Power of the masses
Another factor adding to the rock phishing phenomenon is the globalization of host sites. Whereas the vast majority of phishing websites were hosted in the U.S. (90 percent) and targeted U.S. banks, phishing has now expanded to global financial services entities from multiple host locations. The U.S. now accounts for only 25 percent of host sites, with South Korea at 25 percent, and China and Turkey at 12 percent, according to PhishTank. This in turn has provided a much larger playing field for rock phishers to cloak their activities.
As a result, perpetrators have now moved away from the standard phishing practice of registering a domain to resemble a bank or payment site (PayPal tops the list for phishing attacks) and engage in mass registrations of hundreds of domains. These are used either on a static IP network or to build a botnet of compromised machines that presents a constantly changing IP address which can’t be traced back to the perpetrator. In this scenario, the registered domains bounce back and forth between thousands of infected computers, making it almost impossible to contact the appropriate ISPs to help mitigate the damage. In some cases, by the time one ISP is contacted, the attack has already moved locations several times over.
This year, BD-BrandProtect witnessed an average of 350 domains involved in a typical rock phishing attack – which translates into 350 times the effort required to get it resolved. The highest seen to date is 613 targeting one specific client, but other financial organizations have been noted as being under attack for months on end.
Many of the domains are with registrars in locales such as China and Eastern Europe, making it even harder to gain traction with ISPs who have less freedom to take immediate action. Requests to disable sites in some regions can require a myriad of procedural steps through government agencies and law enforcement authorities. This further limits the ability to shut down rock phishers with any expediency.
The layer of complexity in dealing with rock phishing attacks is a relatively new challenge for the industry. With the right processes and tools in place, a rock phishing domain can be shut down within 24 hours of contacting the registrar. The challenge, however, is that the attacker continues to register domains while other sites are being shut down, so mitigation of rock phish attacks can take two weeks or more. It’s possible to find 10 domains used in an attack against a company and shut them down, only to discover 20 new ones. For the most part, however, these attacks can be demobilized in less than two weeks, if handled appropriately.
Honeypots to the rescue
In order to mitigate the risk of continued attacks, a honeypot strategy is employed. This involves seeding the Internet with many email addresses intended to attract large volumes of spam. This spam catcher, or honeypot, captures email messages from any new domains added to the rock phish attack as they appear so they can be neutralized immediately (the average life span for a rock phishing domain is 24 hours).
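One way a honeypot feed can be turned into a takedown list, as an added example that is not from the article or from BD-BrandProtect's tooling: it parses captured messages, pulls out every URL hostname, and reports only domains that are neither allowlisted nor already reported. The messages, domains and the "already reported" set are constructed, and the two-label domain rule is an assumed simplification of the public suffix list.

```python
import email
import re
from urllib.parse import urlparse

# Constructed sample messages, as seeded honeypot mailboxes might capture them.
# Every address and domain below is made up for the example.
HONEYPOT_MESSAGES = [
    "From: alerts@bank-secure-notice.example\nSubject: Verify your account\n\n"
    "Confirm your details at http://login.bank-secure-notice.example/verify now.\n",
    "From: billing@paymnt-update.example\nSubject: Payment on hold\n\n"
    "Review at https://paymnt-update.example/account and "
    "http://cdn.bank-secure-notice.example/img\n",
    "From: news@legit-newsletter.example\nSubject: Weekly digest\n\n"
    "Read more at https://legit-newsletter.example/digest\n",
]

# Constructed state: domains already sent to registrars/ISPs, and senders to ignore.
ALREADY_REPORTED = {"paymnt-update.example"}
ALLOWLIST = {"legit-newsletter.example"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_hosts(raw_message: str) -> set[str]:
    """Return every URL hostname found in the body of one captured message."""
    msg = email.message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (assumption: a real tool would
    use the public suffix list, since e.g. example.co.uk needs three labels)."""
    return ".".join(host.split(".")[-2:])


def find_new_domains(messages, reported, allowlist):
    """Map each not-yet-reported, non-allowlisted domain to the hosts seen under it."""
    new = {}
    for raw in messages:
        for host in extract_hosts(raw):
            dom = registered_domain(host)
            if dom in reported or dom in allowlist:
                continue
            new.setdefault(dom, set()).add(host)
    return new
```

Run against the constructed feed, only bank-secure-notice.example comes back, with both of its hosts, which is the item to hand to the registrar.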
The most nefarious aspect of rock phishing is that it is a system that can attack as many targets as it wants. There are even phishing kits that allow perpetrators to launch hundreds of attacks simultaneously. In the example above, 613 domains were used to host phishing sites targeting hundreds of different institutions. This is a very different scenario from what is typically witnessed when handling the average phishing attack.
Clearly, given the sophistication of rock phishing attacks, this is not a threat that can be handled simply through the addition of more sophisticated security policies. These attacks require a systematic approach, industry-specific expertise and a network of industry affiliations including global ISPs and law enforcement agencies. This must be coupled with an in-depth working knowledge of Web-based application vulnerabilities and an unrelenting effort to understand and adapt to the ever-changing landscape of threats in hopes of matching the sophistication of the attacks. Doing this will result in an effective force to combat these types of online threats.
Once criminals realize the full weight of the resources brought to bear on the threat shut-down process, they will quickly look for an easier target. Therefore, it is incumbent upon organizations to recognize that their online presence is an asset which is vulnerable to attack, to put in place the appropriate monitoring mechanisms, and to act immediately in the event of suspicious activity.
Author Dave A. Greenwood can be reached at: dgreenwood@bdbrandimensions.com