The group known as the Rock Phish gang has, through solid technology development, efficient systems set-up and skilled deployment, built an attack methodology that makes its fraudulent-access efforts far harder to trace and defend against, according to MarkMonitor, a leading player in enterprise brand protection and anti-phishing.

In the early days, phishing was little more than a loosely-targeted social engineering scam that added to the volume of spam reaching our inboxes. Much of it was low-quality, untargeted and easy to spot, provided, of course, that we as individual users had been educated to understand what phishing attacks were intended to do.

Today we have targeted spear phishing, man-in-the-middle attacks, drive-by phishers and, of course, pharmers: an eclectic mix of attackers intent on getting their hands on our personal and financial information.

This year, Rock Phishers have been seen employing several techniques that make them harder to defeat than earlier forms of phishing attack. They use an elaborate, multi-tiered attack model. First, they use the stolen credentials of their victims to register multiple domain names at multiple registrars. They then host their own authoritative DNS servers for those fraudulently registered domains, using wildcard records so that any hostname under a domain resolves to the same set of IP addresses. Those IP addresses belong to compromised PCs (a botnet), which act as proxies to the back-end servers that host the phishing pages for 20 or more fake websites.

In this distributed architecture, each layer of the infrastructure (DNS, proxy and back-end server) has multiple redundancies and multiple variations, and the operational advantage currently appears to lie with the phishers. A traditional phishing site can generally be defeated simply by removing the hosting website or domain, whereas with the Rock Phish approach the sites share hosts and domains: if one is removed, the site simply continues to operate through another.
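The two properties described above, wildcard DNS under each registered domain and many domains fronting the same proxy IPs, are also what lets a defender recognise and group Rock Phish infrastructure instead of chasing one URL at a time. The script below is an added example, not MarkMonitor's or Butler Group's code: it probes a random label under a domain to detect a wildcard record, clusters observed hostnames by shared IP addresses, and shows which proxies remain reachable after one domain is suspended. The hostnames, labels and addresses are constructed for the example, and the toy resolver stands in for live DNS lookups.

```python
import secrets
from collections import defaultdict

# Constructed stand-in for live DNS.  Domains, labels and addresses are
# invented for this example; the zones below answer the same IPs for ANY
# label, which is what a wildcard A record does.
WILDCARD_ZONES = {
    "secure-login-example.test": ["198.51.100.10", "198.51.100.11"],
    "account-verify-example.test": ["198.51.100.11", "203.0.113.5"],
}
# A zone with explicit records only: unknown labels get NXDOMAIN.
EXACT_RECORDS = {
    "www.legit-bank-example.test": ["192.0.2.20"],
}


def resolve(hostname):
    """Toy resolver: A records for hostname, or [] to model NXDOMAIN."""
    if hostname in EXACT_RECORDS:
        return list(EXACT_RECORDS[hostname])
    for zone, ips in WILDCARD_ZONES.items():
        if hostname == zone or hostname.endswith("." + zone):
            return list(ips)
    return []


def registered_zone(hostname):
    """Last two labels.  A simplification: real code would consult the
    public suffix list to handle TLDs such as co.uk."""
    return ".".join(hostname.split(".")[-2:])


def looks_wildcarded(hostname, resolver=resolve):
    """Probe a random label under the zone.  A normally configured zone
    returns NXDOMAIN; a wildcard record answers with the same IPs the
    phishing hostname resolved to."""
    probe = secrets.token_hex(6) + "." + registered_zone(hostname)
    probe_ips = set(resolver(probe))
    return bool(probe_ips) and probe_ips == set(resolver(hostname))


def cluster_by_shared_ips(hostnames, resolver=resolve):
    """Union-find over hostnames: any IP that serves two names links them.
    Returns the clusters as sorted lists, so the output is deterministic."""
    parent = {h: h for h in hostnames}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_ip = defaultdict(list)
    for h in hostnames:
        for ip in resolver(h):
            by_ip[ip].append(h)
    for members in by_ip.values():
        for other in members[1:]:
            parent[find(other)] = find(members[0])

    groups = defaultdict(set)
    for h in hostnames:
        groups[find(h)].add(h)
    return sorted(sorted(g) for g in groups.values())


def proxies_still_reachable(hostnames, removed, resolver=resolve):
    """IPs of the suspended hostname that other observed hostnames still
    resolve to.  Non-empty means the takedown left the proxy tier intact."""
    remaining = {ip for h in hostnames if h != removed for ip in resolver(h)}
    return sorted(set(resolver(removed)) & remaining)


# Constructed observations, as a feed of phishing URLs would supply them.
OBSERVED = [
    "k3j2.secure-login-example.test",
    "q9x.account-verify-example.test",
    "www.legit-bank-example.test",
]

if __name__ == "__main__":
    for h in OBSERVED:
        print(h, "wildcard" if looks_wildcarded(h) else "explicit")
    print(cluster_by_shared_ips(OBSERVED))
    print(proxies_still_reachable(OBSERVED, "k3j2.secure-login-example.test"))
```

Run against the constructed data, the two phishing hostnames are flagged as wildcarded and land in one cluster because they share a proxy address, while the legitimate hostname stays separate. Suspending the first domain leaves that shared proxy reachable through the second, which is the point of the article: a takedown has to target the whole cluster (proxies, back-end and all registered domains), not a single domain.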

A comparison of lifetimes between traditional phishing sites and Rock Phish domains is telling. Sites hosting conventional phishing attacks stay up for around 58 hours on average, whereas Rock Phish domains are said to last close to double that, at over 94 hours.

MarkMonitor, which has developed its own anti-phishing strategy to deal with Rock Phish attacks, claims to have seen as many as 5,000 unique URLs targeting a single organization within one month, and estimates that approximately 50% of all active phishing URLs are now linked to the Rock Phish approach. It also recognizes that the approach is growing in intensity, and that other players in the marketplace are likely to note its success and adopt copycat approaches to improve their own attack efficiency.

Whether an attacker's IT skills are advanced or extremely basic, the phishing marketplace appears to have a delivery model to suit. It is easy to get carried away with the technology hype that accompanies each new form of threat. On the other hand, it is also clear that the need for improved defense techniques must be properly addressed to combat the technology-driven approach of the Rock Phishers.

More could also be done to help individuals help themselves. Most phishing attacks rely on a lack of understanding on the part of the recipient, a situation that could be significantly improved through education, especially if financial institutions and the mainstream media worked together to provide better information on the subject.

Source: OpinionWire by Butler Group (www.butlergroup.com)