Would-be cyber-crooks don't have to be very clever or resourceful to launch phishing attacks against unwary e-mail users – they can easily download the tools from the Internet. For free.
PandaLabs has discovered several free phishing kits on the Internet which allow cyber-crooks to send out fraudulent e-mails.
These tools allow cyber-crooks to spoof bank pages and e-mails, online payment platforms, Gmail and Yahoo! Mail accounts, online games (Xbox password theft) and blogs (Fotolog access credentials).
“The really crazy thing is that these kits are free,” says Jeremy Matthews, head of Panda Security’s sub-Saharan operations. “And, due to the simplicity of the tools, the number of phishing attacks is drastically increasing, causing companies and consumers large losses.
“According to a study conducted by Gartner, phishing attacks caused US consumers losses of $3,2-billion in 2007.”
These kits operate as follows: upon accessing a URL that hosts the kits, users obtain the files needed to create a fraudulent e-mail. One file allows them to spoof e-mails from banks and payment platforms, while the other allows them to create a fraudulent page that resembles the original. Additionally, the kit includes a PHP program, which is also free, to send e-mails from the spoofed page. Cyber-crooks can also choose how to receive the stolen data: TXT files stored on a server, a message in their mailbox, etc.
The rest of the process is similar to other phishing scenarios: the false e-mail is sent to several mail addresses, with a link to a malicious page in which users are requested to enter the personal details cyber-crooks want – such as e-mail addresses and bank passwords.
“To obtain email addresses to spam, cyber-crooks buy lists of addresses on the Internet, although some are free,” says Matthews. “If we throw free hosting services into the mix, the result is cyber-crooks launching phishing attacks at no cost whatsoever.
“Sadly, people are still falling for phishing attacks. It is vital that people be wary of e-mails from unknown senders requesting information,” Matthews adds.