Friday, April 06, 2007

Phishing: Peeling The Covers Off of Rock

Jose Nazario writes on the Arbor Networks Security Blog:

For the past couple of years, at least, we have been watching a sophisticated, disciplined phishing scheme targeting dozens of banks around the world. By some estimates, “Rock” is responsible for about half of all phishing in the world. Rock phishes have a pretty simple set of characteristics to them:

  • They are advertised in image spam, using junk text and a link in the image to the phishing site.
  • Each phishing site has a number of unique URLs pointing to it, each URL with minor hostname variants to confound blacklists. Each URL is spammed in limited quantities to make blocking and URL sharing harder without a lot of visibility.
  • Each phishing host just silently proxies the attack to a central phishing server to ease data collection.
  • DNS resolution of those URLs changes several times an hour.
  • Rock phish events target dozens of brands at once.
  • Rock phish URLs have a characteristic structure to them (too complex to describe here).

The Rock phish kit is not publicly available, does not appear to be in use by anyone else (although some basic copycats are emerging), and has a scale far beyond any other phishing schemes. It’s not to say that people haven’t been investigating; the data is just limited and peeling back the layers is tough.

Very nice write-up, Jose!

More here.
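
Two of the traits listed in the quote, many hostname variants per site and DNS answers that change several times an hour, can be checked for together on the defensive side. The sketch below is an added example, not code from the Arbor write-up or from this blog, and it does not model the Rock-specific URL structure, which the post does not describe. The thresholds, the function names, the naive "last two labels" domain rule and the sample data (reserved documentation names and addresses) are all assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

def registered_domain(host):
    # Assumption: naive "last two labels"; use the Public Suffix List in practice.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def cluster_urls(urls):
    """Group URLs that differ only in hostname labels under one domain and path."""
    clusters = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        clusters[(registered_domain(parts.hostname), parts.path)].add(parts.hostname)
    return clusters

def max_changes_per_hour(observations):
    """Per domain, the most A-record changes seen inside any 3600 s window."""
    changes, last_ip = defaultdict(list), {}
    for ts, host, ip in sorted(observations):
        if host in last_ip and last_ip[host] != ip:
            changes[registered_domain(host)].append(ts)  # answer changed at ts
        last_ip[host] = ip
    best = {}
    for domain, stamps in changes.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= 3600:  # slide window to one hour
                start += 1
            best[domain] = max(best.get(domain, 0), end - start + 1)
    return best

def flag_domains(urls, observations, min_hosts=3, min_changes=3):
    """Domains with many hostname variants AND fast-changing resolution."""
    churn = max_changes_per_hour(observations)
    hosts = defaultdict(set)
    for (domain, _path), names in cluster_urls(urls).items():
        if len(names) >= min_hosts:
            hosts[domain] |= names
    return sorted(d for d in hosts if churn.get(d, 0) >= min_changes)

# Constructed sample data: (unix_ts, hostname, resolved_ip) and reported URLs.
URLS = ["http://%s.example.net/login/" % h for h in ("a1", "a2", "b7")]
URLS.append("http://www.example.org/news/")
OBSERVATIONS = [
    (0, "a1.example.net", "192.0.2.10"), (900, "a1.example.net", "192.0.2.77"),
    (1800, "a1.example.net", "198.51.100.5"), (2700, "a1.example.net", "203.0.113.9"),
    (0, "www.example.org", "192.0.2.1"), (7200, "www.example.org", "192.0.2.1"),
]
```

Collapsing reports to the registered domain is what lets a blocklist entry cover every spammed hostname variant at once, rather than chasing each URL individually.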
