How do phishers choose their targets? Usually, it is relatively random. Occasionally, phishers will be able to hack into some online web application or ecommerce site and create a dump of the database along with victim email addresses and locations, but that’s not a common scenario. Most of the time, they use tools to extract email addresses from the web.
There are various kinds of tools that phishers use to facilitate building an email list. Recently, PhishLabs discovered a Spanish language tool called the “EVIL Code” email extractor.
It is a straightforward HTML page with a PHP backend. It allows the user to specify keywords to search for, select one of several search engines, and select the country (actually the language), which is specified as part of the search engine query. To get around the potential lack of system access to run wget or another utility to fetch the web search results, the PHP program opens a socket directly to the search engine web server. However, the PHP program does require write access to the local directory to save the results.
Just in case you don’t have access to a website to host your PHP email extractor, there are commercial software programs that run on Windows to do that job. On one phishing kit site, in addition to free kits you’ll find a version of the Tarantula email extraction software for Windows. Normally, this is commercial software that requires a license, but Dr. Jad or Jihad-One was also kind enough to provide a crack that removes the licensing requirement.
Like the PHP extractor, this software allows you to select search engines to use and query terms, but it lacks country/language support. However, it has some nice status indicators that show you a total number of results returned, URLs spidered, elapsed time, etc.
In our tests of these tools, both performed similarly. On average, they return about one email address per page spidered and roughly 100 email addresses per minute.
We’ll be sharing these tools with our friends at the major search engines so that they might limit the ability of phishers to harvest email addresses. Obviously, the best advice we can give is not to publish your email address anywhere it could eventually end up being indexed in a search engine. You can visit our T2 Employee Defense Training page for more information on spear phishing protection.