Phishing: Conning the Unwary for Fun and Profit
Gervase Markham
Before We Begin...
Don't Try This At Home
For Entertainment Purposes Only
Yes, I really mean it
Step 0: Be out of reach of the law
- Eastern Europe
- China
- Russia
- Style points: Diplomatic immunity
Step 1: Pick your target
- Traditional: PayPal, banks
- eBay is not so good - anti-phishing toolbar
- New wave: smaller US credit unions
- In reserve: casinos, email accounts
- Style points: George Bush
Step 2: Create your HTML
- Save it directly from the site
- Style points: Blag it off another phisher
- Hack it around; fix the links; maybe mirror the images
- Wear the user down with plenty of forms
- Style points: Ask for mother's maiden name and pet's name
Step 3: Register a domain (optional)
- Pick a plausible-sounding one
- Use a stroppy registrar
- Not worth getting a certificate
- Style points: hijack the real domain
Step 4: Get a host
- Root a box
- Or buy a pre-rooted one, cheap
- Style points: make it a .mil
- Double style points: use www.lugradio.org
Step 5: Upload and test the site
- Make sure it's working and sending back data
- Don't submit to the collector of the person you nicked it off
- Redirect to the original site afterwards
Step 6: Get a distribution mechanism
- Email spam is the favourite
- Get target addresses:
  - Scrape the web
  - Buy a CD of email addresses
  - Just send it to your friends
- Style points: steal a customer list
Step 7: Write your spam
- Create a sense of urgency
- Make them scared
- Obfuscate URLs using HTML
- Useful words and phrases: "Dear Valued Customer", "billing problems", "reverification", "security check", "account lock-out"
- Style points: spell everything correctly
Step 8: Send your spam
- Use a spamming service; or
- Use your own rooted boxes
- Do it at the weekend
- Take advantage of timezones
Step 9: Wait for the harvest
Step 10: Get the money
- International fund transfers are monitored
- Use mules to withdraw the cash and post it to you
- Find them on IRC
- They take a cut (30-40%)
Step This Way, Sir...
In seriousness:
- It is a problem
- We are working on it at the browser side
- Only one small piece of the puzzle
- ...wish us luck!
The End