Phishing under the Microscope (Frequency-X Blog, 2007)
When discussing phishing, most people I meet are all too familiar with the spam-based email flooding their inbox and the cloned websites waiting out there to suck down their banking credentials and steal their identity. But many of them have no inkling as to the mechanics and logistical challenges behind the attack. In recent weeks you’ll have read some postings from me about phishing statistics and the use of kits to deploy an attack. What I’d like to do now is shed a little more light on the way in which professional phishing gangs organize their attacks.

The thing to remember is that professional phishing is a business. There are gangs out there whose sole occupation is to catch out the small percentage of people who fall victim to their electronic deception and fraud tactics. But you should also recognize that phishing is only one section on an organized crime conveyor belt.

Phishing Mechanics

Let’s take a step-by-step look at the mechanics behind many of the more voluminous phishing attacks conducted by “the professionals” in recent times. If it sounds like a recipe from a cookbook, that’s because it is – crime can also follow a copy-paste strategy.
Armed with this operational environment, the phishers can rapidly add additional bot-agents (or pick another botnet entirely) in whack-a-mole fashion as law enforcement shuts down each compromised host. If one of the registered domains is successfully taken down, the phishers merely use one of the others that are still up and proceed to register a few more. It’s probably worth noting that one of the ways in which we can identify one phishing gang from another is from the botnet proxies they use, for example discerning attacks conducted by the “Rock Phish” gang from numerous phishy clones and copy-cats.

Growth of Fast-flux

“Fast-flux” is a term that sprang up in early 2006 to encompass the evolution of the rapidly changing DNS resolution services used by the phishing gangs. With Fast-flux hosting, the DNS servers not only round-robin cycle through a list of A-records and NS-records, but they also assign very low TTLs to the records (typically sub-five minutes) – which redirect to their proxy bot-agents. This rapid cycling of DNS records means that the loss of a few hosts from the botnet doesn’t really result in much downtime in the phishers’ attack.

Taking down a Phishing Net

As you can probably see, taking down a phishing Web site is not as easy as many people think it is. The phishers have taken great care to build a resilient and scalable framework for their attacks. The key to taking down a “Phishing Net” really revolves around the closure of the DNS resolution services because, once shut down, the potential victims that received the phishing email can no longer find out the IP address of the fake Web site and therefore cannot be fooled into disclosing their confidential or personal information.
In order to take down a phishing domain that is using this arrangement of DNS resolution services or Fast-flux configuration, an organization needs to work closely with the registrar to erase the glue records of the name servers and to change the status of the domain (if an EPP domain) to “Client Hold” or “Client Update Prohibited” (or equivalent). If this is not done after erasing the glue records, the phishers’ system will automatically change to a new address without intervention from the registrar, and the takedown will fail.

It’s probably also worth noting that, from an internal corporate perspective, a lot of these automated phishing URLs (which make use of wildcard DNS for long host name resolution) can be trivially stopped just by enabling a filtering rule that limits the length of the host name within the URL to no more than four or five levels. For example, www.example.co.za would be OK, but www.mybank.co.uk.c001786.index.asp.hackhack.cc wouldn’t be.
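The host-name depth rule described above, as an added example that is not from the original post: it counts the DNS labels of each URL's host, treats IP literals and trailing dots as the edge cases a gateway filter has to get right, and blocks anything deeper than an assumed policy of five levels (the post says four or five).

```python
"""Host-name depth filter of the kind a corporate proxy or mail gateway could apply."""
from ipaddress import ip_address
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed policy value; the article suggests four or five levels.
MAX_LABELS = 5


def hostname_labels(url: str) -> List[str]:
    """Return the DNS labels of the URL's host, left to right.

    IP literals (v4 or bracketed v6) and URLs without a host return [], since
    they are not DNS names and should be judged by a different rule.
    """
    if "://" not in url:
        url = "http://" + url  # bare host names as they appear in mail bodies
    host = urlsplit(url).hostname  # drops scheme, userinfo, port and brackets
    if not host:
        return []
    try:
        ip_address(host)
        return []
    except ValueError:
        pass
    host = host.rstrip(".")  # a trailing dot is the same name, not an extra level
    return [label for label in host.split(".") if label]


def is_too_deep(url: str, max_labels: int = MAX_LABELS) -> bool:
    """True when the host name has more levels than the policy allows."""
    return len(hostname_labels(url)) > max_labels


def filter_urls(urls: List[str], max_labels: int = MAX_LABELS) -> Tuple[List[str], List[str]]:
    """Split a batch of URLs into (allowed, blocked) lists under the depth policy."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_too_deep(url, max_labels) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample: the article's two examples plus IP-literal and trailing-dot cases.
    sample = [
        "http://www.example.co.za/login",
        "http://www.mybank.co.uk.c001786.index.asp.hackhack.cc/index.asp",
        "http://192.0.2.10/",
        "http://[2001:db8::1]/",
        "https://a.b.c.d.e.f.example.com./",
    ]
    ok, bad = filter_urls(sample)
    print("allowed:", ok)
    print("blocked:", bad)
```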