
October 30th, 2008

Phishers apply quality assurance, start validating credit card numbers

Posted by Dancho Danchev @ 2:19 pm

Categories: Botnets, Browsers, Malware, Passwords, Phishing, Spam and Phishing

Tags: Security, Quality Assurance, Phishing Email, Dancho Danchev

The exact number of end users who respond to phishing emails by submitting bogus data is still unknown. Phishers, on the other hand, continue to apply basic quality assurance processes, ensuring that they collect only validated credit card details and limiting the opportunity for researchers and end users to poison their campaigns.

For instance, a recent blog post at Symantec’s Security Response blog analyzes a phishing page where the fraudster applies credit card validation checks before accepting anything, an approach that, in times when phishers are attempting to scam other phishers, can easily turn into a commodity feature for phishing pages in general — even the backdoored ones.

“Fraudsters are aware of these techniques and are continuously trying to optimize their attacks and thus their profits. As a proof of concept, shown below is a piece of PHP code revealed from a phishing attack that is intended to check the validity of the credit card number provided by the user according to card number conventions. After performing this check, the fraudster tries validating the card number by using the Luhn algorithm (figure 2). If both conditions are met (the card number appears to be correct and the Luhn algorithm is verified) the information is delivered to the drop box. This approach makes the Random Data Dilution strategy described above useless, because invalid data won’t be accepted. The piece of code in figure 3 (below) shows one of these tricks, which checks to see if the credentials provided by the user are indeed valid. It has been implemented by submitting the credentials to the original website and then identifying specific patterns in the response page in order to verify their validity.”

The phishers in this particular case are able to achieve the validation by forwarding the submitted data to the original site, potentially exposing their campaigns in the process, if only the targeted company were properly monitoring where its traffic is coming from. Phishers tend to switch tactics or introduce new ones on a quarterly basis, and with EstDomains about to face the music, yesterday Sophos already started detecting phishing campaigns exclusively targeting domain registrants by impersonating eNom and Network Solutions. Despite the potential for abuse of legitimate domains once a domain portfolio owner falls victim to the phishing scam, data mining malware-infected hosts for domain registrants’ accounting data seems to be the tactic of choice on a large scale, at least for the time being.
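The traffic monitoring mentioned above can be sketched from the targeted site's side. This is an added example, not code from the article or from Symantec's post: it flags any source address that tries logins for many distinct accounts within a short window, which is the footprint a kit leaves when it relays victims' credentials to the real site. The log format, the function names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, login result.
SAMPLE_LOG = """\
2008-10-30T09:00:00 192.0.2.55 gina OK
2008-10-30T09:40:00 192.0.2.55 hank OK
2008-10-30T10:30:00 192.0.2.55 ivan FAIL
2008-10-30T11:15:00 192.0.2.55 judy OK
2008-10-30T14:00:05 203.0.113.7 alice FAIL
2008-10-30T14:01:10 203.0.113.7 bob OK
2008-10-30T14:01:30 198.51.100.20 frank FAIL
2008-10-30T14:01:50 198.51.100.20 frank OK
2008-10-30T14:02:30 203.0.113.7 carol OK
2008-10-30T14:04:00 203.0.113.7 dave FAIL
2008-10-30T14:07:45 203.0.113.7 erin OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user) per well-formed line; skip the rest.
    The OK/FAIL outcome is ignored: a relay produces both."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2]
        except ValueError:
            continue  # unparseable timestamp

def find_relays(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Map each source IP to the accounts it tried, if it tried at least
    min_accounts distinct accounts inside any one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse(log_text):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            users = {user for _, user in events[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            flagged[ip] = sorted(best)
    return flagged
```

A shared egress address (office NAT, carrier proxy) can also carry many accounts, so the window and threshold need tuning against the site's normal traffic before a hit is treated as a relay.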

Poisoning a phishing campaign by submitting bogus data or personal messages to the phisher isn’t the way. If you truly want to express your feelings about a phisher - report their campaigns.

Image courtesy of the Anti-Phishing Phil.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
  • Most Recent of 5 Talkback(s)
Be careful...
...with canceled credit cards that are in your name. I once subscribed to an expensive magazine using a credit card. A year later that magazine stopped publishing and I completely forgot about them....
Posted by: 914four Posted on: 11/04/08
Very old news  ggunsch | 10/31/08
Use cancelled "valid" card numbers  chadpengar | 10/31/08
RE: Phishers apply quality assurance, start validating credit card numbers  phatkat | 10/31/08
Be careful...  914four | 11/04/08
RE: Phishers apply quality assurance, start validating credit card numbers  yeoman | 11/03/08
