Two researchers who infiltrated the phishing underground say more proactive work needs to be done to investigate, slow and even stop phishers.
"This whole problem is a symptom of this entire ecosystem that exists to steal identities, bank account and credit card information from people."
Billy Rios, Independent Security Researcher
Security researchers Billy Rios and Nitesh Dhanjani will give a presentation on their work next week at the Black Hat conference in Las Vegas. Over the course of a year, the researchers got friendly with a few phishers and discovered how they operate. Rios and Dhanjani said their work yields insights into how phishers purchase and use their tools, how they transfer money from one person to another without disclosing their identity or location, and how they build their reputation in the phisher underground.
"There's a lot going on that is supporting all these illicit activities," Rios said. "It's really its own little world operating off of itself and we got an interesting sneak peek at how that world operates."
Rios and Nitesh discovered credit card information and other financial data being moved in bulk in open forums. Phishers usually amass about 500 credit card numbers before they can profit off them, Rios said.
"They're basically operating with impunity," Rios said. "They're out in the open for anyone to come and purchase what they have to sell."
And that world is not likely to be shut down by any technology, the two researchers say. VeriSign Inc. and several other vendors are pushing the adoption of EV SSL certificates, which turn a Web browser navigation bar green to confirm the validity of a website and red to warn users of a phishing scam. The latest browsers support the certificates and more websites are starting to use them.
While Rios and Dhanjani call EV SSL certificates commendable, they said they don't address the root cause of the problem.
"Phishing is successful because of our reliance on static identifiers," Dhanjani said. "What we really need is a revamp of the financial system in how identities are established in the real world."
Dhanjani said it's not a technology problem, but a process problem. A person's identity shouldn't be compromised if their Social Security Number is revealed, he said.
"When we get to the point where I can pull your credit report. … and even with all that information, I can't steal your identity, that's when we've made some progress, rather than a technological Band-Aid which may soften the situation for a while," Dhanjani said.
Rios said the phishing problem is bad because the barrier to enter the phishing underground is extremely low.
"Basically anybody, if they happen to stumble upon the right place, would be able to get into this industry, and after a day be able to launch their own phishing enterprise," Rios said.
EV SSL is a technology developed about a decade ago, but it was well ahead of its time, said Geoffrey Turner, senior analyst at Cambridge, Mass.-based Forrester Research Inc.
As a consultant in 1995, Turner helped VeriSign develop its digital certificate program. At the time, VeriSign collaborated with accounting firms trying to use the technology for site verification, Turner said. A period of risk aversion by auditing firms set the program back a bit, he said. Today, the browsers have standardized to support EV SSL, making it more viable in the market, he said.
So far, adoption has been sluggish because many people still use Microsoft Internet Explorer (IE) 6, which doesn't support the technology. With the release of IE 7 and Mozilla Firefox 3, adoption should increase, Turner said.
"It will become a much more mainstream defense against phishing," he said. "It's turning into the principal means by which a consumer can protect himself."
Ultimately, EV SSL protects the company brand, but it also increases trust with the customer, Turner said. EV SSL is going to be an important part of the development of the company's business reputation and standing in the marketplace with consumers, he said.
"Still, consumers need to understand that it doesn't relate to anything about privacy protection and it doesn't mean that the company behind the website is going to be adequately protecting your credit card information," Turner said.
Timur Taluy, CEO at FileYourTaxes.com, said his Oxnard, Calif.-based tax servicing firm was among the first to support EV SSL. He said the technology gives the firm's customer base more confidence in the site.
"The tax business is a very prominent financial transaction that people do," Taluy said. "We wanted to make sure our niche of that business was secure and we were providing the best information to our customers to be secure on the Internet."
Rios said the research he and Dhanjani will present will show that phishers are not sophisticated and have little understanding of sophisticated technology. Old-fashioned investigating may be the answer to reducing and even stopping the phishing threat, Rios said.
"We realized that the phishing problem isn't just a Web page that's being displayed to a user someplace on their home computer," Rios said. "This whole problem is a symptom of this entire ecosystem that exists to steal identities, bank account and credit card information from people."