Cyber-criminals regularly steal from each other. This is the conclusion of
the recent UCSB paper “There is No Free Phish: An Analysis of ‘Free’ and
Live Phishing Kits” by Marco Cova, Professor Christopher Kruegel, and
Professor Giovanni Vigna.

Phishing is a form of identity-theft attack in which an attacker, or
phisher, attempts to elicit confidential information from unsuspecting
victims. Phishers often use phishing kits to set up their scams. Phishing
kits are packages containing the files necessary to duplicate a targeted
web site – for example, an on-line banking site – and the scripts that
steal the victim’s confidential information – for example, username and
password for the banking site. Phishing kits are generally available for
free in underground circles.

However, the authors found that nearly half of the phishing kits
identified on-line contain backdoors designed to steal from the miscreants
using them. In particular, these backdoors secretly hand over the data
collected from the kits to their developers. In other words, in an ironic
twist of fate, phishers phish phishers. In an attempt to conceal the true
nature of their code, backdoors are regularly obfuscated, using a number
of techniques, ranging from basic scrambling and social engineering to
more technically advanced and ingenious methods.

This newly published work, which was presented at the USENIX Workshop on
Offensive Technologies and has since been covered by a number of on-line
magazines and blogs (such as Information Week, SC Magazine, The Register,
and ZDNet), sheds some light on the dynamics and methods of the phishing
community and gives evidence of the current transformation of underground
circles into for-profit organizations, ruled by economic principles, in
which more experienced practitioners resort to treachery against
newcomers.