Phishing trojan creation toolkits: an analysis of the technical capabilities and the criminal organizations behind them

Dmitri Alperovitch CipherTrust Inc.

Previous works have focused on analysis and reverse-engineering of malware payloads, such as worms, keyloggers, destructive viruses and spyware. Phishing trojan creation toolkits represent the latest advancements of some of the most resourceful and profitable online criminal enterprises. These highly sophisticated and customizable trojans are hugely popular in the underground carding community and are a key part of numerous online identity and financial theft crimes. They are produced by teams of international software developers and selling for substantial amounts of money.

In this paper we present an analysis and reverse-engineering results of five of the most popular and sophisticated trojan toolkits. We show that these are substantial software engineering products that include a vast array of features, advanced detection evasion capabilities and effective targeted countermeasures to anti-fraud technologies that are in place at most of the major banks and other financial institutions.

The paper demonstrates that phishing trojan development is nowadays a highly profitable business with the software being actively distributed and marketed through a well-developed underground business channel and reseller network that provide both the cloak of anonymity as well as relative safety and plausible deniability for the malware developers. This represents a new change on the malware scene - the creation of a services industry dedicated to the creation of high-quality malware with a well organized and developed distribution channel.

Lastly, we discuss how these toolkit trends and changes in criminal collaborations affect current defence approaches and suggest alternative models to advancing the community's defences.

 del.icio.us  digg this! digg this

Quick Links

Poll
Should software vendors extend support for their products on Windows XP beyond the end-of-life of the operating system?
Yes - it keeps their users secure
No - it encourages users to continue to use a less secure OS
I don't know
Leave a comment
View 24 comments

Jobs Recruit Sidebar

Malware Prevalence
Adware-misc |##########|
Java-Exploit |########|
Autorun |#####|
BHO/Toolbar-misc |####|
Conficker/Downadup |###|
 View this month's full report

Virus Bulletin currently has 231,313 registered users.