funsec mailing list archives

Phishing: Peeling The Covers Off of Rock


From: "Fergie" <fergdawg () netzero net>
Date: Fri, 6 Apr 2007 21:03:46 GMT


Very nice write-up, Jose!

Via the Arbor Networks Security Blog.

[snip]

For the past couple of years, at least, we have been watching a
sophisticated, disciplined phishing scheme targeting dozens of banks around
the world. By some estimates, “Rock” is responsible for about half of
all phishing in the world. Rock phishes have a pretty simple set of
characteristics to them:

* They are advertised in image spam, using junk text and a link in the
image to the phishing site.
* Each phishing site has a number of unique URLs pointing to it, each URL
with minor hostname variants to confound blacklists. Each URL is spammed in
limited quantities to make blocking and URL sharing harder without a lot of
visibility.
* Each phishing host just silently proxies the attack to a central phishing
server to ease data collection.
* DNS resolution of those URLs changes several times an hour.
* Rock phish events target dozens of brands at once.
* Rock phish URLs have a characteristic structure to them (too complex to
describe here).


The Rock phish kit is not publicly available, does not appear to be in use
by anyone else (although some basic copycats are emerging), and has a scale
far beyond any other phishing schemes. It’s not to say that people
haven’t been investigating, the data is just limited and peeling back the
layers is tough.

[snip]

More:
http://asert.arbornetworks.com/2007/04/peeling-the-covers-off-of-rock/

- - ferg



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
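Two of the Rock characteristics quoted above (many URLs with minor hostname variants pointing at one site, and DNS resolution that changes several times an hour) lend themselves to simple defender-side correlation. The following is an added example, not code from this post or from Arbor Networks; the URLs, hostnames, addresses and the passive-DNS observations are constructed, and the registered-domain heuristic is a stated approximation.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample URLs: one campaign under several hostname variants
# and path counters on one registered domain, plus an unrelated URL.
SAMPLE_URLS = [
    "http://r1.session-77.bankphish-example.net/r1/brand/index.php",
    "http://r2.session-42.bankphish-example.net/r2/brand/index.php",
    "http://login9.bankphish-example.net/r3/brand/index.php",
    "http://www.news-example.com/story/2007/rock.html",
]
# Constructed passive-DNS observations: (unix_time, hostname, A record).
SAMPLE_DNS = [
    (1000, "login9.bankphish-example.net", "192.0.2.10"),
    (1600, "login9.bankphish-example.net", "192.0.2.11"),
    (2200, "login9.bankphish-example.net", "198.51.100.5"),
    (2800, "login9.bankphish-example.net", "203.0.113.7"),
    (1000, "www.news-example.com", "192.0.2.50"),
]

def registered_domain(host):
    # Assumption: the last two labels approximate the registered domain
    # (production code would consult the public suffix list instead).
    return ".".join(host.lower().split(".")[-2:])

def path_shape(path):
    # Collapse digit runs so /r1/brand/ and /r2/brand/ share one shape.
    return re.sub(r"\d+", "N", path)

def cluster_urls(urls):
    """Group URLs that differ only by hostname variant or path counter."""
    clusters = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        key = (registered_domain(parts.hostname), path_shape(parts.path))
        clusters[key].add(parts.hostname)
    return {k: sorted(v) for k, v in clusters.items()}

def flux_hosts(observations, window=3600, min_changes=3):
    """Hosts whose A record changed >= min_changes times within `window` s."""
    by_host = defaultdict(list)
    for ts, host, ip in sorted(observations):
        by_host[host].append((ts, ip))
    flagged = set()
    for host, seq in by_host.items():
        for i, (t0, _) in enumerate(seq):
            in_window = [ip for ts, ip in seq[i:] if ts - t0 <= window]
            changes = sum(a != b for a, b in zip(in_window, in_window[1:]))
            if changes >= min_changes:
                flagged.add(host)
    return sorted(flagged)
```

Clustering by registered domain plus digit-normalised path collapses the spammed variants into one blocklist entry, while the flux check flags only hosts whose answers churn inside the hour rather than any host that ever re-resolved.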
