‘Rock Phish’ Innovates ‘Fast Flux’ to Craft Elusive Phishing Sites
The 'Rock Phish' group continues to find innovative ways to operate and is now using the 'fast flux' method to avoid detection, according to a new security study.
Security researchers Tyler Moore and Richard Clayton of Cambridge University tried, during February-April 2007, to locate the sources of 30,000 phishing cases that had arrived during January-March 2007 through PhishTank, an organization that tracks and clears phishing sites. The researchers found that Rock Phish was linked to the 'fast flux' method. PC World reported this on October 4, 2007.
The researchers set down their observations in a paper titled "Examining the Impact of Website Takedown on Phishing". Moore, who is a PhD candidate in Computer Science, presented the paper in Pittsburgh at the APWG (Anti-Phishing Working Group) eCrime Researchers Summit on October 4, 2007.
Moore and Clayton's findings suggest that the Rock Phish group and the fast flux method represent the most successful phishing attacks so far. If Rock Phish is allowed to continue with fast flux, it will become hard for researchers to bring down the number of phishing incidents and to identify the offending parties.
Apart from the connection between Rock Phish and fast flux, Moore and Clayton's research also revealed that the phishing sites Rock Phish created stayed active longer than common phishing sites. As a result, the group has more opportunity than the average phisher to trap unsuspecting Web surfers in its nets.
It is not clear whether Rock Phish is a collective of people or a single person, but according to security researchers, Rock Phish is responsible for one-half of all phishing incidents on the Internet. In the fast flux method, phishers associate a number of IP addresses with a single domain name. They then keep switching the domain between those Internet Protocol (IP) addresses, which makes identifying or shutting down the phishing Websites difficult.
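To make the mechanism just described concrete from the defender's side, here is an added example (not code from the article or from Moore and Clayton's paper) that applies a simple fast-flux heuristic to constructed DNS-resolution records: a hostname that keeps resolving to many different addresses in unrelated networks, with short TTLs, is flagged for review. The hostnames, addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed resolution records: (domain, answer IP, TTL in seconds), in the order a
# resolver saw them over repeated lookups. Addresses are made-up private-range values;
# the many different second octets stand in for "many unrelated networks".
SAMPLE_RESOLUTIONS = [
    ("secure-login.example", "10.7.33.12", 180),
    ("secure-login.example", "10.19.4.200", 180),
    ("secure-login.example", "10.7.33.12", 180),
    ("secure-login.example", "10.88.120.9", 120),
    ("secure-login.example", "10.140.2.77", 120),
    ("secure-login.example", "10.201.65.3", 300),
    ("secure-login.example", "10.19.4.200", 300),
    ("secure-login.example", "10.55.9.14", 120),
    ("www.example-shop.test", "10.10.10.5", 86400),
    ("www.example-shop.test", "10.10.10.5", 86400),
    ("www.example-shop.test", "10.10.10.6", 86400),
]

@dataclass
class FluxStats:
    domain: str
    distinct_ips: int
    distinct_prefixes: int   # distinct /16 networks, a rough proxy for unrelated hosts
    min_ttl: int
    suspected_fast_flux: bool

def summarize(records, min_ips=5, min_prefixes=3, max_ttl=300):
    """Group resolutions by domain and apply a fast-flux heuristic.
    The thresholds are assumptions for this example, not values from the paper."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        ttls[domain].append(ttl)
    results = {}
    for domain, addresses in ips.items():
        prefixes = {ip_network(f"{ip}/16", strict=False) for ip in addresses}
        min_ttl = min(ttls[domain])
        flagged = (len(addresses) >= min_ips and len(prefixes) >= min_prefixes
                   and min_ttl <= max_ttl)
        results[domain] = FluxStats(domain, len(addresses), len(prefixes), min_ttl, flagged)
    return results

if __name__ == "__main__":
    for stats in summarize(SAMPLE_RESOLUTIONS).values():
        print(stats)
```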
The criminal group's activities first emerged towards the end of 2004. The group was called 'Rock Phish' because the URLs (Uniform Resource Locators) of its phony sites contained a subdirectory with the distinctive name 'rock'. However, when phishing filters started to search for the word and block the associated sites, Rock Phish abandoned the technique.
SPAMfighter News - 18-10-2007