Monday, October 08, 2007

Assessing a Rock Phish Campaign

The majority of Rock Phish campaigns usually take advantage of a single domain that's hosting numerous different phishing scams targeting different financial organizations. However, another trend is slowly emerging and that is the development of phishing domain farms, either taking advantage of a shared hosting as you can see in the graph on the left, or fast-fluxing the campaigns to increase the average time a phishing site remains online. Here's the interesting part acting as proof on the emerging trend of so called malicious economies of scale, and also, showcasing Rock Phish's effiency vs security trade off due to the centralization of the campaign on a single IP only. In this campaign we see a single IP (200.77.213.15) hosting 38 rock phish domains, that on the other hand in a typical Rock Phish style host multiple phishing pages targeting different companies.


Meanwhile, there's still a lot of confusion going on about what exactly Rock Phish is, and as you can see in this article, it's wrongly implied that it's some sort of a phisher's group :

"Nobody knows exactly who or what Rock Phish are -- whether it's one person or a group of people -- but security researchers believe Rock Phish is behind as many as half of all phishing attacks on the Web. Fast flux is a method by which a domain name that phishers use has multiple IP addresses assigned to it. The phishers switch those domains quickly between the addresses so that it's not as easy to find or shut down the phishing sites."


"Of particular concern is an increase in “rock phishing,” originated by the Rock Phish Gang based in Eastern Europe. Rock phishers use stolen information to register and rapidly cycle through domain names and IP addresses. They obscure their origin with botnets, which automate unwitting consumers’ computers to send out spam."

In reality, Rock Phish is a script taking advantage of the now commoditized phishing pages of each and every web property and company that is a potential victim, hosted on a single domain in order to achieve efficiency. Once the script and the phishing pages are in the wild, the entry barriers into phishing scams become significantly lower allowing novice phishers to easily launch what used to a professional phishing campaign much easier than ever.

Posted by Dancho Danchev at Monday, October 08, 2007