Thursday, July 26, 2007

Confirm Your Gullibility

The Rock Phish kit in action. A .info domain registered yesterday is faking a Royal Bank of Scotland Customer Confirmation Form, and it is a great indication of the convergence of spam and phishing, a cooperation that is part of the phishing ecosystem.

Message source spoofed from : corporateclients.refj2225451hh.ib @ rbs.co.uk

Message content : Dear Royal Bank of Scotland customer,
The Royal Bank of Scotland Customer Service requests you to complete Digital Banking Customer Confirmation Form (CCF). This procedure is obligatory for all customers of the Royal Bank of Scotland. Please select the hyperlink and visit the address listed to access Digital Banking Customer Confirmation Form (CCF). Again, thank you for choosing the Royal Bank of Scotland for your business needs. We look forward to working with you. ***** Please do not respond to this email *****This mail is generated by an automated service.


Sender's IP : Listed by only one of the popular anti-spam blacklists
Domain info : buhank.info ; 81.215.226.34 ; Created On: 25-Jul-2007 18:53:03 UTC ; Expiration Date: 25-Jul-2008 18:53:03 UTC.

HTTP/1.1 200 OK
Date: Wed, 25 Jul 2007 22:21:30 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7f PHP/4.4.4 mod_perl/1.29 FrontPage/5.0.2.2510
Last-Modified: Tue, 26 Jun 2007 19:05:56 GMT
ETag: "e6c64f-23f9-46816394"
Accept-Ranges: bytes
Content-Length: 9209
Content-Type: text/html

The main index returns a "209 Host Locked" message, typical for Rock Phish.

Phishing URL : sessionid-02792683.rbs.co.uk.buhank.info/customerdirectory/direct/ccf.aspx
Original URL : rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp
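
The phishing URL above puts the bank's real domain in the leftmost labels of a host that is actually registered under buhank.info. A minimal detection sketch for that pattern follows; it is an added example, not part of the original post, and the small suffix table (standing in for the full Public Suffix List), the watch list and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed table standing in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

# Hypothetical watch list of brand domains to protect.
PROTECTED = {"rbs.co.uk"}


def host_of(url):
    """Return the lowercased hostname; accepts URLs written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Domain as registered: last two labels, or three under a two-label suffix."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_brand(url, protected=PROTECTED):
    """Return (brand, registrable_domain) when a protected domain appears as
    subdomain labels of a host registered under a different domain, else None."""
    host = host_of(url).rstrip(".")
    reg = registrable_domain(host)
    if not reg or reg in protected:
        return None  # empty host, or genuinely on the brand's own domain
    prefix = host[: -len(reg)].rstrip(".")  # labels left of the registrable domain
    labels = prefix.split(".") if prefix else []
    for brand in sorted(protected):
        want = brand.split(".")
        for i in range(len(labels) - len(want) + 1):
            if labels[i:i + len(want)] == want:
                return brand, reg
    return None


if __name__ == "__main__":
    # The two URLs quoted in the post.
    for u in ("sessionid-02792683.rbs.co.uk.buhank.info/customerdirectory/direct/ccf.aspx",
              "rbs.co.uk/Bank_Online/logon_to_digital_banking/default.asp"):
        print(u, "->", embedded_brand(u))
```
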

It's cost-effective not to register a phishing domain for longer than a year, given its "lifetime", that's for sure. Having your own certificate authority is even better, provided they had actually implemented it, but there's no HTTPS option available, thus this phishing campaign is doomed to failure. And while the message and the spoofed site look relatively decent, the people behind this phishing campaign are newbies using the Rock Phish phishing kit. Efficiency of DIY phishing kits vs. the quality of the phishing site. More info on this campaign and Rock Phish, as well as SpamHaus.org's recent efforts on limiting the lifetime of Rock Phish domains.

Rock Phish screenshot courtesy of Fortinet.

Related posts :
Phishing Domains Hosting Multiple Phishing Sites
Interesting Anti-phishing Projects
Taking Down Phishing Sites - a Business Model?
Take this Malicious Site Down - Processing Order..
Anti-phishing Toolbars - Can You Trust Them?