Monday, October 08, 2007
Assessing a Rock Phish Campaign
The majority of Rock Phish campaigns usually take advantage of a single domain that's hosting numerous different phishing scams targeting different financial organizations. However, another trend is slowly emerging and that is the development of phishing domain farms, either taking advantage of a shared hosting as you can see in the graph on the left, or fast-fluxing the campaigns to increase the average time a phishing site remains online. Here's the interesting part acting as proof on the emerging trend of so called malicious economies of scale, and also, showcasing Rock Phish's effiency vs security trade off due to the centralization of the campaign on a single IP only. In this campaign we see a single IP (126.96.36.199) hosting 38 rock phish domains, that on the other hand in a typical Rock Phish style host multiple phishing pages targeting different companies.
Meanwhile, there's still a lot of confusion going on about what exactly Rock Phish is, and as you can see in this article, it's wrongly implied that it's some sort of a phisher's group :
"Nobody knows exactly who or what Rock Phish are -- whether it's one person or a group of people -- but security researchers believe Rock Phish is behind as many as half of all phishing attacks on the Web. Fast flux is a method by which a domain name that phishers use has multiple IP addresses assigned to it. The phishers switch those domains quickly between the addresses so that it's not as easy to find or shut down the phishing sites."
"Of particular concern is an increase in “rock phishing,” originated by the Rock Phish Gang based in Eastern Europe. Rock phishers use stolen information to register and rapidly cycle through domain names and IP addresses. They obscure their origin with botnets, which automate unwitting consumers’ computers to send out spam."
In reality, Rock Phish is a script taking advantage of the now commoditized phishing pages of each and every web property and company that is a potential victim, hosted on a single domain in order to achieve efficiency. Once the script and the phishing pages are in the wild, the entry barriers into phishing scams become significantly lower allowing novice phishers to easily launch what used to a professional phishing campaign much easier than ever.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. PGP Key ID: 83BF0DBA Phone: +1 646 419 4540 Approach me firstname.lastname@example.org