It’s a sad day when attackers turn on each other, cannibalizing one another for cheap thrills and easy profits. But that’s the situation now, as phishers have begun going after the weakest among their kind: the lazy, unmotivated wannabe phisher with no skills.
Researchers at GFI Labs have stumbled upon a new tool that’s designed to automatically locate the sites where phishers store the login credentials that they’ve pilfered, and then steal them. Known as an auto-whaler, this kind of tool isn’t new in and of itself, but the one that GFI discovered – 666 auto-whaler – has some extra special functionality: it’s Trojaned.
So for the couch-bound would-be phisher who is trying to find the easy path to infamy and fortune, what he gets instead is a Trojaned tool that is designed to steal passwords. Attackers going after one another is not a remotely new phenomenon; it’s been going on for years with DDoS attacks flying back and forth between rival crews and hackers stealing one another’s tools.
But phishers, being fairly low on the hierarchy of the criminal underground, apparently are just getting around to the point of going after each other. In this case, the 666 auto-whaler drops a file called CryptedFile.exe in the victim’s temp folder, which turns out to be a password-stealing Trojan called Fignotok.
“Step up to the plate, Trojan-PWS.Win32.Fignotok.A (v) – a known password stealer that generally likes to dabble in everything from gaming account logins to Instant Messaging and more besides,” GFI’s Christopher Boyd wrote in an analysis of the attack. “Now, there may well be a legitimate version of this [666 auto-whaler] tool floating around out there. However, this thing that I have before me? I believe the phrase I’m looking for is ‘Lol, nope’.
“Password stealer creators targeting Whalers going after Phishers may sound like a humorously confusing mess of bad people hitting each other in the face with bricks – and don’t think I haven’t thought about it – but the gag quickly evaporates once Little Jimmy loses five sets of credit card details to the void.”