Wednesday, September 12, 2007

209 Host Locked

Ever came across this fake error message? A "209 Host Locked" message on a fraudulent domain is the default indication that you're on a Rock Phish domain, that is a single domain hosting multiple phishing campaigns aimed at different financial institutions. And as more Royal Bank of Scotland phishing emails are cirtulating in the wild, these very same emails pointed me to a Chinese Rock Phish campaign which was shut down as of yesterday. What is different in this campaign, compared to the previous one? The phishers put more efforts into ensuring the phishing email gets through spam filters by using spacing, adding _ in front of random words, as well as the usual garbage content at the end of the email. All the URLs within the campaign are already in the Phishtank,'s wisdom of the anti-phishers crowd continues exposing Rock Phish domains on a daily basis, an effort worth keeping track of.

The Rock Phish Kit is the logical evolution from DIY phishing kits like the one I've already blogged about, however, both concepts are not mutually exclusive but apparently tend to work together. The DIY phishing kits on their part are largely used in the planning stage of the phishing campaign, that is, fake sites get generated and the data obtained forwarded to a single place, which is where Rock Phish starts getting used, namely, in the execution stage, where all the phishing pages generated get hosted on a single domain. Phishing efficiency vs Rock Phish's weakness due to centralization of numerous campaigns on a single domain - it's the phishers' trade-off. Within the phishing ecosystem, there's are numerous approaches phishers tend to use to achieve maximum efficiency, ones I've already discussed in a previous post. The most prolific problem to me remains phishing 1.0's "push" model that is still remarkably successful compared to the more advanced man in the middle phishing attacks and pharming. From my perspective, if a financial institution really wants to protect its customers from phishing scams, it would first segment the threat, evaluate its customer's perception of it and current level of awareness, and then start an educational campaign aiming to not teach them how to recognize whether a site is a phish or not, but how to report and ignore the "push" models emails that arrive in their mailboxes. From another rather pragmatic perspective, phishers don't just load images for their phish emails from the company's website, but also the majority of phishing emails redirect to the real web site after the data was submitted - an early warning system by itself.