This week on Salted Hash we’re joined by Lookout’s Jeremy Richards, who manages the @PhishingAI account on Twitter, as well as a good friend and fellow reporter from Ars Technica.
All this week, while we’re on location in Las Vegas, Salted Hash has been discussing phishing and the impact it has had on the public. Today, we’re getting an insider view on how @PhishingAI operates, and learning about a recent phishing campaign targeting Apple users.
The man behind PhishingAI:
Jeremy Richards is clever, and when it comes to hunting and exposing phishing campaigns on behalf of Lookout, a mobile security company based in San Francisco, he’s relentless. Currently, Lookout and Richards are processing about 4,000 phishing kits each month. But in order to do so, there is a lot of things happening on the backend.
“We’ve written a bunch of code that looks at infrastructure and the way phishers set up their phishing sites, and so we’ve written code to analyze those, classify them, categorize them, and block them. What you see on PhishingAI is the stuff that bubbles up to the top – the interesting things,” Richards said during our chat.
When the kits are discovered, Richards will alert the brands, who are really receptive to his efforts and work quickly to get them taken down. Often it is a matter of minutes from the time the PhishingAI account posts an alert, to the point when Google’s anti-Phishing measures start issuing warnings to users.
Oddly, it is the carelessness of the criminals behind the campaigns that helps researchers like Richards discover new kits and expose their methods. Many of the basic phishing campaigns targeting brands like Apple, Microsoft, Google, Pay Pal, or even governments, exist on servers with little to no effort made to obfuscate their intent or their methodologies.
It’s common to see a landing page in a given phishing attack expose the exact kit used to create it. Logs detailing the criminal’s actions, and identifying victims are also exposed. This helps researchers like Richards better inform brands and ISPs to problems, but no two criminals are alike, and the process isn’t always that simple.
This is why administrators have to work to secure their hosting environments and detect phishing kits as soon as possible, which is why Salted Hash released Kit Hunter this week. Moreover, registrars can do more to monitor domains when they are purchased in bulk and registered using terms that are clear examples of fraud.
The jokes on you Dr. JOker:
Sean Gallagher, the IT and national security editor at Ars Technica, published a report this week examining the birth of a phishing campaign targeting Apple users. Using a tool called Streaming Phish, which identifies phishing domains using certificate logs, Gallagher spotted a new domain being prepared for an Apple campaign.
The kit discovered by Gallagher is similar to one we discussed earlier this year on Salted Hash. You might recall, we recorded the phishing kit’s look and actions form both the administrator’s and victim’s perspective, demonstrating that aside from a few cosmetic variations – it was a near perfect clone of Apple’s website.
Salted Hash is at DEF CON this weekend, so feel free to say hello when you see me out walking around. Keep an eye on this space too for any updates as the show progresses.
Related Video: