How to beat the attackers at their own game
In today’s world, organizations that conduct any business online are aware of the various threats that they may be subject to. While basic threats such as phishing attacks, worms and trojans are familiar terms for any IT or security professional, traditional methods associated with fraudulent activity have evolved to new and advanced levels of complexity.
These more sophisticated threats are not only increasingly difficult to pinpoint and control, they can cause extreme devastation to those impacted by this type of cyber crime. For example, there is the phenomenon known as rock phishing. This activity differs from traditional phishing attacks due to the significant difficulties encountered when attempting to shut fraudulent domains down. It is a prime example of how online attackers have evolved the techniques used to steal sensitive information from their victims.
With the abundance of sophisticated virtual threats such as rock phishing and others, it is imperative that organizations utilize Web monitoring technologies and services in addition to their own internal security procedures. This will ensure that the appropriate measures are put in place to prevent not only the company, but customers as well, from falling victim to these types of attacks.
In this article we will examine the rise of rock phishing, the ways in which this malicious type of online attack harms its victims and how companies can protect themselves from this new breed of cyber crime through continuous online vigilance and by ultimately gaining control over how they are represented online.
Rock phishers work by registering a large number of domains, which are used to host scripting files that send and receive information from the perpetrator’s main host. These types of attacks are hosted in such a way that they can be displayed on any compromised machine controlled by the perpetrators. Furthermore, advanced scripting set up by attackers allows the domains to move from ISP to ISP without any human intervention. Given that these types of online criminals have a deep knowledge of and experience in online exploitation, finding the source of and controlling damages done as a result of a rock phishing attack becomes extremely challenging.
In order to understand the “underpinnings” of rock phishing and mitigation options, perhaps it is best to start with a bit of history. Phishing – the act of fraudulently acquiring sensitive information (e.g. passwords, credit card/banking information) by masquerading as a trusted company in an electronic communication – began to move into the spotlight of online fraud about four years ago. Even though there had been incidents of a similar nature in prior years, the last four years have seen a rapid increase in the activity, with financial institutions and payment services being the most popular targets.
When phishing began it was orchestrated using a very basic format. Typically attackers would use free Web page services to set up sites that would look like a legitimate bank or other type of company. These were relatively ineffective and simple to stop before a significant loss resulted. When this type of activity was identified, the Internet Service Provider (ISP) was contacted and the site shut down. Given the limited number of free Web page hosting services, phishing activities were confined and few people were aware of the problem.
The URLs for the most part were not even very convincing, so it was easy for any observant person to pick up on the anomalies. The URL for a standard phishing site was typically the IP address or domain name with a slight variation. For example, a legitimate bank site such as www.thebank.com could appear as www.thebank1.com or www.the-bank.com.
The main motivation for these early phishing attempts was acquiring credit card information. Online banking was still in its “larval” stages, so there was not much activity relating to stealing account information.
When a significant portion of banking activities moved online, this expanded the scope of personal information that could be captured by the attackers. This ability to gain more than simple credit card numbers has led to a serious upswing in the sheer volume – and complexity – of phishing sites. Sites started to become more sophisticated in their ability to mimic the legitimate site, fake URLs became less obvious than previous iterations and harder for users to identify, and triggers for noticing fraudulent sites were far less obvious.
Rather than simply setting up a single site, attackers were becoming increasingly sophisticated, setting up multiple pages to circumvent detection. Attackers would then operate one site, capture as much information as possible in a period of time and then move on.
To provide a sense of the growth in phishing today, the total number of suspected phishes submitted by the PhishTank (www.phishtank.com) community was 25,647 for the month of February 2007. Of those, 19,947 were verified as valid. In the month of May the number jumped to 53,263, of which 43,789 were verified.
It was in 2004 that we saw the genesis of the rock phish attack. The name stems from the first recorded attack in which attackers employed wild card DNS (domain name server) entries to create addresses that included the target’s actual address as a sub-domain. For example, in the case of a site appearing as www.thebank.com.1.cn/thebank.html, the “thebank.com” portion of the domain name is the “wild card”, meaning its presence is purely superficial – it is not required in order for the phishing page to be displayed. “1.cn” is the registered domain name, “/thebank.html” is the phishing page, and the combination of “1.cn/thebank” will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path. The first rock phishing attacks contained the folder path “/rock”, which led to the name of the attack as we know it today. To date, it is estimated that rock phishing has already cost businesses and consumers in excess of $100 million in damages, and it continues to grow.
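The two URL tricks described so far, the near-miss domain (www.thebank1.com, www.the-bank.com) and the wild card sub-domain that buries the real brand inside someone else's registered domain (www.thebank.com.1.cn/thebank.html), can both be caught by the same defensive check: work out which domain is actually registered, then ask whether the protected brand shows up anywhere other than that registrable domain. The following is an added example written for this article, not code from the original or from any vendor mentioned; the protected brand list, the tiny public-suffix table and the lookalike heuristic are all constructed assumptions, and a real deployment would load the full Public Suffix List and a richer set of brand variants.

```python
"""Flag URLs that carry a protected brand outside its own registered domain.

Added example for the article; the brand list, suffix table and heuristics
below are constructed assumptions, not production data.
"""
from urllib.parse import urlsplit

# Hypothetical brand we defend (the article's example bank).
PROTECTED_DOMAINS = {"thebank.com"}

# Minimal stand-in for the Public Suffix List. Two-label suffixes are listed
# first so that "x.com.cn" resolves to "x.com.cn" rather than "com.cn".
PUBLIC_SUFFIXES = ("co.uk", "com.cn", "com", "net", "org", "cn", "uk")


def registered_domain(host: str) -> str:
    """Return the registrable domain (suffix plus one label) of a host name.

    For "www.thebank.com.1.cn" the suffix is "cn" and the registrable domain
    is "1.cn": everything to the left of it is attacker-controlled labels.
    """
    host = host.lower().rstrip(".")
    for suffix in PUBLIC_SUFFIXES:
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            prefix = host[: -len(suffix) - 1]
            return prefix.rsplit(".", 1)[-1] + "." + suffix
    return host  # unknown suffix: treat the whole host as the domain


def _brand_label(domain: str) -> str:
    """'thebank.com' -> 'thebank'."""
    return domain.split(".")[0]


def _lookalike(candidate: str, brand: str) -> bool:
    """True when the candidate's leftmost label is a thin variation of the
    brand label: trailing digits appended ("thebank1") or hyphens inserted
    ("the-bank"). Deliberately narrow; a real filter would also use edit
    distance and homoglyph tables."""
    cand_label = candidate.split(".")[0]
    stripped = cand_label.replace("-", "").rstrip("0123456789")
    return stripped == brand and cand_label != brand


def assess_url(url: str) -> tuple[str, list[str]]:
    """Classify a URL as 'legitimate', 'suspicious' or 'unrelated'.

    Returns the verdict and the list of reasons behind a 'suspicious' call.
    """
    if "://" not in url:          # bare host/path as seen in e-mail bodies
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # drops userinfo and port
    reg = registered_domain(host)
    path_segments = [seg.lower() for seg in parts.path.split("/") if seg]
    reasons: list[str] = []

    for brand_domain in PROTECTED_DOMAINS:
        brand = _brand_label(brand_domain)
        if reg == brand_domain:
            continue  # served from the brand's own registered domain
        # Wild card trick: the full brand domain appears as sub-domain labels.
        if "." + brand_domain + "." in "." + host + ".":
            reasons.append(
                f"brand domain {brand_domain!r} appears as a sub-domain of {reg!r}")
        # Near-miss trick: the registered domain itself imitates the brand.
        elif _lookalike(reg, brand):
            reasons.append(
                f"registered domain {reg!r} is a variation of {brand_domain!r}")
        # Folder-path trick: the brand name is used to dress up the path.
        if any(brand in seg for seg in path_segments):
            reasons.append(f"brand label {brand!r} used in path under {reg!r}")

    if reasons:
        return "suspicious", reasons
    return ("legitimate" if reg in PROTECTED_DOMAINS else "unrelated"), []


if __name__ == "__main__":
    # Constructed sample URLs mirroring the article's examples.
    for sample in ("http://www.thebank.com/login",
                   "www.thebank.com.1.cn/thebank.html",
                   "http://www.thebank1.com/",
                   "https://www.the-bank.com/",
                   "https://example.org/"):
        verdict, why = assess_url(sample)
        print(f"{sample:45} {verdict:11} {'; '.join(why)}")
```

The key design choice is that the verdict is driven by the registrable domain, not by what the host name "looks like": the wild card form is flagged because thebank.com sits to the left of the registered domain 1.cn, while the genuine www.thebank.com passes because its registrable domain is the protected one. Running the check over URLs extracted from inbound mail or proxy logs gives a first-pass list of candidates to verify and report, which is the monitoring step the article argues for.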
Until this attack, phishing was becoming more pervasive, but was far from mainstream – in large part because free Web services only allowed for limited activities. More recently however, attackers have found a more surreptitious way to launch attacks through legitimate websites themselves by exploiting common vulnerabilities in the software running on the sites. Unlike popularized software applications that openly announce changes, automate updates and provide open access to programming tools, administrators often have to spend time seeking out Web software updates and security weaknesses. This delay in – or sometimes complete lack of – action provides ample opportunity for attackers to do considerable damage.
In addition, there has been a move to make website software more accessible to the non-technical user so they can create their own Web pages. The drop in the sophistication levels of webmasters makes the risk of rock phishing higher – and the opportunity to catch these sites and shut them down in a timely manner much lower.
At the same time, perpetrators for their part have taken it upon themselves to become well-versed in Web server technology. These are not the typical casual hackers that typified the “phisher kings” of past years. These are highly sophisticated, well educated, highly coordinated teams of people with exceptional technology skills.