Rock Phishing

In association with heise online

Phishing gangs also rely increasingly on proxies and Fast-Flux services. Experts estimate that the highly successful phishing kit Rock Phish is now responsible for about half of all phishing sites. It differs from normal phishing tools mainly by separating the back end containing the actual phishing pages but without direct "customer contact" from a front end whose address gets circulated via emails. This front end usually consists of compromised systems with proxies which can easily be replaced.

The central Rock Phish server holds the actual phishing pages. Only the easily replaceable proxies are actually in contact with the victim.

In this way, a phisher can set up several crafted bank pages on one server without divulging their addresses and therefore without the need for bank-related names. The systems whose addresses will be visible to the victims, on the other hand, contain neither suspect web pages nor log files. An inconspicuous background service will be instructed to forward requests to the back end and return its responses.

In addition, versions of Rock Phish have emerged which operate with very short-lived DNS entries in Fast-Flux fashion and use hundreds of IP addresses. And this technique is scarily successful. The University of Cambridge Computer Lab has established that the average life span of Fast-Flux phishing domains is about eight times longer than classical phishing domains - about 19 days instead of two and a half days (454 instead of 58 hours [1]).

But money isn't always the direct object. Recently, a phishing attack using a Double-Flux network targeted the access credentials of MySpace users: The typosquatting name login.mylspace.com was resolved by ever-changing name servers which redirected it to varying proxy systems presenting seemingly genuine login pages.

American media even report that a similar attack in June compromised nearly 100,000 MySpace accounts via Fast-Flux servers. Yet again, MySpace was used as a test lab for a new worm species which spreads through a specific medium. The compromised accounts were immediately used to set up new phishing traps. When a link was clicked, it in turn opened a login page whose actual origin was masked by a Fast-Flux network.

Conclusion

Proxies and Fast-Flux networks increase the life span and therefore the earning potential of these criminals' main infrastructure. For the criminals it is consequently a highly profitable investment to convert their malware, and the necessary adaptations are already well under way.

The "good guys", on the other hand, who aim to shut down a botnet or phishing site are now not dealing with one single server, but with a Hydra whose heads renew continually. Efforts to shut down hundreds or even thousands of proxies would be doomed to fail.

Shutting down the central server in the background instead, however, requires additional investigation. First, one of the proxy bots needs to be traced via its IP address - this can be quite involved. Usually, providers will only reveal the names and addresses of their customers to criminal prosecutors when an official investigation has been launched. The investigators then have to analyse or confiscate the computer on site - usually in a different country. This computer will neither contain log files nor other traces of previous malicious activities. Therefore, investigators have to wait until the proxy service is reactivated. This already implies that investigators cannot hope to trace and shut down a malicious server within hours or days, but more likely within weeks or months.

The most important point of attack for shutting down a botnet or phishing site directly and quickly is, therefore, the Domain Name Service. After all, attackers have to use it for distributing their IP addresses. However, registrars often co-operate even less than web hosters when it comes to shutting down potentially misused resources within their field of responsibility. While to them the defendant is primarily a paying customer, the complainant is merely a troublemaker from outside. The central Austrian domain registrar NIC.at, for example, recently persistently refused to shut down more than 60 Rock Phish domains which were used for attacking banks [3]. (ju)