Phishing Metamorphosis in 2007 - Trend and Developments

by Dancho Danchev [Published on 12 Dec. 2007 / Last Updated on 12 Dec. 2007]

An account of the trends and developments that phishers embraced during 2007, and of the driving factors behind the large percentage increases in phishing emails during the year.

During 2007, phishers demonstrated for yet another consecutive year their persistence and creativity in socially engineering as many people online as possible into believing they are who they pretend to be. Why did phishers embrace economies of scale during 2007, what factors contributed to the constantly shrinking time it takes a phisher to come up with a fake email, and why, despite all the public awareness devoted to the problem, do people still fall victim to phishing scams? This article aims to provide an overview of the key factors that contributed to the growth and evolution of phishing during the year.

The State of Phishing in 2007 - Standardizing Social Engineering

The latest report courtesy of the Anti Phishing Group provides some informative averages regarding the time a phishing site remains online, a key factor for the success of a phishing campaign. For instance, August's APG report states that the average time online for a site was 3.3 days, and the longest time online was 30 days. As you can imagine, the longer a phishing campaign remains online, the higher the probability that a recipient will land on a fully responding phishing page and thus get phished. Alongside the Internet community's collective intelligence on coordinating the timely shutdown of newly appearing phishing domains, there are vendors already trying to commercialize the process of shutting down phishing campaigns targeting their brand in particular. Such prioritization may indeed be financially justifiable in the wake of recently released survey results stating that a brand's customers lose trust when they receive a phishing email pretending to be from the company, something that happens so often that it takes a Brandjacking Index to keep track of all of these activities.

Security vendors, third-party research groups, and Internet community projects such as Phishtank are indicating an enormous increase in the number of phishing emails circulating in the wild, as well as in the unique domain names corresponding to them. This increase is mostly due to the following key concepts that I'll discuss in this article, namely: do-it-yourself phishing kits; the availability of phishing page templates for every financial and web company out there to be phished; and the consolidation between phishers, who excel at social engineering, and spammers, who excel at delivering segmented emails to better target recipients. All of this contributed to phishing's metamorphosis from a badly managed single-group operation to an efficiency-centered process including numerous domain farms, each of them hosting countless subdomains targeting different brands courtesy of the Rock Phish kit. Several years ago, the concept of anti-phishing toolbars started getting public attention given the lack of built-in browser protection that detects common phishing site characteristics; the current availability of browser protection from phishing attacks clearly demonstrates how big a problem phishing has become, especially with respect to the big picture of how it is undermining trust in E-commerce. Let's illustrate the problem and how it evolved by discussing some of its most important dynamics:

The Key Concepts Contributing to the Increase of Phishing Attacks

Consolidation with Spammers

If you think about consolidation, start by taking into consideration the ongoing one between spammers and malware authors that I discussed in a previous article, namely that spammers need the infrastructure to send out all the emails from, which they acquire from botnet masters or use on demand. Phishers need these very same prerequisites, and in fact this malicious ecosystem is getting harder to keep track of, since it is still unclear who is vertically integrating more than the others: are malware authors spamming for themselves looking for higher returns, are spammers also sending phishing emails in between malware, and how realistic is the situation where phishers are also sending banking trojans just in case the recipient does not fall victim to the phishing scam? One thing is certain: they are finding new and more effective ways to work together. What is it that a phisher may want from a spammer, and are these mutually exclusive parties or pretty much the same ones?

It is all a matter of perspective. A phisher would be interested in localization of the message in the local language, segmentation of the emails on a per-country basis, and perhaps even data mining social networking sites and the public web to come up with some sort of relationship between an email address and the brand that is about to get phished. Let's illustrate this. Consider a recipient who has absolutely no business relationship with the brand that is informing him of a "security incident that requires a verification of their accounting data". The recipient will not fall victim to this and will perceive it as a phishing email. Since phishers do not want this to happen, they will enjoy the benefits of the spammers' know-how in the form of segmenting the email databases they currently possess on a per-country, per-city basis, thereby improving the chances of a phishing email targeting a German bank, for instance, arriving in the mailbox of a native citizen.

DIY (do-it-yourself) Phishing Kits – Point’n’Click Phishing Email Generation

Lowering the entry barriers in the phishing scene is analogous to the lowering of the entry barriers in the malware scene, namely due to the introduction of DIY (do-it-yourself) phishing kits, which aim to save a significant amount of time for the phisher looking for an efficient way to insert the login-data forwarder into as many phishing page templates as possible. This is what DIY phishing kits are all about, and these kits turned into a commodity during the second half of 2007, with one of them already reaching a v.2.0 stage. Such kits make it possible for almost anyone to easily enter the phishing space, and thus they are directly responsible for the increase of phishing attacks. New versions with more advanced features, such as direct uploading of the phishing page to a syndicated set of URLs, are poised to follow given the success of the first two versions.

The Rock Phish Kit – Phishing Economies of Scale

There is a common misunderstanding regarding what Rock Phish is. Is it a phishing gang, or is it some kind of DIY phishing kit where phishers point'n'click to come up with the successful phishing campaigns you are hopefully aware of? The answer is that the Rock Phish Kit is a simple script with lots of variables, where the phishers take advantage of a single domain to come up with numerous subdomains mimicking different companies, each of them responding with a different phishing page targeting a different brand. Here's an example of a Rock Phish domain farm.

The following IP, 212.199.95.108, has been re-appearing on my radar for quite a while, and therefore it is a perfect example of a Rock Phish domain, namely a domain that is hosting multiple subdomains, each of them resolving to a unique phishing campaign and serving a unique, legitimate-looking phishing page. This is what sample Rock Phish URLs look like:

  • userconfirmationform-id91705.ebay.com.buhank.info
  • moneymanagergps.session-569906917.citizensbank.com.floher.biz
  • webinfocus.id-40462.mandtbank.com.hobotid.hk
  • myonlineaccounts5.abbey.co.uk.refid83617.njexnz3.xz.cn
  • nfbconnect-18108.northforkbank.com.stack.kg
  • onlinetreasurymanager-id9038673.suntrust.com.utr.hk
  • business-eb.bbt.com.mio23.mobi
  • id-57546.citizensbankmoneymanagergps.com.gkiier.hk
  • securelogin-03788828.moneymanagergps.com.dfv92.com
  • citizensbankmoneymanagergps.com.yrmat3.xz.cn

Monitoring Rock Phish domains is always informative, since the script powering hundreds of thousands of these phishing campaigns is slowly becoming the default phishing toolkit on a large scale. For instance, a couple of months ago the default message on each and every Rock Phish domain was "209 Host Locked", but since it became relatively easy to locate such domains, the phishers recently changed it to "66.1 Host Locked". Rock Phish's only weakness is its "efficiency approach": when the IP that is maintaining the domain farm is shut down, all the phishing campaigns hosted on it stop responding. Moreover, centralizing the phishing campaigns in such a way makes them easier to block.
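The naming pattern in the sample URLs above (a real brand domain such as ebay.com or abbey.co.uk buried inside the subdomain part of an unrelated registrable domain) can be turned into a simple detection heuristic. The following is an added example, not code from the article or from any anti-phishing vendor; the brand list and the tiny public-suffix table are constructed for this illustration and would be replaced by a full public suffix list in practice.

```python
"""Heuristic detector for Rock Phish style hostnames (added example).

Flags a hostname when a monitored brand's real domain appears as a run of
labels to the left of the registrable domain, e.g.
"userconfirmationform-id91705.ebay.com.buhank.info" -> brand "ebay.com"
under apex "buhank.info".
"""
from typing import Optional

# Constructed: the multi-label public suffixes needed for the sample URLs.
# A production version would load the full public suffix list instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "xz.cn", "com.cn"}

# Constructed: real domains of brands being monitored for abuse.
MONITORED_BRANDS = {
    "ebay.com", "citizensbank.com", "mandtbank.com", "abbey.co.uk",
    "northforkbank.com", "suntrust.com", "bbt.com", "moneymanagergps.com",
}


def registrable_domain(host: str) -> str:
    """Return the registrable (apex) domain of a hostname."""
    labels = host.lower().rstrip(".").split(".")
    # Two trailing labels normally; three when the suffix itself has two.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def embedded_brand(host: str) -> Optional[str]:
    """Return a monitored brand domain spelled out by subdomain labels, if any."""
    host = host.lower().rstrip(".")
    apex = registrable_domain(host)
    prefix = host[: -len(apex)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    # Check every contiguous run of labels left of the apex against the brands.
    for i in range(len(labels)):
        for j in range(i + 1, len(labels) + 1):
            candidate = ".".join(labels[i:j])
            if candidate in MONITORED_BRANDS:
                return candidate
    return None


def is_rock_phish_like(host: str) -> bool:
    """True when a monitored brand domain sits under a different apex domain."""
    brand = embedded_brand(host)
    return brand is not None and registrable_domain(host) != brand
```

A legitimate host such as signin.ebay.com is not flagged, because its apex domain is the brand itself; only hosts whose apex differs from the embedded brand match.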

Conclusion

It is very interesting to observe how much promotional effort financial institutions put into providing E-banking and E-transaction services, while on the other hand benefiting from the fact that it is the customer who has signed an agreement implicitly saying that the bank cannot be held liable for any fraudulent transactions. Phishing should not be treated as something different from spam. It is an unsolicited message, but compared to a spam message a phishing email can cause far more serious financial damage. The point is that it should not reach the user's mailbox, and it should not leave the infected host's network in the first place. Phishing is still largely in its 1.0 stage: it is a push approach of sending the emails to the victim, as opposed to more advanced approaches such as pharming.

Moreover, phishers, just like spammers, are very adaptive, and the very latest MySpace phishing campaign indicates their interest in combining different tactics, not just to establish more visual trust by using typosquatting, but also to remain beneath the vendors' radar. In the MySpace campaign they weren't spamming the phishing URLs, but posting them as internal spam comments, so that no vendor's sensor would ever pick them up. And despite the logical metamorphosis of phishing from a well-formulated direct-marketing message to its current mass-communication model, building awareness via a technological solution in the form of built-in browser protection is partly holding the gates for the time being. The "best" is yet to come.

The Author — Dancho Danchev

Dancho Danchev is an independent security consultant who has extensive experience with security practices such as penetration testing, malware, risk management, and strategic security consultancy. Besides his active contributions to the scene, Dancho is also involved in business development, marketing research, and PR activities for numerous organizations, both security and new media ones. He maintains a popular information security blog sharing real-time threat intelligence data with the rest of the world on a daily basis.