NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0487 New Phishing Technique:
Industry researchers have found a new phishing technique that uses elements of a malware attack to
steal personal information. The technique was used in a series of operations by the Rock Phish group -
a phishing gang believed to be based in Russia that has targeted financial institutions since 2004.
A report states that Rock Phish operations have stolen tens of millions of dollars from bank
accounts. Victims of these operations typically have their personal data stolen and their
machine infected by the Zeus Trojan.
The Rock Phish group has pioneered several new approaches in phishing. In 2004, it was the
first group to employ botnets in its phishing infrastructure, which allowed for longer duration,
more scalable attacks, and new techniques in evading spam filters.
The latest tactic dupes the victim into going to a phishing site, where the victim is infected with
the Zeus Trojan. The Trojan, which is masked, takes screen shots, takes control of the victim's
machine, and steals passwords, according to the report.
(zdnet.com 21APR08)
A recent surge in phishing is the handiwork of Rock Phish, a small, shadowy cyber gang. Zulfikar Ramzan,
senior principal researcher at Symantec's Security Response Group says this group of technically savvy
hackers who oversee phishing web sites and provide phishing tools on the internet is "the major driving
force behind a worsening situation, and they are difficult to track down." Rock Phish attacks employ web
addresses containing the names of real businesses, such as Bank of America, that are interspersed with
random numbers. The addresses appear authentic and are difficult to detect by anti-phishing defenses,
said Paul Wood, a senior analyst at email security firm MessageLabs. A common Rock Phish tactic is to
register new phishing addresses in rarely used country domains, such as Moldova (.md) and Sao Tome and
Principe (.st). Before the bogus domain names are detected and removed, so-called Rock Phishers have
already duped people and stolen their personal information, which is collected and funneled to a central
computer server, Wood says.
So far, the criminal enterprise has victimized customers of US and European financial institutions,
such as Citibank and Barclays, as well as popular phishing targets eBay and PayPal, said Dan Hubbard,
senior director of security and technology research at security firm Websense.
The gang is also targeting the commercial accounts of small and large businesses, said Fred Felman, chief
marketing officer at security company MarkMonitor, who estimates that 77% of all active phishing sites are
linked to Rock Phish and its methods.
Rock Phish got its name because of its use of the word "rock" in the web addresses of phishing web sites,
according to an article. It is believed to be in Eastern Europe, based on the widespread availability of
its phishing tools on web sites hosted in that region.
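The advisory names four observable traits of Rock Phish URLs: a real brand name embedded in the address and interspersed with random numbers, registration under rarely used country domains such as .md and .st, and the "rock" token that gave the group its name. The following Python script is an added illustration (not part of the advisory, and not a tool from any of the companies quoted) of how a mail or proxy gateway could score URLs on those indicators for triage. The brand-to-domain table, the scoring weights, the threshold, and the simplified registrable-domain logic are all assumptions chosen for this example; the sample URLs are constructed and do not correspond to real sites.

```python
import re
from urllib.parse import urlparse

# Brands the advisory lists as Rock Phish targets, mapped to domains they
# legitimately use. Assumed/illustrative table; a production system would
# maintain this list from an authoritative source.
BRAND_DOMAINS = {
    "bankofamerica": {"bankofamerica.com"},
    "citibank": {"citibank.com", "citi.com"},
    "barclays": {"barclays.co.uk", "barclays.com"},
    "ebay": {"ebay.com"},
    "paypal": {"paypal.com"},
}

# Country-code TLDs the advisory says the gang favoured.
RARE_CCTLDS = {"md", "st"}

# Second-level labels that commonly sit under a 2-letter ccTLD (co.uk etc.).
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels, or the last three when the TLD is a
    two-letter ccTLD with a common second-level suffix. Simplified on purpose;
    a real deployment would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def score_url(url):
    """Return (score, reasons) for a URL using the four Rock Phish indicators."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return 0, ["no host"]
    reasons, score = [], 0
    reg = registrable_domain(host)
    tld = host.rsplit(".", 1)[-1]
    flat = host.replace("-", "").replace(".", "")

    # Indicator 1: a brand name appears in the hostname, but the registrable
    # domain is not one the brand actually owns.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in flat and reg not in legit:
            score += 3
            reasons.append(f"brand '{brand}' outside its own domain ({reg})")

    # Indicator 2: runs of digits interspersed in the hostname labels
    # (raw IP-address hosts are skipped; they are a different signal).
    digit_runs = re.findall(r"\d{3,}", host)
    if digit_runs and not re.fullmatch(r"[\d.]+", host):
        score += 2
        reasons.append(f"digit runs in hostname: {digit_runs}")

    # Indicator 3: rarely used ccTLD named in the report.
    if tld in RARE_CCTLDS:
        score += 2
        reasons.append(f"rarely used ccTLD .{tld}")

    # Indicator 4: the literal 'rock' token in host or path.
    if "rock" in host or "rock" in (parsed.path or "").lower():
        score += 1
        reasons.append("'rock' token in URL")
    return score, reasons


def is_suspicious(url, threshold=4):
    """Assumed threshold: a brand mismatch alone is not enough; it needs a
    second indicator before the URL is flagged for review."""
    return score_url(url)[0] >= threshold


# Constructed sample URLs for demonstration only; none are real sites.
SAMPLE_URLS = [
    "https://www.bankofamerica.com/login",
    "http://bankofamerica.1837462.example-host.md/rock/login.php",
    "https://signin.ebay.com/",
    "http://paypal.com.5573920.example.st/cgi-bin/webscr",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        s, why = score_url(u)
        print(f"{s:>2} {'SUSPICIOUS' if is_suspicious(u) else 'ok':10} {u}")
        for r in why:
            print("      -", r)
```

Feeding gateway logs through score_url gives a per-URL reason list that an analyst can read directly, and the threshold keeps a lone brand-name mismatch (common in legitimate partner or affiliate hosts) from generating alerts on its own.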