Inside Rock Phishing

 
 
By Ericka Chickowski  |  Posted 2008-02-19
 
 
 

Phishing is no longer a worry solely in the domain of eBay, PayPal and major financial banks. Thanks to a sophisticated attack dubbed rock phishing, the targets of phishing attacks have widened and the attacks have become more pervasive, longer lasting and harder to block.

Rock phishing gained its funny name back in 2005 when security researchers first noticed the phenomenon. They were seeing a large number of phishing sites crop up in a pattern-like manner, where a single malicious domain could act as seed for many unique phishing subdomains. One of the unifying factors of all these sites was that at the time most had subdirectories containing the word ‘rock’ within them.

As researchers looked into the increasing number of these types of phishing sites two things became evident.  First, this massive volume of sites was being generated by an automated kit. And second, the kit was the handiwork of a shadowy group of criminals they dubbed the “Rock Phish Gang.”

According to a study conducted by researchers from Cambridge University, more than 50 percent of more than 35,000 unique phishing attacks between February and April 2007 were rock phish attacks perpetrated by this gang.

But it isn’t just the Rock Phish Gang getting in on the rock phish act any more.

“Now it is many gangs and is basically a technique that is being duplicated across the Internet by online thieves that would like to steal from anyone who is available to be stolen form,” said Ihab Shraim, Chief Security Officer for MarkMonitor, an enterprise brand protection company.

The gang’s method has proliferated throughout the Internet—its brainchild worked so well that other criminals were attracted to replicate the code or make their own kits.  

 “A lot of other phishing kits are starting to just get referred to as rock phish, where it is almost synonymous with phishing kits—sort of like Kleenex with tissue,” said David Cowings, senior manager of operations for Symantec Security Response. “It started out with one individual group (using them) but now it has turned into open source code which everyone uses for their own means.”

Since its first discovery, rock phishing’s productive sites no longer use the telltale “rock” within their addresses—they became too easily detectable by security filters set to look for the word. However, the moniker remains—even if it is sometimes confusing since it refers to the gang that invented it, the method itself and to the kits that perpetrate it.

Like traditional phishing attacks, a rock phish attempt is geared toward gaining a vital piece of information from the user to hijack an account or steal an identity. But even though the name of the game is very similar, these attacks are very different behind the curtains.

“This is not your standard phish attack where you spoof the headers of the email and you try to lure the user to click on a URL,” Shraim said. “It uses multiple tactics: botnets, fast flux networks, proxies, traffic load balancers and redirectors, as well as DNS record manipulation. The combination is used in one attack. This is more sophisticated, more targeted and quite relentless (compared to a standard phish).”

In a traditional phish attack the criminals look to purchase a domain very similar to the target organization’s domain in order to better fool the user. For example, if it is ABC Bank the hacker might try to buy up sites such as ABCc.com or ABC1.com and launch a fraudulent look-alike site from that domain. But once that site is discovered it will have a short shelf life once the authorities pull the plug on the domain.

With a rock phishing kit, the crooks can take a generic site from a less-regulated top level domain and then create thousands of phony subdomains to launch attacks at multiple phish targets and against different users. So from a domain like 123.hk, the rock phish kit can create sites such as 123.hk/abc, 123.hk/ABCBank, and so on. It not only gives phishers the ability to create many phony sites based on a single domain name in order to send unique links to small subsections of users, but to also launch attacks on multiple phishing targets from the same domain. So from a single site a rock phisher could have fake sites replicating dozens of bank, retail and online auction site log-in pages.

“This means they can target a wider audience,” said Guillaume Lovet, manager of the Threat Response Team at the security firm Fortinet. “Because phishing is like a shot in the dark—you’re hoping the recipient banks at that precise bank, otherwise its not going to work. If you bank at Wells Fargo you aren’t going to try log in at Wachovia bank. So the more banks (they replicate) the wider the audience they can potentially target.”

And because the root domains are often registered with TLDs located in countries with few laws against phishing, many authorities have a harder time getting the registrar to shut them down in a timely fashion, Shraim says.

In addition, the phish kits are designed to harness the power of botnets and fast flux networks. The compromised systems within the botnet are used as a layer of proxy servers that connect the phishing victim to the fraudulent subdomain.  This so-called fast-flux network quickly switches the proxy IP address associated with each subdomain based on whatever interval the criminal determines, typically anywhere between a couple of minutes and a few hours. This way, the site is being bounced from one system to another so fast that by the time a security company asked an ISP to shut down the offending address it is no longer the one responsible for the attack.

All of this is designed to give the crooks more time to cast their nets for user credentials and personal information before they are detected, Shraim says.

“Rock phish is basically extending the livelihood of a phish attack on the internet,” he said.

According to the study done at Cambridge, a criminal typically gets about quadruple the amount of time to perpetrate a rock phish attack using fast flux networks than an attack using traditional phish infrastructure.

Rock phishing also gives the crooks a better economy of scale through automation and makes it more accessible to those without the coding chops to execute other kinds of online scams.

“The biggest thing about rock phishing is that it has made it more mass reproducible,” Cowings said, explaining that automated rock phishing kits are meant to be used even by non-technical users. “When you look at it, it is the same thing that followed suit with the development of spam. First it was sent out manually, then they started compromising machines to send from, then they started selling spamming kits to individuals to make money faster. Then there were mass mailing worms, then mass mailing worm kits. In this case there was phishing and now there are phishing kits.”

The greater ease of use offered by rock phish and similar kits has afforded the criminals the opportunity to expand their base of targets. According to a <a href=” http://www.antiphishing.org/reports/apwg_report_nov_2007.pdf “>recent Anti Phishing Working Group</a>, the number of brands targeted by phishing attacks increased by 48 percent between November 2006 and November 2007. While financial organizations still remain the most popular type of targets, rock phishers are also preying on more retail organizations, data brokers and even job sites.

 “That mass explosion to multiple verticals that tells you the scheme is quite effective from their perspective,” Shraim said with an additional warning that “any entity, any brand that has a reputation on the internet and does online transaction on the web and the ability to purchase or to sell or controls critical data that pertains to user identity should be concerned about the phenomenon of rock phish attacks. Remember this is theft on the internet. Theft is theft, it is not going to discriminate between dollars, euros, cameras or data—they’ll take whatever they can trade and manipulate and steal.”

This expansion into other sectors is what is driving experts such as Shraim, Cowings and Lovet to warn all enterprises to be wary of the additional threat posed by rock phishing. Integral in that is finding a vendor that is willing to work thoroughly to mitigate the risks posed by rock phishing to an organization.

“There are so many pieces that we need to go after in order for us to have a successful protection package,” Shraim said. “what you have to do is attack multiple front to win the battle—have to go to the registrar to disable the domain name, you have to go to the ISP to disable the scam by which the attack is residing on within that hacked server you also have to go after a proxy server, and who controls the command and control.”

In addition, organizations that find themselves the target of a phish rash may also have to worry about protecting themselves from withering distributed denial of service (DDOS) attacks.

“Sometimes in the course of rock phish attacks, they can launch a DDOS attack which is directly associated with the rock phish attack,” Shraim said, explaining that the attackers like to set the phishing messages to reply to the phished organization’s addresses in the event of bounced messages. “The entity being rock phished is getting millions of emails every fraction of a second and mail gateways are flooded with bounced emails, so the entity will be very busy trying to diffuse the DDOS attack against their mail servers while the rock phish campaign is happening.”

Beyond searching for the right anti-phishing vendor, there are other steps an organization can take to mitigate the risk of becoming a rock phish target. MarkMonitor, for one, suggests organizations build their back end systems to make it harder for phishers to take advantage of stolen credentials. Better monitoring and anti-fraud engines built into the infrastructure can make it more difficult for phishers to perpetrate the fraud. In conjunction with this, Shraim’s security team also suggests utilizing e-mail authentication technology such as SenderID or Domain Keys Identified Mail (DKIM) on e-mail systems to make it harder for phishers to send spoofed e-mail to users.

Finally, all the experts agree that user education still remains important in fighting rock phishing. Teaching users to identify rock phishing address patterns should be part of a phish fighting program. From there, security pros also suggest taking advantage of an enlightened user base to help finger the bad guys. This can be done by making it easier for consumers to report potential phish attempts through a visible link on the organization’s site and a well publicized e-mail address specifically for reporting.

Taking the proper countermeasures against rock phishing will not only help users, but could also be the key to protecting an organization’s brand.

“The biggest reason why phishing has an impact on enterprises is not necessarily based on the amount the company loses due to fraud but due to consumer confidence,” Cowings said. “If consumers are scared to use online services (organizations) actually lose money in the long run. Where we need to move to is to get people to feel confident that they can use online services safely.”