ICANN Email List Archives

[gnso-ff-pdp-may08]



RE: [gnso-ff-pdp-may08] Rock Phish Invests in Technology Upgrade

  • To: "'Fast Flux Workgroup'" <gnso-ff-pdp-May08@xxxxxxxxx>
  • Subject: RE: [gnso-ff-pdp-may08] Rock Phish Invests in Technology Upgrade
  • From: "Mike Rodenbaugh" <icann@xxxxxxxxxxxxxx>
  • Date: Mon, 8 Sep 2008 08:47:57 -0700

Maybe the Rock group really were domain tasting, and didn't want to pay the
$.25 to ICANN for each domain?  The volume dropped 50% the month that fee
kicked in...

(Just kidding...)

-----Original Message-----
From: owner-gnso-ff-pdp-may08@xxxxxxxxx
[mailto:owner-gnso-ff-pdp-may08@xxxxxxxxx] On Behalf Of Diaz, Paul
Sent: Monday, September 08, 2008 6:26 AM
To: Fast Flux Workgroup
Subject: [gnso-ff-pdp-may08] Rock Phish Invests in Technology Upgrade


FYI - more FF-enabled phishing attacks expected

Phishing Drops as Rock Phish Invests in Technology Upgrade (SC
Magazine, 090508)
By Dan Kaplan
http://www.scmagazineus.com/Phishing-drops-as-Rock-Phish-invests-in-technology-updgrade/article/116332/

A plummet in the number of phishing emails between spring and summer
appears related to a major crime group's decision to upgrade its botnet
infrastructure, new research from RSA revealed on Friday.

The notorious Rock Phish group, believed responsible for at least half
of all phishes, has spent the last several months transitioning from a
legacy botnet to the Asprox botnet, Sean Brady, product marketing
manager at RSA, told SCMagazineUS.com.

The move will help the criminal syndicate distribute phishing emails
faster and more frequently, while being more difficult to detect, he
said.

"Like any business that upgrades its IT infrastructure, we would believe
the Rock Phish group would think they're better prepared for the
future," Brady said.  "We would not be surprised if we saw phishing
levels return to where they were in the spring or early summer."

According to phishing clearinghouse PhishTank, the number of valid
phishes in July was 8,090, a considerable drop-off from 11,706 in May
and 16,527 in April.

The Asprox botnet, traditionally leveraged to scan for websites
vulnerable to SQL injection and infect users' machines with trojans, is
now potentially being used by Rock Phish to distribute its attacks,
Brady said.

"Leveraging the Asprox botnet and hosting your attacks from that botnet
means that it's essentially self-fueling," he said.  "You can create a
larger botnet in a shorter period of time and therefore launch wider
attacks."

Asprox also comes outfitted with more advanced fast-flux networks, used
to hide phishing sites and IP addresses behind a constantly changing
series of botnet nodes that act as proxies, Brady said.

"They all run cover for the real system that is hosting the phishing
attack," he said.

Dave Jevans, chairman of the Anti-Phishing Working Group, a phishing
resource organization, said he has noticed a steep decline in phishing
emails, but now Rock Phish appears back.

A number of European banks and at least one major U.S. bank are being
actively targeted in phishing campaigns, he said.

But it is doubtful Rock Phish, believed to be based in St. Petersburg,
Russia, took a major financial hit during the downtime, Jevans said.

"You don't need to be constantly harvesting credentials," he said.
"There are more stolen passwords out there than have ever been used."

Brady said the time off shows Rock Phish is being run like a legitimate
corporation.

"They have profit concerns, margin concerns and now obviously IT
infrastructure concerns," he said.
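The article describes fast flux as hiding a phishing host behind a constantly changing set of proxy nodes. The defender-side signal that leaves in DNS is a domain whose answers keep rotating through many IPs in many networks under a short TTL. The script below is an added example, not code from the list post, from RSA or from the SC Magazine article; it scores constructed DNS resolution records with that heuristic. The thresholds, the sample domains and the per-IP ASN values are all assumptions (in practice the ASN comes from an external BGP or whois lookup), and the CDN-like sample shows why IP count alone is not enough: content networks also answer with short TTLs and several addresses, but from one network.

```python
"""Fast-flux heuristic scoring over DNS resolution records.

Added example, not from the ICANN list post or the SC Magazine article.
Each record is one observed A answer for a domain: timestamp, IP, TTL and
the ASN the IP maps to (assumed to come from an external lookup).
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Assumed thresholds (not from the article); tune against a local baseline.
MIN_DISTINCT_IPS = 5      # rotating proxy pool
MIN_DISTINCT_ASNS = 3     # spread across unrelated networks, unlike a CDN
MAX_TTL_SECONDS = 300     # short TTL so the rotation actually takes effect


def summarize(records):
    """Group answers by domain and compute the flux-related features."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)

    features = {}
    for domain, rs in by_domain.items():
        ips = {r["ip"] for r in rs}
        asns = {r["asn"] for r in rs}
        # /24 diversity separates "many IPs in one block" from real spread.
        slash24 = {str(ip_network(f"{r['ip']}/24", strict=False)) for r in rs}
        timestamps = [r["ts"] for r in rs]
        features[domain] = {
            "lookups": len(rs),
            "distinct_ips": len(ips),
            "distinct_asns": len(asns),
            "distinct_slash24": len(slash24),
            "median_ttl": median(r["ttl"] for r in rs),
            "window_seconds": max(timestamps) - min(timestamps),
        }
    return features


def is_fast_flux(f):
    """All three signals must agree: many IPs, many ASNs, short TTL."""
    return (f["distinct_ips"] >= MIN_DISTINCT_IPS
            and f["distinct_asns"] >= MIN_DISTINCT_ASNS
            and f["median_ttl"] <= MAX_TTL_SECONDS)


def classify(records):
    """Map each domain seen in the records to a flux verdict."""
    return {d: is_fast_flux(f) for d, f in summarize(records).items()}


# Constructed sample data (documentation prefixes, assumed ASNs).
SAMPLE_RECORDS = [
    # login-update.example: every lookup returns a new IP in a new ASN, TTL 180.
    {"domain": "login-update.example", "ts": 0,    "ip": "198.51.100.7",   "ttl": 180, "asn": 64501},
    {"domain": "login-update.example", "ts": 300,  "ip": "203.0.113.21",   "ttl": 180, "asn": 64502},
    {"domain": "login-update.example", "ts": 600,  "ip": "192.0.2.88",     "ttl": 180, "asn": 64503},
    {"domain": "login-update.example", "ts": 900,  "ip": "198.51.100.140", "ttl": 180, "asn": 64504},
    {"domain": "login-update.example", "ts": 1200, "ip": "203.0.113.250",  "ttl": 180, "asn": 64505},
    {"domain": "login-update.example", "ts": 1500, "ip": "192.0.2.33",     "ttl": 180, "asn": 64506},
    # cdn-static.example: short TTL and several IPs, but all in one ASN (CDN-like).
    {"domain": "cdn-static.example", "ts": 0,    "ip": "203.0.113.10", "ttl": 60, "asn": 64510},
    {"domain": "cdn-static.example", "ts": 300,  "ip": "203.0.113.11", "ttl": 60, "asn": 64510},
    {"domain": "cdn-static.example", "ts": 600,  "ip": "203.0.113.12", "ttl": 60, "asn": 64510},
    {"domain": "cdn-static.example", "ts": 900,  "ip": "203.0.113.13", "ttl": 60, "asn": 64510},
    {"domain": "cdn-static.example", "ts": 1200, "ip": "203.0.113.14", "ttl": 60, "asn": 64510},
    # www.bank.example: a stable pair of IPs, one ASN, long TTL.
    {"domain": "www.bank.example", "ts": 0,    "ip": "192.0.2.10", "ttl": 3600, "asn": 64520},
    {"domain": "www.bank.example", "ts": 3600, "ip": "192.0.2.11", "ttl": 3600, "asn": 64520},
    {"domain": "www.bank.example", "ts": 7200, "ip": "192.0.2.10", "ttl": 3600, "asn": 64520},
    {"domain": "www.bank.example", "ts": 10800, "ip": "192.0.2.11", "ttl": 3600, "asn": 64520},
]


if __name__ == "__main__":
    for domain, feats in summarize(SAMPLE_RECORDS).items():
        print(domain, feats, "FLUX" if is_fast_flux(feats) else "ok")
```

Run against real data, feed it the A answers your resolver logs for each domain over a window of an hour or so; the heuristic only becomes meaningful once a domain has been queried several times, since one answer cannot show rotation.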



