A new, easy-to-use phishing tool is making it possible for more people to get into the fraud business, observers say.
Phishing kits are developed and sold by fraudsters to help others set up phishing sites. The software applications typically contain all the elements needed to establish a phishing site but require some technical savvy and patience to use.
However, EMC Corp.’s RSA Security spotted a new version last month that can be easily downloaded from the Internet and configures itself when someone double-clicks on it. Marc Gaffan, the marketing director in RSA’s consumer solutions group, said the kit is “self-extracting,” like many consumer software applications that are designed to install themselves on a computer. It can put up a phishing site in just two seconds, he said.
“The big difference is not in what it can do or how it does it … but in the level of simplicity in deploying phishing attacks,” Mr. Gaffan said in an interview Friday.
One of the most troubling things about the new tool is how fast it is spreading, he said. RSA spotted it in use six times in June, a substantially faster uptake than older kits have shown.
“Usually these techniques are not spread as fast,” Mr. Gaffan said. “Usually you find fraudsters evaluating technologies slowly. Most of the fraudsters have techniques that they’ve become accustomed to today.”
What this indicates, he said, is that the market for phishing tools is growing. “This is most likely new people that are trying, which means that the fraudster circle has been broadened,” he said.
With this increasing ease of use has come an increasing diversity in the bank brands phishers target, he said. RSA observed 191 companies being impersonated in June, up from 160 in May. The total had declined from March to May, but Mr. Gaffan said RSA’s most recent data shows that phishers are not giving up.
“Phishing is definitely still on the rise,” he said. “The fraud technology business is emerging like any other market or business. It’s a matter of maturing technology and a competitive landscape.”
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said RSA’s data “is rather ominous.”
Phishing “has gotten very commoditized,” she said, so it is not surprising to see that new tools are being built to give some fraudsters an edge.
“There’s really two types of criminals out there,” she said. “There’s the amateurs, and there’s the sophisticated organized crime rings.”
The new kit is meant for the amateurs, a growing market.
“There’s been a real increase, according to what I’ve heard from investigators, in amateurs,” she said. “If you have a criminal bent and you can get a phishing kit and make it work within 10 minutes, it would be a very attractive proposition.”
The new phishers are younger fraudsters who have Internet access and mischievous intent but lack the resources that a larger fraud ring has, Ms. Litan said. They are the ones who try to observe other people’s data at public WiFi hot spots but may not have the expertise to do any damage with the information they glean.
RSA’s observation may be a prelude to more complex phishing methods being made easier to use, Ms. Litan said. “The kits are probably based on old-fashioned phishing technology” that runs on a single site and does not use a network of computers to mask its presence, she said.
Newer phishing sites run on botnets, or networks of compromised computers. Whereas phishing sites used to send out 10,000 e-mails from a single source, modern versions often distribute the workload, making it harder to shut them down, she said.
Another recent trend is to build sites that can detect the type of browser and operating system a visitor uses and deploy a keystroke-logging virus specific to that visitor’s configuration, she said.
As phishing kits get more user-friendly, they will start to incorporate those features, she predicted. Though a self-extracting program may not be able to create a botnet in seconds, it can certainly tap into an existing one — possibly for a fee.
Criminals are “going to have subscription services — recurring revenue” — for renting out botnets to young phishers who lack the expertise to do it themselves, Ms. Litan warned.