Understanding and Combating Rock Phishing

Online fraud scams continue to grow by 15 percent per quarter, targeting financial institutions of all sizes as well as e-commerce venues. The direct cost to financial and e-commerce industries is significant — estimated by some analysts in the billions of dollars in 2006 alone.

One type of phishing attack has been particularly effective — the rock phish. It’s estimated that rock phishing accounts for roughly half of all phishing attacks (as measured by the number of unique URLs) and, according to some, is responsible for upwards of US$100 million in fraud losses per year.

What is ironic is that no one is completely certain as to who is responsible for these attacks. Wikipedia incorrectly refers to rock phish as a software phishing kit, whereas most security companies believe it’s the work of one group working out of Eastern Europe.

Rock Phish History

In 2005, a particularly nefarious group of phishers came to be known as the “Rock Phish Gang.” The name comes from the fact that early versions of their phishing attacks included the word “rock” in the URL (uniform resource locator).

The text is no longer present in their attacks, but the rock phish gang is still out there and continues to be a formidable menace to banks and other organizations. The rock phish gang has targeted national and regional banks throughout the U.S., Europe and Latin America.

In recent months, they’ve broadened their scope to include online brokerages, information services, treasury management companies and even social networking sites.

What Makes Them So Effective?

Like most phishers, the rock gang sends massive amounts of phishing e-mails to huge volumes of Internet users. There is evidence that they cycle through multiple e-mail lists and attempt to reach the Internet users most likely to use the brands which they are targeting.

Unlike most phishers, they don’t compromise a Web server and install a phishing site. Instead, an elaborate process is implemented whereby multiple domain names are registered at multiple registrars — often with less known country-code based top-level domains.

Multiple DNS (domain name system) servers are also set up, which provide names to IP (Internet Protocol) services for the pool of domain names. The IP addresses used — and there may be upwards of 100 a time — point to multiple compromised servers that simply forward Web connections to the real phish sites. These proxy servers typically handle connections for multiple targets at a time.

For example, we have seen instances of a single proxy server connecting to phishing sites for four different banks and two other types of organizations. The result of implementing a distributed architecture is that attacks can continue unfettered when any one element of the system is shutdown.

An additional tactic used by the rock phishers is the use of variations of the same URL to make site blacklisting a less attractive countermeasure. We have seen as many as 5,000 unique URLs in a one month period targeting a single organization.

Example of rock phish URLs:

• http://welcome23.bank.com.cbibsweb168st.ottolpre.info/confirm/submit.do/
• http://welcome24.bank.com.cbibsweb59121j.ottolpre.info/confirm/submit.do/
• http://welcome22.bank.com.cbibsweb146121k.ottolpre.info/confirm/submit.do/
• http://welcome24.bank.com.cbibsweb574721a.ottolpre.info/confirm/submit.do/

How to Combat Rock Phishing

Despite the sophistication of the rock phish group, a multi-layered approach shows success in mitigating their ability to steal credentials. As long as consumers are willing to divulge their credentials, there’s no silver bullet to defeat phishing, but there are a number of things that targeted organizations can do to make a big difference.

1. Implement an SFP (sender policy framework) or Domain Keys on your e-mail system. More and more, ISPs (Internet service providers) are rejecting, or at least sending to the spam folder, e-mail that fails SPF or Domain Key authentication. By implementing SPF or Domain Keys, you prevent users from receiving phishing e-mails.
2. Make it easy for users and the general public to report phishing to you. Please publish an e-mail address or a link to a Web form to report fraud on the home page of your e-commerce site. Place it so that anyone (customers and visitors) who visits your site can easily report fraud.

   Even if your users are not the most technically adept at identifying phishing e-mails, there are enough savvy Internet users who aren’t your customers who will see the phish site and want to report it. If you bury the information about how to report fraud three layers deep on your Web site, you won’t receive as complete and timely information about phish scams.

3. Make your e-commerce site less attractive to the bad guys. Fraudsters target banks for two reasons: the number of your users who are willing to divulge their credentials makes it worthwhile, and it’s easy for them to move money through your e-commerce site.

   Invest in back-end systems and processes so that you have visibility into how the bad guys are using your system. Are they transferring funds out via bill payment systems, ACH (Automated Clearing House) transactions, transferring funds to other accounts under their control, or something else? Once you know which system features they’re using, you can determine if you can make it more difficult for the phishers to use that feature without significantly impacting your customers.

4. Invest in user education. User education isn’t a panacea but can be relatively inexpensive to implement and still contribute to a reduction in fraud losses. It also shows your users that you’re aware of security issues and you value their trust and are taking steps to protect them. Avoid using e-mail education campaigns if possible.
5. Partner with an experienced third party anti-phishing provider. Form a strategic relationship with an experienced company that has a proven track record in responding to rock phish attacks. Work with them so they can develop a solution based on your risk profile that will help mitigate the effects of their attack. Finally, make sure you’re your strategic anti-phishing partner can coordinate activities on behalf of several targeted organizations to maximize the effectiveness of countermeasures.