Point-and-Click Phishing

by Brian McWilliams, author of Spam Kings
10/13/2004

A teenage hacker discovers his software is helping automate online identity theft

Ben Kittridge admits that spamming violates traditional hacker ethics. But with computer programming jobs scarce, the eighteen-year-old Florida software whiz has joined the spam trade. This year, Kittridge made several thousand dollars selling Fahrenheit, a spamware program he wrote from scratch, to dozens of mysterious customers.

But now, Kittridge finds himself an unwitting accomplice in a recent email scam that attempted to separate customers of US Bancorp from their account information.

Earlier this month, a collection of computer files apparently used in the scam surfaced on the Internet. Included was a Fahrenheit configuration file as well as source code to the program. The files are the electronic tools of the trade used by unidentified "phishers"--online scam artists who send out phony emails forged to look as though sent by banks or other online financial institutions. Astonishingly, as many as one out of twenty recipients fall for phishing attacks and divulge their financial account information to the scammers, according to a June report from the Anti-Phishing Working Group (APWG), an industry consortium.

The phishers instructed Fahrenheit to send an email, which contained the US Bank logo, to a list of approximately 20 million addresses. The fraudulent message attempted to trick recipients into visiting secure-usbank.com, a site set up by the unknown attackers to gather victims' data. (The site, which appears to be registered to someone in Venezuela, is no longer available.)

The configuration file specified that the scam be sent through a set of "proxy" computers to hide the identity of the phishers. An accompanying list of the proxies included hundreds of apparently virus-infected or hacked home personal computers connected to cable modems or DSL lines. The scammers also configured Fahrenheit to use a rotating set of From and Subject lines and to avoid sending the "phish" to any addresses containing the words admin, FBI, or abuse.

Kittridge denies any prior knowledge of the scam and says he is willing to cooperate with authorities investigating the incident. U.S. Bank officials had no immediate comment on the attack, which appears to have occurred in early June 2004. (One recipient of the phishers' message re-posted it in an anti-spam newsgroup.)

The collection of files, a copy of which was provided by an anonymous source, indicates the ease with which phishers are able to perpetrate the attacks that cost U.S. banks an estimated $1.2 billion last year.

Armed with powerful programs such as Fahrenheit and a list of proxies, phishers can simply point and click to steal victims' financial information. What's more, the technology enables fraudsters to launch their scams with little fear of being caught. In recent years, there have been few phishing-related prosecutions, while hundreds of attacks are recorded every week by the APWG and by FraudWatch International, an Australian consulting firm that maintains an archive of phishing alerts.

The incident also highlights the disturbing new alliances between talented programmers, spammers, con artists, and other criminals. (This nexus is examined in more detail in chapter ten of Spam Kings, the author's book about the junk email business, which hits stores later this month.)

Kittridge, who uses the online nickname Bysin, earned a reputation as a "black hat" hacker after bursting onto the scene in 2001. Just 15 at the time, he gained notoriety for releasing knight.c, a program designed to perform distributed denial-of-service (DDoS) attacks. The tool was cited in a July 2001 federal advisory to home PC users, and the FBI raided Kittridge's home and took six computers away as evidence. (He says the agency notified him last month that it was dropping the case and would return the equipment.)

In 2003, Kittridge released two "proof of concept" programs that attempted to exploit security flaws in the widely used Sendmail mail-transfer agent. In early 2004, when parts of Microsoft's Windows NT and Windows 2000 source code were circulating in the computer underground, Kittridge posted copies on one of his web sites.

Kittridge said he created Fahrenheit, which runs on Unix-based computers, in early 2003. At the time, he was working as a system administrator for Evoclix, a Florida junk-email company listed on the Spamhaus Register of Known Spam Operations.

"Hackers are having a real hard time finding work in the U.S.," says Kittridge in explaining his decision to work for spammers. "Spamming is our last resort to pay rent," he says.

Kittridge's impetus to write Fahrenheit was seeing spamware selling for thousands of dollars. He decided to market his program, which he originally dubbed Midnight Mailer, for around four hundred dollars. As its program interface, the renamed Fahrenheit uses a web browser. The software supports an unlimited number of "threads," making it able to rapidly crunch through huge mailing lists.

Fahrenheit is also designed to route messages through remote proxy computers. (The use of proxies to send spam is specifically outlawed under the 2003 U.S. CAN-SPAM Act.) The program also includes high-end features, such as automatically generated graphs depicting real-time sending statistics.

But under the hood is where Fahrenheit really shines. "This code is just beautiful," said one programmer who reviewed the C-language source code to Fahrenheit but asked not to be identified.

Kittridge says he overlooked one key feature in Fahrenheit: copy protection. That fact, combined with his three-day, money-back guarantee, has resulted in lots of unauthorized copying and lost revenue, he says.

Most of his Fahrenheit sales occur, according to Kittridge, in #Spam, an Internet relay chat (IRC) channel frequented by junk emailers--and, increasingly, by the hackers who serve them.

"People on IRC are selling exploits and self-infecting bots to make DDoS nets. Then they are turning their DDoS nets into proxy nets and selling proxies to spammers (and even spamming themselves) for a pretty penny," he says.

Kittridge claims he has never written a virus or a computer worm. But while he's remorseful about his program being used to launch phishing attacks, Kittridge says he and other hackers will continue to consort with spammers.

"Because of outsourcing [of software and system administration jobs], it's one of the only ways a hacker can make money," says Kittridge.

Brian McWilliams is the author of Spam Kings and is an investigative journalist who has covered business and technology for web magazines including Wired News and Salon, as well as the Washington Post and PC World, Computerworld, and Inc. magazines.


  • Karma
    2004-10-15 04:55:09  paulwaite

    As long as he's happy to annoy and harm thousands of people to make money, I'm sure he won't mind if I kick his computer down a flight of stairs next time I see him.

    If you only think of yourself, don't be surprised if others don't think of you.
  • About moronic, braindead people
    2004-10-14 11:05:28  Soronthar

    Impressive that so many people here are so braindead.

    The point is NOT that his "product" is being ripped off, or if he consorts with spammers.

    Have you ever tried to find a REAL job where your technical skill really matters? At age of 17?

    Or see it this way: You can work at McDonalds for $5 an hour, or you can sell a LEGAL product (illegal in the US by a technicality, legal every other place. Heck, mailing through a proxy is legal if you own the proxy for God's sake!) for some thousand $$$. Which way will you choose?
    • About moronic, braindead people
      2004-10-14 13:21:53  dglo@go.com

      Hm. Can you, Americans, think about something else than money? I think that you see everything through the glasses of "outsourcing" (=Americans losing money). Excuse him because he was forced to do it at 17 because he just wanted to earn a few thousand dollars... :-) There are people in Africa that are forced to live with less than 1 dollar per day... and no excuse for them... And this poor guy just wanted to earn a few thousand more no matter who gives the money... because he is so talented/smart/resourceful - Can you hear what you say? Is this what Americans consider to be an 'excuse'? :-) Happy not being American.
      • About moronic, braindead people
        2004-10-15 07:29:49  wrfink

        <rant>
        Something that really pisses me off is people from other countries having the perception that Americans are obsessed with money. Screw you!

        America is based on the foundation of free enterprise and that ANYONE can have the opportunity to succeed, or fail, on their own. We can practice our own religion and say it with the freedom of speech without retaliation from our government. We are also not unjustly taxed to support a wealth of freeloaders draining the system.

        Also, the United States is the LARGEST supporter of impoverished countries and ALWAYS the first to lend a hand to countries in need.

        So, the next time you feel like popping your cork about Americans being greedy and thinking only of money… FUCK OFF
        </rant>

        Lately, I have been growing tired of hearing people bad-mouth the USA for BS they know nothing about.

        Regards,
        WRFINK (Proud to be an American)
        • About moronic, braindead people
          2004-10-27 12:45:11  networkgirlygirl

          So could not have said that better myself...

          Most folks that live here don't know what it really means to be an AMERICAN!!!!
        • About moronic, braindead people
          2004-10-20 23:30:54  Byron

          I'm not from some other country and I think that Americans are, for the most part, obsessed with money. So Screw you! Or is that Screw Me!

          There have been enough studies done that show people from other countries know more about what is really going on in America than Americans do. Americans just like to live our little fantasy. Maybe someday we'll wake up, hopefully before it is too late.
        • About moronic, braindead people
          2004-10-17 03:44:24  dglo@go.com

          Sorry. My previous post was not fair. I just wanted to admit that I do not understand your country (culture/social experience).

          :-) Sorry I'm dumb.

          But we say "There is always a small amount of truth in every rumour." And saying "America is based on the foundation of free enterprise." - it seems to me like there is a lot of money in that sentence - especially in the word 'enterprise'/'success'... It would be better if you claimed to base your country on "justice, freedom, solidarity, knowledge". But you have the right to see America exactly as you want - as well as I can see America exactly as I want...

          Thanks for answer.


  • Can not blame the guy
    2004-10-14 10:55:29  wrfink

    In the past 3, or so, years, I have seen my salary drop as a direct result of outsourcing. While I am still employed by a good company, I do not think I could go out on my own.

    If I was in an area of the country where software jobs were few and far, then I would resort to developing code that would enable me to pay the rent. As much as I HATE spam and phishing, I can not blame the guy.

    ...looking forward, it seems companies are finding out that sending code over to India (or other off-shore locales) is not all it is cracked up to be :-) I am looking for a GREAT 2005 (unless Kerry wins the election).


    • Can not blame the guy
      2004-10-14 23:41:45  eqk

      You can barely write a sentence, so I'm having difficulty accepting the idea that outsourcing is your primary concern.

      This kid who wrote the spamming application is 17 years old and he's worried about outsourcing? He should probably be more worried about college.

      I'm not knocking the fact that he wrote the app. If he had not then someone else would have. I just think it's funny that a 17 yr old is using outsourcing as an excuse for writing this app.
    • Can not blame the guy
      2004-10-14 12:26:50  fuji8bit

      Yeah, don't blame him ... he may be using an excuse you will need someday to justify your own unethical behavior.

      I've never heard anyone engaging in unethical/criminal/wrong behavior that didn't have a "great" excuse. It just proves they know it's wrong and they need to justify it.

      The only people that buy that crap are people using the same excuse -- The RIAA as an excuse to steal MP3s, High software prices to excuse piracy, Corruption of the government to excuse cheating on taxes.

      Just for once, I want to hear somebody say "I steal music" without the "because" that follows it.

      • Can not blame the guy
        2005-02-01 17:57:32  l0gic

        I Steal Music.
      • Can not blame the guy
        2004-10-15 03:23:27  bry

        "I've never heard anyone engaging in unethical/criminal/wrong behavior that didn't have a "great" excuse. It just proves they know it's wrong and they need to justify it."
        right, it proves that you're wrong about doing something if you have an argument for why you did it.
        Justify means to make just.

        Actually I've heard lots of people who have bad excuses, by bad excuse I would mean an excuse that was logically faulty, for example, a burglar arguing that he burglarises to teach people to be more security conscience is making a bad argument because people only need to be more security conscience in matters of burglary because there are burglars out there.
        You seem to mean Bad excuse is an excuse that you don't agree with.

        I don't much care for what he did and I wouldn't do it but for some reason it doesn't register very high on my outrage meter.

        That said I have been thinking about stealing music; I haven't ever done it before because it seems like more work than just going to a store and buying. My reason for doing it, if indeed I do, will of course be that I figure the RIAA has it coming, bastards that they are. I hope you'll forgive my bad excuse, I will argue that it makes my actions just, but if I get in trouble for it I certainly won't whine.

        Then again I might not do it, aforementioned laziness to blame.
        • Can not blame the guy
          2004-10-15 03:25:45  bry

          hmm, given the spelling/grammatical errors in my last post I shouldn't copy/paste and there should be a preview button.

          That's my bad excuse.
  • Wow, what a piece of work
    2004-10-14 10:18:56  revgeorge

    He sees creating spam programs as a "last resort to pay rent"? So legitimate employment doesn't count? Also, I love that he's upset that spammers ripped him off by copying his software, as if spammers who are unethical when dealing with other people's email servers will be on the level when dealing with other people's copyrights.

    Maybe he should have taken a look at the rules of spam before he wound up at his last resort.

    Rule 1: Spammers lie.
    Rule 2: If a spammer seems to be telling the truth, see Rule #1.
  • Pathetic
    2004-10-14 03:48:44  simon_hibbs

    "Because of outsourcing..."
    Up until this point I thought he was just a bit selfish and uncaring for others, but no. Actually he's an ignorant whinger too!
    Yet more proof that people can be very clever and talented in some areas, and unbelievably brain dead in others.
    • Pathetic
      2004-10-14 12:17:30  fuji8bit

      Hard for *hackers* to find jobs? I should hope so. I'm a *programmer*, and never had problems finding a job.

      Maybe he should consider a career change with his ethics implant.

      Moron.
      • Pathetic
        2004-10-15 05:15:10  mhroge2

        I also am a programmer. 19 years old (so I'm in roughly the same boat as him) I have a job as a legitimate computer programmer. Somebody tell this kid to stop being such a moron and go get one too, or does he not have "legitimate" skills?
    • Pathetic?
      2004-10-14 08:20:38  ratchild4

      Why do you say he is a Whinger? (I assume you meant Whiner). Because he is resourceful? Because he claims OUTSOURCING took away many of his other options to produce income?

      Maybe he is a whiner, or maybe he speaks the truth. I know many firms who have laid off talented US citizens to send their jobs overseas. It is even a topic in the presidential race, so obviously it is a concern.

      Maybe whining means informed?

      • Pathetic?
        2004-10-14 08:57:42  tlhIngan

        Pathetic maybe, but I can't help but find delightful irony in the fact that his program is so widely pirated. It's pure justice, in my eyes.

        (When dealing with scammers, expect to be scammed.)

        Do I feel sorry for him? Not really (in fact, I'm happy he was swindled, even if it was by some of the bloodsuckers out there).
      • Pathetic?
        2004-10-14 08:43:01  tombou

        nah...

        whinger is a propah brit-tish term.

        • Pathetic?
          2004-10-14 11:31:32  arthvr

          Isn't it originally Australian as in "whingeing Pom"?
          • Pathetic?
            2004-10-15 04:53:35  paulwaite

            Still British, because Australia was originally a British prison colony.

            (Well, I say "originally" - originally it was the unspoilt home to a native population. Us Brits kinda screwed that one up, and the Australians continue to do so.)