Point-and-Click Phishing

by Brian McWilliams, author of Spam Kings

A teenage hacker discovers his software is helping automate online identity theft

Ben Kittridge admits that spamming violates traditional hacker ethics. But with computer programming jobs scarce, the eighteen-year-old Florida software whiz has joined the spam trade. This year, Kittridge made several thousand dollars selling Fahrenheit, a spamware program he wrote from scratch, to dozens of mysterious customers.

But now, Kittridge finds himself an unwitting accomplice in a recent email scam that attempted to separate customers of US Bancorp from their account information.

Earlier this month, a collection of computer files apparently used in the scam surfaced on the Internet. Included was a Fahrenheit configuration file [view] as well as source code to the program. The files are the electronic tools of the trade used by unidentified "phishers"--online scam artists who send out phony emails forged to look as though sent by banks or other online financial institutions. Astonishingly, as many as one out of twenty recipients fall for phishing attacks and divulge their financial account information to the scammers, according to a June report from the Anti-Phishing Working Group (APWG), an industry consortium.

The phishers instructed Fahrenheit to send an email, which contained the US Bank logo, to a list of approximately 20 million addresses. The fraudulent message attempted to trick recipients into visiting, a site set up by the unknown attackers to gather victims' data. (The site, which appears to be registered to someone in Venezuela, is no longer available.)

Related Reading

Spam Kings
The Real Story behind the High-Rolling Hucksters Pushing Porn, Pills, and %*@)# Enlargements
By Brian McWilliams

The configuration file specified that the scam be sent through a set of "proxy" computers to hide the identity of the phishers. An accompanying list of the proxies included hundreds of apparently virus-infected or hacked home personal computers connected to cable modems or DSL lines. The scammers also configured Fahrenheit to use a rotating set of From and Subject lines and to avoid sending the "phish" to any addresses containing the words admin, FBI, or abuse.

Kittridge denies any prior knowledge of the scam and says he is willing to cooperate with authorities investigating the incident. U.S. Bank officials had no immediate comment on the attack, which appears to have occurred in early June 2004. (One recipient of the phishers' message re-posted it in an anti-spam newsgroup.)

The collection of files, a copy of which was provided by an anonymous source, indicate the ease with which phishers are able to perpetrate the attacks that cost U.S. banks an estimated $1.2 billion last year.

Armed with powerful programs such as Fahrenheit and a list of proxies, phishers can simply point and click to steal victims' financial information. What's more, the technology enables fraudsters to launch their scams with little fear of being caught. In recent years, there have been few phishing-related prosecutions, while hundreds of attacks are recorded every week by the APWG and by FraudWatch International, an Australian consulting firm that maintains an archive of phishing alerts.

The incident also highlights the disturbing new alliances between talented programmers, spammers, con artists, and other criminals. (This nexus is examined in more detail in chapter ten of Spam Kings, the author's book about the junk email business, which hits stores later this month.)

Kittridge, who uses the online nickname Bysin, earned a reputation as a "black hat" hacker after bursting onto the scene in 2001. Just 15 at the time, he gained notoriety for releasing knight.c, a program designed to perform distributed denial-of-service (DDoS) attacks. The tool was cited in a July 2001 federal advisory to home PC users, and the FBI raided Kittridge's home and took six computers away as evidence. (He says the agency notified him last month that it was dropping the case and would return the equipment.)

In 2003, Kittridge released two "proof of concept" programs that attempted to exploit security flaws in the widely used Sendmail mail-transfer agent. In early 2004, when parts of Microsoft's Windows NT and Windows 2000 source code were circulating in the computer underground, Kittridge posted copies on one of his web sites.

Kittridge said he created Fahrenheit, which runs on Unix-based computers, in early 2003. At the time, he was working as a system administrator for Evoclix, a Florida junk-email company listed on the Spamhaus Register of Known Spam Operations.

"Hackers are having a real hard time finding work in the U.S.," says Kittridge in explaining his decision to work for spammers. "Spamming is our last resort to pay rent," he says.

Kittridge's impetus to write Fahrenheit was seeing spamware selling for thousands of dollars. He decided to market his program, which he originally dubbed Midnight Mailer, for around four hundred dollars. As its program interface, the re-named Fahrenheit [screen shot] uses a web browser. The software supports an unlimited number of "threads," making it able to rapidly crunch through huge mailing lists.

Fahrenheit is also designed to route messages through remote proxy computers. (The use of proxies to send spam is specifically outlawed under the 2003 U.S. CAN-SPAM Act.) The program also includes high-end features, such as automatically generated graphs depicting real-time sending statistics.

But under the hood is where Fahrenheit really shines. "This code is just beautiful," said one programmer who reviewed the C-language source code to Fahrenheit but asked not to be identified.

Kittridge says he overlooked one key feature in Fahrenheit: copy protection. That fact, combined with his three-day, money-back guarantee, has resulted in lots of unauthorized copying and lost revenue, he says.

Most of his Fahrenheit sales occur, according to Kittridge, in #Spam, an Internet relay chat (IRC) channel frequented by junk emailers--and, increasingly, by the hackers who serve them.

"People on IRC are selling exploits and self-infecting bots to make DDoS nets. Then they are turning their DDoS nets into proxy nets and selling proxies to spammers (and even spamming themselves) for a pretty penny," he says.

Kittridge claims he has never written a virus or a computer worm. But while he's remorseful about his program being used to launch phishing attacks, Kittridge says he and other hackers will continue to consort with spammers.

"Because of outsourcing [of software and system administration jobs], it's one of the only ways a hacker can make money," says Kittridge.

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.

Return to the O'Reilly Network