something called the "Cash Secret Club" (ooh!) which uses a fake countdown timer and the panic inducing tactic of claiming they only have "42 slots open" to get you to part with your cash.


Cash Secret Club, originally uploaded by Paperghost.

As you probably guessed, the URL for that site is

cashsecretclub.com

with another one located at

google-money-master.com

so feel free to add them all to your blocklists, unless the thought of paying $1.00 for shipping...."something"....to your home address while potentially having billing issues (to the tune of $79.95) like this person did is an appealing one.

Which it isn't. And that's the truth whether your name is Kevin, Jeff or Joey Joe Joe Jones Junior Shabadoo...
Given the furore over the new iPhone 3.0 OS hitting recently, it's no surprise that spammers are taking advantage of this on Twitter. Already, we've seen iPhone spam leading to high definition TV offers, and sure enough there's a fresh campaign now doing the rounds.

 If you see something like this:

twtsmpillz1.jpg

...then it's a fair bet clicking the link will take you to a "male enhancement" website complete with pictures of men's bits that you'd probably rather not see in work or whatever:

twtsmpillz2.jpg
Click to Enlarge

The URL in question is

enlargenew.com

Interestingly, aside from the usual deluge of spam profiles pimping the links, we've heard there are regular Twitter users complaining about being "hacked" and sending these same messages. In all probability, there's a phishing aspect to this particular campaign and that's why people are seeing these messages go out from their own accounts.

As a final note, the title of the spam appears to be taken from this article on MobileCrunch.

Be careful what you click...
A few days ago, I wrote about a cancer support blog:

xtrememillionsuk.blogspot.com

...that kept popping up in Twitter links, always as a result of outrageously OTT spam messages. I did wonder at the time if the site owner had simply purchased an advertisement package that (unknown to them) involved mass Bot spam. Besides the possibility of potential Google Ad click fraud (and it's doubtful random visitors to a random cancer support blog would suddenly feel compelled to start clicking every Google ad in sight) I couldn't really work out the angle, although the URL clearly has a spammish twang to it.

Well, Rik Ferguson of Trend Micro went and double checked the site the other day and came back with some fresh information. I don't recall seeing this at the time so perhaps it's only just "gone live", so to speak. Or maybe I just missed it, who knows. Anyway...

Here's some more Twitter spam, with the now familiar OTT headlines:

rfrgsn2.jpg
Click to Enlarge

"Obama has just been killed", "Mousavi hilton has cancer" and "Stephen Colbert hit a woman" are all going to drag in the clicks from curious onlookers. They all take you to - you guessed it - the cancer support blog.

Cue Rik Ferguson, who found that at least some of the shortened URLs are apparently going through Tweetbucks and deposit you at the cancer blog via:

links.tweetbucks.com/links/redirector?siteID=rQ3yu4kdYcAXB7gbrhmoRSxaO&linkUID=f1ca20c1-1275-44be-94db-94f4b98b135a&short=bit.ly&href=http%3A%2F%2Fxtrememillionsuk.blogspot.com%2F

What is Tweetbucks?

"
When people click your TweetBucks shortened links, we convert them to affiliate-enabled links by referencing our database of 1000's of online merchant programs. Every time your recommendation results in a purchase, the online merchant pays a commission. So tell your followers about the products and services you like. The more you recommend, the more you can earn."

It seems someone is trying to earn some cash from dubious links on Twitter at Tweetbucks expense. From this page on Adbrite, we can see the cancer blog gets a fair amount of traffic at present:

Pageviews per day [?] :      Over 2,800
Unique users per day [?] :     Over 2,800

...so there is at least some potential for raking in a bit of cash with this one. We'll be notifying the various services who have adverts / PPC services on the site and see if we can reduce the amount of "dead world leader" spam currently clogging up Twitter. Thanks to Rik for the additional information!
Here we have yet another Steam Phish, this one involving some forum based scammery. Our phishing friend sets up a forum account on the official Steam forums, then sends random people a "scary" message like this:

stvvc09.jpg
Click to Enlarge

Assuming the victim is suitably terrified by dire warnings of account hackings, they'll promptly jump over to

valve-ipfix.tk

which is a redirection URL hiding the "real" URL at

steampowerness1.awardspace.us

...and the victim will then enter their Steam login credentials to the phisher.

Here it is in all its phishy glory:

stvvc10.jpg
Click to Enlarge

Avoid.
There's quite a few sites being hacked at the moment, with the hacked pages redirecting to the following "calling card":

hkfrdmz1.jpg
Click to Enlarge

.....ouch.

Step 1: Obtain a wonderfully cool looking "Gmail Hacker" program.

gmlhckrz1.jpg

Step 2: Enter the GMail address of your intended victim, without stopping to wonder why the application is asking for YOUR login details too:

gmlhckrz2.jpg

Step 3: Find yourself dazzled by flashing lights and progress bars after you hit the "Hack Them" button.

gmlhckrz3.jpg

...ooh. Progress bars.

Step 4
: Pull a sad face as your wonderful hacking program informs you that there "was a problem".

gmlhckrz4.jpg

Man, I didn't see that one coming at all.

Step 5: Take up astral projection, float over to the program creators house, wind back time (hey, if you can project yourself in an astral fashion you've probably mastered the art of time travel too) and ask yourself why they're putting their own GMail details into the building tool that creates the GMail hacking program you'll soon be playing with:

gmlhckrz5.jpg

Step 6: Wind time forward a bit then check out the latest EMail he's just been sent. Amazingly enough, it came from the hacking program you tried to run earlier. Not so amazingly, it contains your OWN login details.

gmlhckrz6.jpg

Congratulations, you just hacked yourself.

Don't you feel so much better now?

Pastebin Botnets?

| | Comments (1)
I've always been interested in Botnet research, and a piece of code in circulation on forums at the moment seemed interesting enough to write about. The subject is "Pastebin Botnets", but first we'd better talk a little bit about Pastebins...

Pastebins - what are they?

From Wikipedia:

A pastebin, also known as a nopaste, is a web application which allows its users to upload snippets of text, usually samples of source code, for public viewing. It is very popular in IRC channels where pasting large amounts of text is considered bad etiquette. A vast number of pastebins exist on the Internet, suiting a number of different needs and provided features tailored towards the crowd they focus on most.

Pastebins have become very popular in certain hacking communities, where quick and easy sharing of a targets personal information ("Dox") is perfectly at home in the world of pastebins.

pbinbot1.jpg
Click to Enlarge

That's for another writeup, but at least we now have a decent idea of Pastebins and how easy they make things where rapid sharing /storage of data is concerned.

What does this have to do with Botnets? Well, over the past week or two I've seen a piece of code floating around on various forums that (according to the author) has the potential to be used in conjunction with a Pastebin to issue commands to a Botnet. I'm not aware of pastebins being used for issuing Botnet commands (though of course that doesn't necessarily mean it's a new technique) and was curious to see if this is indeed something relatively new or a method that's been around for a while.

Why is a Pastebin Botnet a good idea for a Botnet owner?

In a nutshell, the Botnet owner can post Botnet drone commands quickly and without fuss to a Pastebin page (your "Botnet Hub"), and the drones will carry out those commands.

Web based Botnets have been all the rage for some time, as they're usually harder to detect than the rather obvious IRC traffic of old. There are some other advantages, too - Pastebins are plentiful and the main sites (such as Pastebin.com) are rarely offline.

In addition to this, you don't have to waste time setting up webpages & hosting accounts while hoping your host doesn't shut you down - it's simply a case of cutting and pasting text onto a Pastebin. If your page dies, it takes seconds to start again (as a sidenote, there's an interesting recent post here regarding the use of RSS feeds in conjunction with Pastebins to issue commands to Botnets from changing locations which is pretty smart).

As you can see then, Pastebins appear to be a bit of a hot topic for people discussing Botnets at the moment and a clever spin on web based Botnets in general. So how does it work?

Ye Olde Disclaimer

Although the idea behind it is sound, it seems the code doing the rounds on various forums (written in Perl) is "proof of concept" and would need some work doing to it to unleash a fully formed Botnet. Despite this, according to the creator it can already read pastebin posts for text (which are then used to issue commands to the Bots), post in the previously mentioned "Botnet hub", post in its own individual private pastebin, and get the latest post by the botnet owner.

Here's a few screenshots of said code:

pbbnet2.jpg
Click to Enlarge


pbbnet3.jpg
Click to Enlarge

The idea of using Pastebins in this way is a clever one -  I've seen people post Bot drone code (which needs compiling in an external application) to Pastebin pages for "storage" many times (in much the same way people post "dox" to pages for safe keeping), but this is the first time I can remember seeing someone thinking about using a Pastebin itself to act as a kind of Command & Control center for a Botnet.

If you've seen this technique before, feel free to share your thoughts in the comments - it's certainly one of the more interesting Botnet ideas I've seen in a while.

More KoobFace

| | Comments (0)
There's a link currently in circulation that does pretty much what you'd expect it to - drop you onto a site hoping you'll install the executable.

The site in question is

eurostandart.biz/publicdvd/

And going there redirects you to

86.20.21.129

which looks like this:

yuotubez111.jpg
Click to Enlarge

This is, of course, one of those fake Youtube pages called "Yuotube". Avoid, steer clear, run away...
A friend of mine had this "exchange" on Skype a few days ago:

[10:36:19 AM] SHAHEEN: FROM: AHMED.S.
EMAIL: shhnahmed5@gmail.com
 
Hello [NAME REMOVED],
 
I have tried to reach you on Skype phone, but your line was busy, so I decided to write you this message.  I have been in search of someone with this last  name "[NAME REMOVED]", so when I saw you online, I was pushed to contact you and see how best we can assist each other. I am AHMED.S, a Bank Officer here  in U. A. E. I believe it is the wish of God for me to come across you now. I am having an important business discussion I wish to share with you which I  believe will interest you, because it is in connection with your last name and you are going to benefit from it. 
 
One Late Michael [NAME REMOVED], a citizen of your country had a fixed deposit with my bank in 2003 for 60 calendar months, valued at US$26,700,000.00 (Twenty Six Million, Seven Hundred Thousand US Dollars) the due date for this deposit contract was last 22nd of February 2008.  Sadly Michael was among the death victims in   the May 26 2006 Earthquake disaster in Jawa, Indonesia that killed over 5,000 people.  He was in Indonesia on a business trip and  that was how he met his   end.  My bank management is yet to know about his death, I knew about it because he was my friend and I am his account officer.  Michael did not mention any   Next of Kin/ Heir when the account was opened, and he was not married and no children.

Last week my Bank Management requested that Michael should give  instructions on what to do about his funds, if to renew the contract.  I know this will  happen and that is why I have been looking for a means to handle the   situation, because if my Bank Directors happens to know that Michael is dead and do not have any Heir, they will take the funds for their personal  use, so I  don't want such to happen. That was why when I saw your last name I was happy and I am now seeking your co-operation to present you as Next of Kin/ Heir to   the account, since you have the same last name with him and my bank head quarters will release the account to you. There is no risk involved; the transaction   will be executed under a legitimate arrangement that will protect you from any breach of law.

It is better that we claim the money, than allowing the Bank Directors to take it, they are rich already.  I am not a greedy person, so I am suggesting we   share the funds equal, 50/50% to both parties, my share will assist me to start my own company which has been my dream.  Let me know your mind on this and   please do treat this information as TOP SECRET. We shall go over the details once I receive your urgent response strictly through my personal email address, shhnahmed5@gmail.com 
 
We can as well discuss this on phone; let me know when you will be available to speak with me on Skype.  Have a nice day and God bless. Anticipating your  communication.
 
AHMED.S.
shhnahmed5@gmail.com


One to avoid...


Well, this is something you don't see everyday.

There's a fair amount of spambot profiles clogging up Twitter at the moment, all of which look a little like this and claim a British National Party leader has been shot and killed:

bnpsprun1.gif

There's quite a few of them about, check out the Twitter Trends page.

bnpsprun2.gif

Bizarrely, all of them take you to what looks like a genuine cancer support blog.

bnpsprun3.gif
Click to Enlarge

I'd like to think the owner of such a site wouldn't be crazy enough to attempt to drive traffic using spambots in this very surreal fashion, so I can only hope they saw a "promote your site" package and it wasn't quite what they were expecting...

Here's a website called

GamingHarbor.com

which is a site claiming to offer "free games" in return for installing a Toolbar. The site is owned by a company called based in Cheung Sha Wan, Hong Kong.

Aside from the rather suspect "Limited Time" notice on the splash page (does anyone actually believe claims like that?) and the fact that certain links taking you to the page will claim "for your region only" messages despite the fact that anyone can clearly download it from anywhere, the biggest bit of truth stretching is reserved for the large image splash guaranteed to get any gamer salivating:

Oblivion! Dead Rising! Fable 2! Grand Theft Auto 4! You're not actually going to get any of these games, but who cares - if they convinced a passing user to download and install this Toolbar on the strength of that graphic then "Dubious Marketing 101" has done its job.

The program itself comes from

desktopsmiley.com

...and continues to put the idea into the mind of the downloader that there'll be some sort of console related "bonus" at the end of all this by making the Executable look like the buttons on a Playstation 2 joypad:

gharbor2.jpg

The installer splash screen continues this trend - not content with riffing off the back of what might be the most famous joypad related button icons in memory, they then throw in what's clearly designed to be an XBox 360 joypad graphic too:

ghrbz100.jpg
Click to Enlarge

The Playstation button icons floating off directly above it is a nice touch, I guess. Anyway, we're only moments away from must be some amazing console type deal and then...

gharbor3.jpg

....horror of horrors! For some reason, they don't want this to be installed on a virtual PC! Could this be because they really don't want people like myself testing it then telling the World how bad a deal it is?

Oh well, time to break out a real PC then. You'd think people would learn by now that if someone wants to test something, then they're going to test it. Anyway...

gharbor4.jpg

...wait. Internet optimizers, cashback assistants and media access startup? What are those? Why do I want them? Who knows, but wading through the EULA that's practically biblical in length doesn't really help. Onwards and upwards, we agree to the install and then...


Oh good. Bingo., originally uploaded by Paperghost.

...we find the Toolbar is indeed installed, and our browser is taking us to a website about bingo. The fact that there's no visible sign anywhere on the desktop in relation to optimizers or cashback assistants doesn't trouble our gamer - he just wants to go PEW PEW a lot. With that in mind, he jumps over to the other side of the Toolbar and clicks what must be the answer to his prayers:

gharbor6.jpg

Call it a hunch, or some magical form of intuition - but despite another image of an XBox controller, I suspect this is going to end badly. Sure enough:



Wait, this isn't GTA4!, originally uploaded by Paperghost.

...our confused gamer is taken to

myfreegamespage.com

which (it's fair to say) probably isn't the magical console games factory he was expecting.

What we're left with, is a collection of mind blowingly awful games that in no way, shape or form represent the titles splashed all over the main GameHarbor website. Some require you to download gaming clients then hose 150MB of your bandwidth to play things that are probably bested by free flash games; others will probably make our Toolbar toting gamer rip his hair out as he's installed a Toolbar to "play free games", only to find...

gharbor8.jpg

...he has to either play "free" for an hour, or BUY the "unlimited version" for $6.99.

You couldn't make it up. But then you don't have to, as the face punching reality of lame advertising that promises much and delivers little is already with us.

Avoid this harbour like the plague - the real thing is much better, and you don't have to worry about Internet Saving Optimizers, either...
Here's the latest site to avoid due to it being completely worthless:

streaminghddivx.com

Like so many others of its ilk, it promises tons of "free movies" in return for you installing Zango.

strhddivx1.jpg
Click to Enlarge

Shall I show you a screenshot of the funky installer before it all goes horribly wrong? Okay then. I know you love pictures of installers; who am I to argue?

strhddivx2.jpg
Click to Enlarge

Wow, "100% free unlimited access to 10000+ videos"! I guess this is the point where I say "Imagine your dismay, then, as you fire up the prompt, click Start, install Zango and click on the "Play" button for Transformers 2, only to find...."

strhddivx3.jpg 

....that you're clicking a link taking you to movies.yahoo.com instead.

What, you didn't actually think one of these pot boilers was ever going to turn out to be the real deal, did you? Oh, you didn't? Why am I not surprised...
Sadly, no. It is, however, a rather popular bit of Youtube chain letter comment spam currently doing the rounds:

sflu1.png

Sadly, touching your nose while saying a name isn't likely to be adopted by the World Health Organisation anytime soon...
Pharming has been around for a few years now, and most (if not all) pharming attacks I've read about usually involve techniques far beyond your average script kiddie. From Wikipedia:

Pharming (pronounced farming) is a hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real addresses -- they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".

Curiously, one individual seems to be whipping up a frenzy on numerous hacking / cracking boards recently, claiming to have invented a "new, revolutionary form of phishing". It's actually "just" Pharming by another name - "Phisher Arms" (a Phisher Arm being the executable used to alter a computers hosts file) - but while being entirely ignorant of Pharming, he's also promoting a broadening and deepening of the amount of script kiddies happy to adopt such tactics. While there's a certain comedy value to him reinventing the wheel, mass adoption by wannabe pharmers is not a good thing, and there's never been a better time not to click on unknown attachments or run strange files...

In the beginning

On the 30th of April 2009, a new video appeared on exploit database Milw0rm, rather breathlessly called "Desktop Phishing: The New Art of Phishing". Along with the video came lots of graphics:

dtph1.jpg
Click to Enlarge

dtph3.png
Click to Enlarge

...and a soon to be released E-Book(!), along with an audacious bid for fame in the form of a Wikipedia page which was (unsurprisingly enough) hit with the Banhammer.

In a nutshell, it works like this:

1) Have a random executable file to hand. It can be anything, though obviously you want it to appeal to the victim you intend to send it to.

2) Bind it with a modified hosts file in such a way that it replaces the victims original hosts file when the executable runs.

3) Insert sites such as Paypal, banking sites, Ebay, whatever....into your modified hosts file, and have each of them point to an external IP address for your own computer. I bet you can see where this is going...

4) On your own computer, you host the phishing page using server software such as wampserver.

5) When the victim tries to reach Paypal or a similar site from their computer, they are of course taken to the phish page running on the attackers PC which will still say "Paypal.com" in the address bar. When the victim enters their details, they're actually placing them directly onto the attackers computer - note the URL at the top:

phisherarms.jpg

Whoops.

To be fair to our wheel inventing pharmer, it's an interesting technique and will no doubt be adopted en masse by the rank and file of "this is way too hard for me" wannabes out there. His video has already been viewed over 12,000 times - by comparison, most other entries on the Milw0rm frontpage are in the low thousands:

dtph2.gif
Click to Enlarge

Google "Phisher Arms" or "Desktop Phishing" and you'll already find a lot of hacking forums promoting this as the best thing ever - and they're just the ones publicly viewable.

Whatever you want to call them, there's probably quite a few of these "Phisher Arms" in circulation at the moment given that his video hit a good few weeks ago. As always, be careful what files you download...

About this Archive

This page is an archive of entries from June 2009 listed from newest to oldest.

May 2009 is the previous archive.

July 2009 is the next archive.

Find recent content on the main index or look in the archives to find all content.