Phishing trojan creation toolkits: an analysis of the technical capabilities and the criminal organizations behind them
Dmitri Alperovitch CipherTrust Inc.
Previous works have focused on analysis and reverse-engineering of malware payloads,
such as worms, keyloggers, destructive viruses and spyware. Phishing trojan creation toolkits
represent the latest advancements of some of the most resourceful and profitable online
criminal enterprises. These highly sophisticated and customizable trojans are hugely
popular in the underground carding community and are a key part of numerous online
identity and financial theft crimes. They are produced by teams of international software
developers and selling for substantial amounts of money.
In this paper we present an analysis and reverse-engineering results of five of the most
popular and sophisticated trojan toolkits. We show that these are substantial software engineering
products that include a vast array of features, advanced detection evasion capabilities
and effective targeted countermeasures to anti-fraud technologies that are in place at
most of the major banks and other financial institutions.
The paper demonstrates that phishing trojan development is nowadays a highly
profitable business with the software being actively distributed and marketed through a
well-developed underground business channel and reseller network that provide both the cloak
of anonymity as well as relative safety and plausible deniability for the malware developers.
This represents a new change on the malware scene - the creation of a services industry dedicated
to the creation of high-quality malware with a well organized and developed distribution channel.
Lastly, we discuss how these toolkit trends and changes in criminal collaborations
affect current defence approaches and suggest alternative models to advancing the community's defences.
VB2010 will take place 29 September-1 October 2009 at the Westin Bayshore, Vancouver, BC, Canada.
Early bird discount available until 15th June 2010.