Rockphish

From Spamwiki



Description

Rockphish is one of the most prolific phishing methods currently in use.

Rockphish gangs purchase many domains from registrars that are slow to take down fraudulently registered domains. The domain purchases are usually paid for with stolen credit cards, which fraudsters sell to one another in the underground market. Other services such as web hosting are regularly purchased with stolen credit cards as well. The criminal gangs buy services in this manner in order to hide their own tracks.


The rockphisher typically runs its own DNS on large botnets located in different parts of the world. The rockphish websites themselves are also hosted on the botnet. The IP addresses sometimes change daily or even faster; this rapid changing of IPs is sometimes referred to as fast-flux. It is assumed that the rockphisher buys many domains from different registrars in the hope that, if only some domains are disabled, the rockphish botnet can stay online on the remaining domains, which are slower to be taken down because some registrars respond slowly to reports of fraudulent activity.
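As an added illustration of the fast-flux behaviour described above (this is example code written for this page, not anything from Spamwiki or from a rockphish kit), the following script scores a domain's resolution history for fast-flux indicators: many distinct addresses, addresses spread over many /24 networks, short TTLs, and answer sets that change between lookups. The DNS observations and the thresholds are constructed assumptions for the sample, not measurements of any real domain.

```python
"""Added example (not from the Spamwiki page): score a domain's DNS history
for fast-flux characteristics. The observations below are constructed
sample data, not real resolutions."""
from collections import defaultdict
from ipaddress import ip_network

# Each record: (time in seconds, domain, answer TTL, A records). Constructed
# sample: one domain rotating through many addresses with short TTLs and one
# ordinary domain with a stable answer. Addresses come from documentation and
# private ranges.
SAMPLE_OBSERVATIONS = [
    (0,    "flux-example.test", 180,   ["192.0.2.10", "198.51.100.7", "203.0.113.44"]),
    (600,  "flux-example.test", 120,   ["192.0.2.77", "198.51.100.9", "203.0.113.2"]),
    (1200, "flux-example.test", 300,   ["192.0.2.10", "203.0.113.91", "10.1.2.3"]),
    (0,    "stable.test",       86400, ["192.0.2.200"]),
    (3600, "stable.test",       86400, ["192.0.2.200"]),
]

# Thresholds are assumptions chosen for the sample; tune them against real data.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
MAX_MEAN_TTL = 300
MIN_CHANGE_RATIO = 0.5


def flux_metrics(observations):
    """Group observations per domain and compute fast-flux indicators.

    Returns {domain: {"distinct_ips", "distinct_nets", "mean_ttl",
                      "change_ratio", "fast_flux"}}.
    """
    by_domain = defaultdict(list)
    for t, domain, ttl, ips in observations:
        by_domain[domain].append((t, ttl, frozenset(ips)))

    report = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r[0])  # chronological order
        ips = set().union(*(r[2] for r in rows))
        # Count the /24 networks the answers span; one rotating botnet tends
        # to spread over many unrelated networks.
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        mean_ttl = sum(r[1] for r in rows) / len(rows)
        transitions = len(rows) - 1
        changed = sum(1 for a, b in zip(rows, rows[1:]) if a[2] != b[2])
        change_ratio = changed / transitions if transitions else 0.0
        report[domain] = {
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "mean_ttl": mean_ttl,
            "change_ratio": change_ratio,
            "fast_flux": (len(ips) >= MIN_DISTINCT_IPS
                          and len(nets) >= MIN_DISTINCT_NETS
                          and mean_ttl <= MAX_MEAN_TTL
                          and change_ratio >= MIN_CHANGE_RATIO),
        }
    return report


if __name__ == "__main__":
    for domain, metrics in flux_metrics(SAMPLE_OBSERVATIONS).items():
        print(domain, metrics)
```

In practice the observations would come from a passive DNS feed or from repeated resolver queries logged over hours or days; the four thresholds are only a starting point, and a single one of them (short TTL alone, for example) is not evidence of anything, since CDNs legitimately use short TTLs and multiple addresses.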


There is also a similar phishing technique called botnet phishing. In these cases, more IPs appear to be involved simultaneously. It is possible that this phishing gang is borrowing from the rockphish technique. In botnet phishing, usually only one spoofed brand is used.


PIRT Example

Characteristics

Directly accessing a rockphish domain will yield the error:

209 Host Locked

History

Rockphish was first noticed in 2005. At that time, Rockphish URLs contained /r1/ as a folder name, and because they appeared to be a bundled kit that more than one phisher could use, the name rockphish was applied to this type of phishing attack.


Because of the copycat nature of Rockphish kits, it is hard to know how many gangs are behind this prolific approach to phishing. There are approximately 8 ROKSO gangs who are listed with Spamhaus as being involved in phishing scams.


A number of registrars have been targeted by rockphish gangs; a partial list includes HKDNR (.hk), DNS.COM.CN Beijing Innovative (.cn), .NU Domains (.nu), and Register.com. The rockphisher buys hundreds or thousands of domains from such registrars that are slow in takedowns, and uses these domains both for the target URLs and for the nameservers of their botnets.


Spamhaus and Nic.AT issue

In June 2007, Spamhaus blocklisted a /24 IP address range of an Austrian registrar (.at) because Nic.at was not cooperating in a timely manner in shutting down fraudulent domain purchases. The Spamhaus Block List (SBL) record in question, SBL55483, details what Spamhaus volunteers did to persuade Nic.at personnel to respond promptly to requests for fraudulent domain takedowns. This issue gained some media attention, and Spamhaus issued a statement about it on its website. Many have been critical of Spamhaus' attempt to get the Nic.at registrar to disable the fraudulently purchased domains. As of July 2007, the Austrian registrar is disabling reported fraudulent domains more quickly than it had previously.


References:


Rockphish Example

A typical example of a rockphish URL reported in May 2007: http://session-02954047.nationalcity.com.sixpost.cn/corporate/onlineservices/TreasuryMgmt/

This URL contains a domain (sixpost.cn) fraudulently purchased through the registrar TodayNIC. This particular phish was spoofing Regions Bank. The rockphish gang has spoofed many dozens of banks, as well as PayPal and eBay. Rockphish and its variants create many URLs similar to this one in order to evade filtering and blacklisting, and run a large number of phishing sites on their botnets. A security blog reported a "Rockphish attack that generated some 2,000 unique phishing Web addresses in just two days."
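The URL above shows the structure that makes these phishes recognisable to a filter: the spoofed brand appears as a subdomain label, together with a TLD-looking "com" label, under an unrelated registrable domain. The following script, an added example written for this page rather than code from Spamwiki or from any phishing kit, splits a hostname into its registrable domain and subdomain labels and flags that pattern; it also checks the path for the /r1/ folder marker mentioned in the History section. The tiny suffix table and the brand keyword list are constructed assumptions (a real deployment would load the Public Suffix List and a full brand watch list).

```python
"""Added example (not from the Spamwiki page): triage a URL for the rockphish
hostname pattern, where a bank's brand sits in the subdomain part of an
unrelated registrable domain."""
from urllib.parse import urlsplit

# Constructed, deliberately small public-suffix table (assumption); a real
# deployment would load the Public Suffix List instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "cn", "com.cn", "hk", "com.hk", "nu", "at"}
# Constructed brand keywords; the real watch list would be far longer.
BRAND_KEYWORDS = {"nationalcity", "regions", "paypal", "ebay"}


def split_host(host):
    """Return (registrable_domain, subdomain_labels) using PUBLIC_SUFFIXES."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest suffix match first ("com.cn" before "cn")
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):]), labels[:-(n + 1)]
    return host.lower(), []


def inspect_url(url):
    """Heuristic triage of one URL; returns indicators and an overall verdict."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    registrable, subs = split_host(host)
    owner_label = registrable.split(".")[0]
    # Brand keyword present in the subdomain labels but absent from the
    # registered domain itself (nationalcity under sixpost.cn).
    brands_in_subs = sorted(b for b in BRAND_KEYWORDS
                            if any(b in s for s in subs) and b not in owner_label)
    # A TLD-looking label inside the subdomain ("...nationalcity.com.sixpost.cn").
    tld_in_subs = any(s in PUBLIC_SUFFIXES for s in subs)
    # Early rockphish URLs used /r1/ as a folder name (see History above).
    kit_marker = "r1" in parts.path.split("/")
    return {
        "host": host,
        "registrable_domain": registrable,
        "brands_in_subdomain": brands_in_subs,
        "tld_in_subdomain": tld_in_subs,
        "kit_marker": kit_marker,
        "suspicious": bool(brands_in_subs) or tld_in_subs or kit_marker,
    }


if __name__ == "__main__":
    for u in ("http://session-02954047.nationalcity.com.sixpost.cn/corporate/onlineservices/TreasuryMgmt/",
              "https://www.nationalcity.com/corporate/"):
        print(inspect_url(u))
```

The useful output is the registrable domain: it is the part the phisher actually paid for and the part a takedown request has to name, whereas the brand-bearing subdomain labels can be regenerated by the thousands, which is exactly why blacklisting full URLs keeps falling behind.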


Rockphish domain watch on DSLReports: this thread has near-daily updates showing various rockphish domains and their botnet variants.


Sources
