Forums » Up and Running » Security » Spam, Scam and Phishbusters » Rock phish information

nwrickert
What's a rock phish anyway?

The rock phish is a particular style of phish that is difficult to deal with. Recent phish for Fifth Third Bank are all of this form, as are some of the Bank of America phish and some eTrade phish.

The phish url for a rock phish is sent in only one email message. For example, one of today's collection (phish #7559) uses
http://www.53.com.portal.busid8623879.cifio.net/cbdir
as the url. As you can see, the hostname includes a numeric component. The phisher modifies this number for each copy of the email sent, resulting in unique links.

With this practice, the phisher avoids phish filters such as that on IE7. These phish filters use a database check to see if the phish url has already been reported. But since you are the only one receiving this url, nobody else will have reported it. Perhaps these filters should also be checking the IP address of the phish site, since phishers use only a relatively small number of IP addresses but a large number of hostnames.

The rock phish email typically contains the url link attached to an image. Since most of the text of the phish email is in the image, this makes it difficult for heuristic mail filters to recognize this as a phish.

To create this kind of phish, the phisher registers a new domain. My guess is that it is registered from a hijacked computer, and paid for with a stolen credit card number. The phisher sets up DNS for the new domain, thus creating DNS entries for his multiple phish domain names. In the case of the sample url given above, that domain is "cifio.net". Perhaps if phish filters were to check just the base part of the domain name, that would be another way they could detect and flag a domain as a rock phish domain.

alien8
said by nwrickert :

The rock phish email typically contains the url link attached to an image. Since most of the text of the phish email is in the image, this makes it difficult for heuristic mail filters to recognize this as a phish
Difficult, yep... but there are things "wrong" with how the phish emails are produced... that I'm not going to go into... but can be used to detect that it's a rock phish email.

Look on the stats page for items labelled "Rock", showing that it can be detected... certainly using ClamAV:

sanesecurity.com/clamav/stats.htm

Cheers,

Steve
--
Tired of spam? Grab www.spampal.org


SYNACK
said by nwrickert :

The rock phish is a particular style of phish that is difficult to deal with.
...With this practice, the phisher avoids phish filters such as that on IE7. These phish filters use a database check to see if the phish url has already been reported.
I believe that IE7 also uses some primitive heuristics to flag "suspected" phish sites (orange address bar).

How hard can it really be??

A Rock phish URL is more probable...

• The longer the host name is.
• if the host name contains more than 2-3 periods.
• if substring ".com" is not followed by "/" (not at end of host name).
• (Matches above rules and contains typical phish fragments ("paypal", ".53.", "bbt", etc.)) ... probably not even needed.
• etc.

How many legitimate sites would produce a false positive in this test? Really?


nwrickert

said by SYNACK :

I believe that IE7 also uses some primitive heuristics to flag "suspected" phish sites (orange address bar).
That matches my experience. Yet I just brought up the phish page for phish #11054, and IE7 didn't flag it, nor suggest that it could be a phish. I do have IE7 configured to check.

said by SYNACK :

How hard can it really be?
I would not have thought it particularly hard. But then I'm not a Microsoft designer or programmer, so what would I know?

In addition to the indicators you mention, the presence of a form with a password (masked input) on the page should be one of the hints.

The trouble with heuristics is that to change them you have to release a new version of IE7 and persuade people to update to it. As long as IE7 is mostly relying on contacting an online database, the better approach would be to modify the database lookup strategy. For some kinds of phish, they should block all urls that use a particular domain name. That would take care of rockphish.

The database backend could use heuristics to identify rockphish. If a phish uses a domain name that was registered very recently, the chances are that the domain name was registered with the intent of phishing. The presence of a wildcard A or CNAME record in DNS further increases the likelihood that this is a phishing domain. All urls for such a domain should be flagged as probable phish, unless some human intervention overrides this.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10
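Putting SYNACK's host-name rules and nwrickert's base-domain and wildcard-DNS hints into code, as an added example that is not from the thread: the score thresholds, the `base_domain` helper and the `fake_resolve` stand-in for DNS are assumptions made here so the check runs offline against the sample URL from the first post.

```python
from urllib.parse import urlsplit
import random
import string

# Fragments SYNACK lists; ".53." matches the Fifth Third-style hosts in the thread.
PHISH_FRAGMENTS = ("paypal", ".53.", "bbt")

def base_domain(host):
    """Registrable base of a host ("cifio.net" for the sample URL). Assumption:
    the last two labels suffice; a real filter would consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def rock_phish_score(url):
    """Score a URL with the host-name heuristics from the thread.
    Returns (score, reasons); the numeric thresholds are constructed here."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    score, reasons = 0, []
    if len(host) > 30:                      # the longer the host name is
        score += 1; reasons.append("long host name")
    if host.count(".") > 3:                 # more than 2-3 periods
        score += 1; reasons.append("many periods")
    if "com" in labels[:-1]:                # ".com" inside the host, not at its end
        score += 1; reasons.append("'.com' not at end of host")
    if score and any(f in "." + host + "." for f in PHISH_FRAGMENTS):
        score += 1; reasons.append("typical phish fragment")
    return score, reasons

def looks_wildcard(host, resolve):
    """nwrickert's DNS hint: a random label under the base domain resolving
    to the same address as the phish host suggests a wildcard record.
    `resolve(name) -> ip or None` is injected so this runs offline."""
    probe = "".join(random.choices(string.ascii_lowercase, k=12))
    probe_ip = resolve(probe + "." + base_domain(host))
    return probe_ip is not None and probe_ip == resolve(host)

# Constructed stand-in for DNS: anything under cifio.net answers like a wildcard.
def fake_resolve(name):
    if name == "cifio.net" or name.endswith(".cifio.net"):
        return "192.0.2.10"
    return {"www.53.com": "198.51.100.5"}.get(name)

if __name__ == "__main__":
    for u in ("http://www.53.com.portal.busid8623879.cifio.net/cbdir",
              "https://www.53.com/", "https://www.bankofamerica.com/login"):
        h = urlsplit(u).hostname
        print(u, rock_phish_score(u), "wildcard:", looks_wildcard(h, fake_resolve))
```

The sample rock phish URL trips all four rules and the wildcard probe, while the two legitimate hosts score zero and resolve nothing under a random label.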
Monday, 30-Nov 15:10:10. © 1999-2009 dslreports.com.