Data has become the hacker’s currency. More data, more money. So the attack logic is simple: the more attacks, the more likely a victim, so you automate. But an interesting variation has emerged. A few months ago, Imperva’s ADC research team witnessed a phishing campaign built on a new business model. In this scheme, a master hacker wrote a phishing toolkit for other hackers to use. The “proxy” hackers downloaded the kit, chose a phishing site using a simple GUI dashboard and, just like that, the proxy hackers were good to go.

The popularity of the kit soared because, unlike traditional phishing setups where hackers are required to set up and allocate storage for the data collection, this kit removed that back-office work from the “proxy” hacker. The master hacker had actually provided “cloud storage” with his kit for the fraudulently obtained credentials. The credentials, once retrieved, would go to the cloud storage and reside in a location allocated only for the single “proxy” hacker. Controls were set such that one proxy hacker could not access the allocation area of another proxy hacker. The proxy hackers could continue with their attacks without ever worrying about being cheated by a fellow hacker.

But this kit had a twist: although access to the credentials storage was secured from the eyes of fellow proxy hackers, this was not the case with the master hacker. A backdoor on the storage system allowed the master hacker who wrote the kit to view all of these credentials. In reality, then, all the proxy hackers were gathering credentials for the master hacker!

Now consider the scenario: assume each proxy hacker gains a dozen credentials, and a thousand hackers have downloaded the kit. That’s already over 10K worth of valuable data without the master hacker ever needing to dirty his hands with the actual target! In fact, the master hacker boasted some 200K downloads. This number may well be exaggerated, but the point is clear: the kit is in wide use.