Washington, DC.  While there may well be some very smart people that are profiting from phishing, a pair of security researchers at Black Hat have argued that most aren't all that bright.

In a presentation titled, "Bad Sushi Beating Phishers at Their Own Game" researchers Nitesh Dhanjani and Billy Rios demonstrated (sometimes with hilarious detail) how many phishing attempts are basic and not the work of sophisticated ninja hackers.

 The researchers' argued that many phishers use readily available phishing kits. Dhanjani noted that though there are many different phishing kits that he could find online for the most part they're all quite similar since a lot of the functionality is stolen from each other (so one kit steals from another and vice versa).

To add further insult, Dhanjani argued that many of the kits are using basic PHP scripts that aren't exactly rocket science either. 

In Dhanjani's view what the code reuse in phishing kits means is that 1) Phishers are lazy 2) The phisher didn't know how to create the kit themselves and 3) They just want to get up and running ASAP.

Even better Rios explained that he found further evidence of phishers ripping off other phishers. Rios told the capacity audience that he was able to find a blacklist for blacklisters.  That is a list of phishers that other phishers didn't want to do business with because they had been wronged in some way. Rios commented that one list he found had 3500 people on it.

Talk about honor among thieves. Apparently there isn't any when it comes to phishers.

"Phishers are not always one step ahead of us the reality is that they rely on infrastructure that is already in place to help them to do what they need to do," Rios said. "It's good that these people are not as technically savvy as ninja hackers but it's bad because basically anyone can do this."