Do-it-yourself phishing kits found on the internet, reveals Sophos

August 19, 2004 Sophos Press Release

Web users who visit bogus phishing sites may have their credit card details stolen.

Sophos experts have discovered that do-it-yourself phishing kits are being made available for download free of charge from the internet.

Anyone surfing the web can now get their hands on these kits, launch their own phishing attack and potentially defraud computer users of the contents of their bank accounts.

These DIY kits contain all the graphics, web code and text required to construct bogus websites designed to have the same look-and-feel as legitimate online banking sites. They also include spamming software which enables potential fraudsters to send out hundreds of thousands of phishing emails as bait for potential victims.

Sophos researchers believe that hundreds of thousands of phishing emails are sent across the internet every day, each designed to defraud innocent computer users, and the problem is growing. With phishing kits now freely available over the net, Sophos predicts this worrying trend is set to continue.

"Until now, phishing attacks have been largely the work of organised criminal gangs; however, the emergence of these 'build your own phish' kits means that any old Tom, Dick or Harry can now mimic bona fide banking websites and convince customers to disclose sensitive information such as passwords, PIN numbers and account details," said Graham Cluley, senior technology consultant. "There is plenty of profit to be made from phishing. By putting the necessary tools in the hands of amateurs, it's likely that the number of attacks will continue to rise."

Sophos is urging computer users to be wary of any emails asking them to reconfirm sensitive financial information and advises that anti-spam software at the email gateway can prevent these unsolicited email messages from even reaching inboxes.

"Recipients of suspicious emails claiming to come from online banks should just delete them and should certainly not click on the links contained within the messages," continued Cluley. "Web hosts and ISPs can also play their part in the fight against phishers by closing down websites if they find these kits posted on their servers."

Sophos recommends companies protect themselves with a consolidated solution which can defend businesses from the threats of both spam and viruses.