The recent unravelling of a phishing email campaign shows that even less skill and effort is required today to exploit thousands of users via canned code traded on Facebook and other internet forums.
Researcher Emanuele Gentili of Tiger Security has been tracking a phishing campaign targeting Apple users [PDF], capturing some of the deceptive messages through two honeypots.
Setting the campaign in motion was easy enough for the attacker: Gentili said a pre-packaged phishing kit, named Besmellah (Arabic for "in the name of god") and a mailing list was all that was needed.
He said the phishing expedition followed the standard modus operandi of such campaigns, purporting to come from a legit email address - email@example.com.
A non-specific technical issue is used to lure recipients of the fraudulent email to a bogus website that looks genuine at first glance, via an obfuscated web address in the messages.
Once on the fake support site, which was hosted on a hacked installation of Wordpress and which ran the Besmellah kit, Gentili said the phishing victims were asked to enter their credentials.
From there, the attacker was able to successfully capture banking and credit card details from victims. After "logging on" to the bogus site with their Apple ID credentials, victims were asked for large amounts of personal and financial information on a secondary form.
This included their names, addresses, phone numbers, driving licenses, credit card with associated CVV verification numbers and more.
As the Internet Protocol (IP) addresses of the victims were also captured, the attacker was able to use geolocation services to automatically glean where the people were located.
All the information captured was then emailed to the attacker via the installed phishing kit that Gentili was able to download from the hacked site for examination.
Gentili didn't provide the exact number of people who fell victim for the phishing expedition, but noted the attacker was able to send out a large amount of messages.
Overall, very little effort or expertise was required to set in motion a large campaign that targetted thousands of victims.
The Besmellah kit is made more effective through the use of an IP adddress blacklist that blocks popular search engines that try to trace and track phishing threats, Gentili's research showed.
"The Besmellah kit seems fresh and it's coded really well," Gentili said.
Unmasking today's script kiddie
The attacker behind the Besmellah phishing campaign turned out to be a young Tunisian male, Gentili said.
Gentili did not reveal the hacker's identity, but iTnews was able to trace the person thanks to his extensive online presence.
The phisher's Facebook page boasted of website defacements, and his YouTube channel offers several how-to hacking videos.
He is also a member of several closed Facebook spamming and credit card trading groups, and makes little effort to hide his identity.
Learning the tools of his illicit trade wasn't hard for the hacker, Gentili said.
"They are posted and traded in online underground forums, black market websites and sometimes in Facebook groups too," Gentili said.
"There are lots of phishing kits around, with the best and most effective ones being sold on the black market forums, or shared among criminal groups that work together."
Besmellah is one of the better kits, according to Gentil, thanks to its built-in anti-detection mechanisms.
Referring to the recent iCloud security breach where celebrities had their accounts hacked and intimate pictures of themselves stolen and posted on the internet, Gentili said media had been quick to blame security issues with Apple's cloud-based storage service.
But pre-packaged phishing kits and an increasing number of so-called script kiddies willing to use them meant such criticism of Apple wasn't fair, Gentili said. The kits' ready availability and ease of use meant Apple and its customers are increasingly becoming the targets of specific attacks.
"These threats are on the rise, and pose a significant risk to individuals and companies alike," Gentili said.