Phishing By Numbers

By Ericka Chickowski Print this article Print

Baseline goes under the hood of an area of security that most IT and business managers know little about. Learn what it takes to combat rock phishing.

In a traditional phish attack the criminals look to purchase a domain very similar to the target organization’s domain in order to better fool the user. For example, if it is ABC Bank the hacker might try to buy up sites such as ABCc.com or ABC1.com and launch a fraudulent look-alike site from that domain. But once that site is discovered it will have a short shelf life once the authorities pull the plug on the domain.

With a rock phishing kit, the crooks can take a generic site from a less-regulated top level domain and then create thousands of phony subdomains to launch attacks at multiple phish targets and against different users. So from a domain like 123.hk, the rock phish kit can create sites such as 123.hk/abc, 123.hk/ABCBank, and so on. It not only gives phishers the ability to create many phony sites based on a single domain name in order to send unique links to small subsections of users, but to also launch attacks on multiple phishing targets from the same domain. So from a single site a rock phisher could have fake sites replicating dozens of bank, retail and online auction site log-in pages.

“This means they can target a wider audience,” said Guillaume Lovet, manager of the Threat Response Team at the security firm Fortinet. “Because phishing is like a shot in the dark—you’re hoping the recipient banks at that precise bank, otherwise its not going to work. If you bank at Wells Fargo you aren’t going to try log in at Wachovia bank. So the more banks (they replicate) the wider the audience they can potentially target.”

And because the root domains are often registered with TLDs located in countries with few laws against phishing, many authorities have a harder time getting the registrar to shut them down in a timely fashion, Shraim says.

In addition, the phish kits are designed to harness the power of botnets and fast flux networks. The compromised systems within the botnet are used as a layer of proxy servers that connect the phishing victim to the fraudulent subdomain.  This so-called fast-flux network quickly switches the proxy IP address associated with each subdomain based on whatever interval the criminal determines, typically anywhere between a couple of minutes and a few hours. This way, the site is being bounced from one system to another so fast that by the time a security company asked an ISP to shut down the offending address it is no longer the one responsible for the attack.

All of this is designed to give the crooks more time to cast their nets for user credentials and personal information before they are detected, Shraim says.

“Rock phish is basically extending the livelihood of a phish attack on the internet,” he said.

According to the study done at Cambridge, a criminal typically gets about quadruple the amount of time to perpetrate a rock phish attack using fast flux networks than an attack using traditional phish infrastructure.

Rock phishing also gives the crooks a better economy of scale through automation and makes it more accessible to those without the coding chops to execute other kinds of online scams.

“The biggest thing about rock phishing is that it has made it more mass reproducible,” Cowings said, explaining that automated rock phishing kits are meant to be used even by non-technical users. “When you look at it, it is the same thing that followed suit with the development of spam. First it was sent out manually, then they started compromising machines to send from, then they started selling spamming kits to individuals to make money faster. Then there were mass mailing worms, then mass mailing worm kits. In this case there was phishing and now there are phishing kits.”

The greater ease of use offered by rock phish and similar kits has afforded the criminals the opportunity to expand their base of targets. According to a <a href=” http://www.antiphishing.org/reports/apwg_report_nov_2007.pdf “>recent Anti Phishing Working Group</a>, the number of brands targeted by phishing attacks increased by 48 percent between November 2006 and November 2007. While financial organizations still remain the most popular type of targets, rock phishers are also preying on more retail organizations, data brokers and even job sites.

 “That mass explosion to multiple verticals that tells you the scheme is quite effective from their perspective,” Shraim said with an additional warning that “any entity, any brand that has a reputation on the internet and does online transaction on the web and the ability to purchase or to sell or controls critical data that pertains to user identity should be concerned about the phenomenon of rock phish attacks. Remember this is theft on the internet. Theft is theft, it is not going to discriminate between dollars, euros, cameras or data—they’ll take whatever they can trade and manipulate and steal.”

This expansion into other sectors is what is driving experts such as Shraim, Cowings and Lovet to warn all enterprises to be wary of the additional threat posed by rock phishing. Integral in that is finding a vendor that is willing to work thoroughly to mitigate the risks posed by rock phishing to an organization.

“There are so many pieces that we need to go after in order for us to have a successful protection package,” Shraim said. “what you have to do is attack multiple front to win the battle—have to go to the registrar to disable the domain name, you have to go to the ISP to disable the scam by which the attack is residing on within that hacked server you also have to go after a proxy server, and who controls the command and control.”

In addition, organizations that find themselves the target of a phish rash may also have to worry about protecting themselves from withering distributed denial of service (DDOS) attacks.

“Sometimes in the course of rock phish attacks, they can launch a DDOS attack which is directly associated with the rock phish attack,” Shraim said, explaining that the attackers like to set the phishing messages to reply to the phished organization’s addresses in the event of bounced messages. “The entity being rock phished is getting millions of emails every fraction of a second and mail gateways are flooded with bounced emails, so the entity will be very busy trying to diffuse the DDOS attack against their mail servers while the rock phish campaign is happening.”

Beyond searching for the right anti-phishing vendor, there are other steps an organization can take to mitigate the risk of becoming a rock phish target. MarkMonitor, for one, suggests organizations build their back end systems to make it harder for phishers to take advantage of stolen credentials. Better monitoring and anti-fraud engines built into the infrastructure can make it more difficult for phishers to perpetrate the fraud. In conjunction with this, Shraim’s security team also suggests utilizing e-mail authentication technology such as SenderID or Domain Keys Identified Mail (DKIM) on e-mail systems to make it harder for phishers to send spoofed e-mail to users.

Finally, all the experts agree that user education still remains important in fighting rock phishing. Teaching users to identify rock phishing address patterns should be part of a phish fighting program. From there, security pros also suggest taking advantage of an enlightened user base to help finger the bad guys. This can be done by making it easier for consumers to report potential phish attempts through a visible link on the organization’s site and a well publicized e-mail address specifically for reporting.

Taking the proper countermeasures against rock phishing will not only help users, but could also be the key to protecting an organization’s brand.

“The biggest reason why phishing has an impact on enterprises is not necessarily based on the amount the company loses due to fraud but due to consumer confidence,” Cowings said. “If consumers are scared to use online services (organizations) actually lose money in the long run. Where we need to move to is to get people to feel confident that they can use online services safely.”

This article was originally published on 2008-02-19
eWeek eWeek

Have the latest technology news and resources emailed to you everyday.