Antiphishing filters basically work eitheron block listing or on heuristics. "Rock phish" attacks are quite arecent phenomenon that has posed a major challenge to both of the abovementioned antiphishing filters, simply because the unique structure ofa Rock phish attack circumvents antiphishing filters. This phishingtechnique can be traced back to somewhere around August 2006. The URLstructure was comparatively simpler then, consisting of a randomizedroot domain and three sub folders. But the principle cause in therecent surge in the number of such attacks is traced to the botnetphenomenon. So, what then is so special about Rock phish? Well, thistechnique has a trademark method of striking naïve targets.
The URLs that navigate to the fraudulent Web sites have a uniquestructure. For example, the structure of this URL is Rock phishingspecific: http://www.xxx.xxx.user123990.com/login/challange/2b593cba/login.php.As a matter of fact, it gets extremely difficult to judge between alegitimate site and a fraudulent one unless you look closely at theroot domain, which is "user123990.com" as highlighted in the URL above.The root domain comes before the first forward slash (/) in a URL.
To attempt to get to your money the Rock phish community offraudsters begins their spade-work through botnets that releasemillions of spam mails containing a message from a financialinstitution, hopefully enticing you to click on a fraudulent URLmentioned in the mail. The prey falls into the trap by doing so. Thenfollows the second stage wherein the prey is lured into giving upconfidential data that could be a login password, bank info, creditcard details, or a social security number, etc. Within an instant thewhole drama is complete, the coveted data is obtained, and your moneyis siphoned out.
Given below is a set of fraudulent Rock phish URLs to get your eyes accustomed to their structure:
1. http://XXX.xxx.xxx.ebank-service.com.nubi.signin138003006.aspx.vdw3.com/Secure_Authentication.htm
2. http://XXX.de.e-koy.com.es/kundendienst/anfang.cgi/frame4.htm
3. http://XXX.de.fmkmemw.hk/kundendienst/anfang.cgi/frame4.htm
4. http://XXX.com.refid02854442.gopo45.li/service/default.aspx/refererident.htm
5. http://XXX.co.uk.legalidport.hb.cn/securesession/action.aspx
6. http://XXX.XXX.com.36343477.sapisss.eu/sc/saw-cgi/xxxISAPI.dll/index.php
Because the root domain is the unique feature of Rock phishing, let's delve deeper into their specific characteristics:
1. The root domain is recently created.
2. The registration is done in a randomized country domain, especially some of those that aren't under the antiphishing group's watch or that of law enforcement agencies.
3. The name server is another important point to be noted.
Domain Name: FMKMEMW.HK
Domain Name Commencement Date: 09-11-2007
Country: HK
Expiry Date: 09-11-2008
Re-registration Status: Complete
Company Name: YAN IUAN HO
Name Servers Information:
NS1.POLO456.COM
T1.BAR-BAR-COM.COM
DOT2.VILOPR.CN
It is interesting to note that before these bogus domains areidentified and blocked, fraudsters have already done the damage.Looking at the Rock phish URL more carefully you will see some randomnumbers with a few alphabet characters in it. These are alphanumericfigures. Such a methodology is used to randomize and make the URLstring unique, complex, and difficult to differentiate from alegitimate one. By the way, such alphanumeric figures are widely usedin legitimate URL strings as well. The makers of Rock phish exploitthis common practice to the best of their advantage.
Now there are Rock phish fraudulent URLs that have blended threats,such as Trojan programs, viruses, and malware embedded in them that canseverely damage computers. One suchexample—hxxp://xxx.session-12034016.xxx.bank.com.modid7.li/forms/clientcare.apx/—containsTrojan-Spy.HTML.Bankfraud.sp.
So we could easily expect a pandemic type of situation in the nearfuture. If Rock phish emanates from botnets, then we need to be wary ofbotnets that stealthily enter computers through social networking,pirated software, free downloads, and other tricks such as fakesecurity updates for commonly used software.
In conclusion, we can say that Rock phish URLs are engineered withspecific brands in mind. A clear pattern seems to be panning out intheir attacks. After meticulous observation, we can safely concludethat the makers of Rock phish have certainly revolutionized the art ofphishing. They are sophisticated and hardcore technicians and arematuring to be experts in the field of spam and fraud. They certainlyseem to be advanced in technology, using fast flux architecture tochange name servers and site location in an instant, automating proxyservers to such an extent that if one is downed it automaticallyswitches on to the next. Thus, they are able to lengthen the life spanof Rock phish URLs and make them stealthier. Therefore, it isabsolutely necessary for everybody to become well acquainted with Rockphish to prevent becoming their next victim.
Note: My thanks to Christopher Mendes, Sr. Analyst in Security Response, for his hard work in analyzing this threat.