Inside Rock Phishing

Phishing is no longer a worry solely for eBay, PayPal and the major banks. Thanks to a sophisticated attack technique dubbed rock phishing, the range of targets has widened and the attacks have become more pervasive, longer lasting and harder to block.

Rock phishing gained its funny name back in 2005 when security researchers first noticed the phenomenon. They were seeing a large number of phishing sites crop up in a recognizable pattern, where a single malicious domain acted as the seed for many unique phishing subdomains. One unifying factor of these sites was that, at the time, most had subdirectories containing the word ‘rock’ within their URLs.

As researchers looked into the increasing number of these phishing sites, two things became evident. First, this massive volume of sites was being generated by an automated kit. And second, the kit was the handiwork of a shadowy group of criminals they dubbed the “Rock Phish Gang.”

According to a study conducted by researchers from Cambridge University, more than 50 percent of the more than 35,000 unique phishing attacks observed between February and April 2007 were rock phish attacks perpetrated by this gang.

But it isn’t just the Rock Phish Gang getting in on the rock phish act any more.

“Now it is many gangs and is basically a technique that is being duplicated across the Internet by online thieves that would like to steal from anyone who is available to be stolen from,” said Ihab Shraim, Chief Security Officer for MarkMonitor, an enterprise brand protection company.

The gang’s method has proliferated throughout the Internet—its brainchild worked so well that other criminals were attracted to replicate the code or make their own kits.

“A lot of other phishing kits are starting to just get referred to as rock phish, where it is almost synonymous with phishing kits—sort of like Kleenex with tissue,” said David Cowings, senior manager of operations for Symantec Security Response. “It started out with one individual group (using them) but now it has turned into open source code which everyone uses for their own means.”

Since its first discovery, the sites that rock phishing kits produce no longer use the telltale “rock” within their addresses—that string became too easy for security filters to match. However, the moniker remains—even if it is sometimes confusing, since it refers to the gang that invented the technique, to the technique itself and to the kits that carry it out.
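The two paragraphs above describe the pattern defenders originally matched on (a ‘rock’ directory in the URL path) and why that marker stopped working. The following script, added here as an illustration and not code from the article or from any of the companies quoted, shows a filter that does not depend on the word: it clusters URLs from a URL feed by their seed domain and flags a seed when many distinct brand-bearing subdomains all point at one identical path. The sample URL feed, the brand watch-list and the `seed-example.net` style hostnames are constructed for the example; the registrable-domain helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample feed, as a defender might pull it from spam-trap mail.
# Hostnames are illustrative placeholders, not real indicators.
SAMPLE_URLS = [
    # Early-style kit: the tell-tale "rock" directory is still present.
    "http://www.bank-example.com.a1b2.seed-example.net/rock/login.php",
    "http://secure.paypal-example.com.c3d4.seed-example.net/rock/login.php",
    "http://signin.ebay-example.com.e5f6.seed-example.net/rock/login.php",
    "http://online.bank-example.com.g7h8.seed-example.net/rock/login.php",
    # Later-style kit: marker dropped, but the structural pattern is unchanged.
    "http://www.paypal-example.com.k1.second-seed-example.org/cgi-bin/webscr.php",
    "http://my.ebay-example.com.k2.second-seed-example.org/cgi-bin/webscr.php",
    "http://online.bank-example.com.k3.second-seed-example.org/cgi-bin/webscr.php",
    "http://bank-example.com.k4.second-seed-example.org/cgi-bin/webscr.php",
    # Ordinary site with several subdomains and varied paths: must not trip.
    "http://news.legit-example.org/articles/2007/phishing.html",
    "http://www.legit-example.org/about.html",
    "http://mail.legit-example.org/inbox",
    "http://shop.legit-example.org/cart",
]

# Constructed watch-list of brand tokens that kits embed in the subdomain part.
BRAND_TOKENS = ("paypal", "ebay", "bank")


def registrable_domain(host: str) -> str:
    """Return the seed (registrable) domain of a hostname.

    Simplification for the example: take the last two labels. Production code
    should consult the Public Suffix List so that e.g. "example.co.uk" is not
    split as "co.uk".
    """
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def has_legacy_marker(url: str) -> bool:
    """True if the URL path still carries the historical "rock" directory."""
    segments = urlparse(url).path.lower().strip("/").split("/")
    return "rock" in segments


def cluster_by_seed(urls):
    """Group URLs by seed domain, tracking hosts, paths and brand-bearing hosts."""
    clusters = defaultdict(lambda: {"hosts": set(), "paths": Counter(),
                                    "brand_hosts": set(), "urls": []})
    for url in urls:
        parsed = urlparse(url)
        host = parsed.hostname
        if not host:
            continue
        seed = registrable_domain(host)
        cluster = clusters[seed]
        cluster["hosts"].add(host)
        cluster["paths"][parsed.path] += 1
        cluster["urls"].append(url)
        # Everything left of the seed domain is where kits put the spoofed brand.
        prefix = host.lower()[: -len(seed)].rstrip(".")
        if any(token in prefix for token in BRAND_TOKENS):
            cluster["brand_hosts"].add(host)
    return clusters


def flag_rock_phish_seeds(urls, min_hosts=3, path_share=0.75):
    """Flag seed domains that show the rock-phish structure.

    A seed is flagged when at least `min_hosts` distinct hostnames hang off it,
    at least `min_hosts` of them carry a brand token in the subdomain part, and
    a single path accounts for `path_share` or more of all observed URLs.
    The legacy "rock" marker is reported but is not required for a hit.
    """
    flagged = {}
    for seed, cluster in cluster_by_seed(urls).items():
        host_count = len(cluster["hosts"])
        if host_count < min_hosts:
            continue
        top_path, top_count = cluster["paths"].most_common(1)[0]
        shares_path = top_count / sum(cluster["paths"].values()) >= path_share
        branded = len(cluster["brand_hosts"]) >= min_hosts
        if shares_path and branded:
            flagged[seed] = {
                "host_count": host_count,
                "shared_path": top_path,
                "legacy_marker": any(has_legacy_marker(u) for u in cluster["urls"]),
            }
    return flagged


if __name__ == "__main__":
    for seed, info in flag_rock_phish_seeds(SAMPLE_URLS).items():
        print(seed, info)
```

Running the block flags both constructed seed domains, with `legacy_marker` true only for the first, while the ordinary site with four subdomains and four different paths is left alone. In practice the thresholds would be tuned against a real feed, and a seed that is flagged is a candidate for a takedown request or a block on the whole registrable domain rather than on individual subdomains, which a kit can mint faster than they can be listed.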

Like traditional phishing attacks, a rock phish attempt is geared toward gaining a vital piece of information from the user to hijack an account or steal an identity. But even though the name of the game is very similar, these attacks are very different behind the curtains.

“This is not your standard phish attack where you spoof the headers of the email and you try to lure the user to click on a URL,” Shraim said. “It uses multiple tactics: botnets, fast flux networks, proxies, traffic load balancers and redirectors, as well as DNS record manipulation. The combination is used in one attack. This is more sophisticated, more targeted and quite relentless (compared to a standard phish).”
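Shraim lists fast flux networks and DNS record manipulation among the tactics combined in one attack. As an added example, not from the article or from MarkMonitor, the script below shows the kind of passive-DNS check a defender can run to surface a fast-flux hostname: it parses a resolver log, and for each hostname counts distinct answer IPs, how many distinct /24 prefixes they span, and the lowest TTL seen. The log format (`epoch hostname answer_ip ttl`), the hostnames and the addresses (all from documentation ranges) are constructed for the example; the thresholds are assumptions to be tuned, not values from the page.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log, one observation per line: "epoch hostname ip ttl".
# Addresses are from RFC 5737 documentation ranges; none are real indicators.
SAMPLE_RESOLVER_LOG = """\
1170000000 login.seed-example.net 198.51.100.14 180
1170000200 login.seed-example.net 203.0.113.77 180
1170000400 login.seed-example.net 192.0.2.201 180
1170000600 login.seed-example.net 198.51.100.250 180
1170000800 login.seed-example.net 203.0.113.9 180
1170001000 login.seed-example.net 192.0.2.33 180
1170000000 www.legit-example.org 192.0.2.10 3600
1170000600 www.legit-example.org 192.0.2.10 3600
1170001200 www.legit-example.org 192.0.2.10 3600
1170000000 cdn.legit-example.org 198.51.100.20 60
1170000300 cdn.legit-example.org 198.51.100.21 60
1170000600 cdn.legit-example.org 198.51.100.22 60
"""


def parse_resolver_log(text):
    """Parse the constructed log format into a list of observation dicts.

    Malformed lines are skipped rather than aborting the whole run, which is
    what you want when the input is a large, partly corrupted capture.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, ip, ttl = parts
        try:
            records.append({
                "ts": int(ts),
                "host": host.lower().rstrip("."),
                "ip": ipaddress.ip_address(ip),
                "ttl": int(ttl),
            })
        except ValueError:
            continue
    return records


def summarize_hosts(records):
    """Per hostname: distinct IPs, distinct /24 prefixes, min TTL, observations."""
    summary = defaultdict(lambda: {"ips": set(), "prefixes": set(),
                                   "min_ttl": None, "observations": 0})
    for rec in records:
        s = summary[rec["host"]]
        s["ips"].add(rec["ip"])
        # Spread across unrelated /24s is the signal that separates a botnet
        # of compromised home machines from one provider's server pool.
        s["prefixes"].add(ipaddress.ip_network(f"{rec['ip']}/24", strict=False))
        s["min_ttl"] = rec["ttl"] if s["min_ttl"] is None else min(s["min_ttl"], rec["ttl"])
        s["observations"] += 1
    return summary


def flag_fast_flux(records, min_ips=5, max_ttl=300, min_prefixes=2):
    """Flag hostnames whose answers churn through many IPs on short TTLs.

    Thresholds are assumptions for the example: at least `min_ips` distinct
    addresses spanning at least `min_prefixes` different /24s, with a TTL at
    or below `max_ttl` seconds.
    """
    flagged = {}
    for host, s in summarize_hosts(records).items():
        if (len(s["ips"]) >= min_ips
                and len(s["prefixes"]) >= min_prefixes
                and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl):
            flagged[host] = {
                "distinct_ips": len(s["ips"]),
                "distinct_prefixes": len(s["prefixes"]),
                "min_ttl": s["min_ttl"],
                "observations": s["observations"],
            }
    return flagged


if __name__ == "__main__":
    for host, info in flag_fast_flux(parse_resolver_log(SAMPLE_RESOLVER_LOG)).items():
        print(host, info)
```

Only `login.seed-example.net` is flagged: six addresses across three unrelated /24s on a 180-second TTL. The constructed CDN hostname also uses a short TTL and rotates addresses, but they sit in one /24 and there are too few of them, which is the caveat to keep in mind: low TTLs and address rotation are also how legitimate content delivery networks behave, so a check like this belongs alongside an allow-list and the URL-structure signals rather than on its own.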