A four-month investigation into the inner workings of the phishing scourge that drives identity theft attacks has uncovered an underground ecosystem of compromised Web servers, do-it-yourself phishing kits, brazen credit card thieves and lazy code copycats.

At the Black Hat DC Briefings here, security researchers Billy Rios and Nitesh Dhanjani shared the findings of their investigation into the phishing epidemic and warned that the whack-a-mole approach to disabling fake banking sites is a huge waste of time. "I was floored by what’s out there," Rios said. "They call them "fullz" on the phishing sites … full names, credit card numbers, ATM numbers with PIN codes, social security numbers, addresses, phone numbers, all publicly available. It’s staggering." Black Hat Lifts the Cover Off ID Theft Phishing Networks