Between a rock and a hard place

Cybercriminals are now adopting IT best practices to facilitate online fraud, says John LaCour.

Electronic crime continues to be a growing menace to society. In particular, an increasingly popular type of online fraud is phishing. In this type of scam people are tricked into divulging sensitive personal and account information that is then used to steal funds or perform other malicious activities.

Not only do statistics show a continued increase in phishing attacks, but these scams are becoming more elaborate and therefore more difficult to defeat. Ironically, the success of these scams relies on many of the information technology best practices that legitimate companies use to ensure business continuity. In fact, some phishers are using these same IT best practices to improve the success of their online scams; this article looks at how they do so and at possible mitigation strategies.

Phishing is an online scam in which people are lured to fraudulent websites, mostly by authentic looking emails, and asked to divulge personal information such as their user names, passwords, account numbers, addresses, PIN numbers, and so on.

The phisher, or modern con artist, then uses this information to appropriate the victim's identity and withdraw money from his or her bank account, run fraudulent online auctions, apply for credit cards, obtain loans, launder money, and engage in a variety of other illegal online activities.

While these schemes are focused on individual consumers, the institutions that phishers are impersonating are also victims: their brand and hard-earned reputation is impugned. Banks are the most common targets of phishing attacks, but more and more, such attacks are being carried out against all types of organisations including auction sites, payment sites, social networking sites, online brokerages, gambling websites, and online merchants.

This form of fraud has become an unfortunate and thriving economic reality. The number of unique phishing web sites detected by the Anti-Phishing Working Group rose to 55,643 in April 2007, a massive jump from March's 20,871.

A more accurate measurement of phishers' activities is the number of corporate brands attacked. According to research by MarkMonitor, as reported in the Summer 2007 Brandjacking Index, the number of brands phished each month reached an all-time high of 240 in May 2007.

In a typical phishing attack, the perpetrator sends out enormous amounts of unsolicited email including links to fraudulent websites that are under the control of the attackers. The links point to web pages that imitate the institution being targeted but are usually placed on a legitimate website server that has been compromised by the attacker.

In this scenario the success of the fraudster is dependent upon their ability to successfully deliver phishing emails, compromise a web server, and establish fake web pages on the compromised server.

Today, companies specialising in anti-phishing operations are often able to quickly mitigate such attacks by rapidly providing website addresses to anti-spam companies and by contacting web hosting providers or the legitimate website owner to have the offending web pages removed. As a result, many phishers have turned to new tactics to improve the effectiveness of their scams.

With the pervasiveness of distributed information systems, IT professionals have adopted a variety of best practices designed to improve the security and availability of information systems. These commonly accepted system design guidelines include goals such as:

  • Avoiding single points of failure
  • Geographic diversity of systems
  • Back-up resources or systems
  • Attack resiliency
  • Automation to avoid the chance of human error
  • Architecture utilising best-of-breed components

Unfortunately, cyber criminals are increasingly turning to these tactics in the design of their phishing scams. Most notably, for the past two years, a group known as the 'rock' phish gang has been using these methods to steal what is believed to be hundreds of millions of pounds from banks around the world. 

The rock gang get their name from the fact that the word 'rock' was previously used within the URL of their scams. They no longer follow this convention, but continue using their relatively advanced phishing techniques to commit crime online. In fact, Rock and their copy-cats have built an elaborate multi-tiered architecture composed of several unique layers to enable their phishing scams.

These phishers often use a multi-tiered architecture composed primarily of three main components:

  • A bot network used to facilitate sending phishing emails
  • Distributed DNS servers to provide name-to-IP service for phishing URLs
  • HTTP proxy network used to provide secured access to the phishing site web server(s)

The bot network is a group of compromised consumer PCs that are remotely controlled by the phishers. By using these systems to send out their emails, the phishers benefit from the geographic diversity of the systems and remain resilient to attack, because it is difficult to contact the end-users, who are most likely unable to isolate and remove malware from their systems. Additionally, the bots add a layer of indirection, making it more difficult to track the phishers themselves.

Another tactic is to send phishing emails that use multiple sub-domain names across multiple URLs. For example, for the first half of 2007, the Rock gang used over 1300 domain names and over 28000 unique URLs.

http://money.session-0069756.bank.com.userport.ch/forms/  
http://money.session-007976436.bank.com.userport.ch/forms/
http://money.session-01125131.bank.com.farmville.tv/forms/
http://money.session-011823874.bank.com.farmville.tv/forms/
http://money.session-01302225.bank.com.farmville.tv/forms/
Example of URLs used by Phishers

The attackers use this technique to bypass blacklisting technology that may be used by anti-spam vendors and web browser vendors. DNS is configured using a wildcard record so that any sub-domain will work. For example, the configuration for the 'userport.ch' domain is as follows:  

*.userport.ch.    IN  A  100.1.1.2
                  IN  A  120.2.3.4
                  IN  A  12.4.5.6
                  IN  A  149.7.8.9

By using the configuration above, any hostname or sub-domain under 'userport.ch' will resolve to the list of IP addresses provided. Using a pool of IP addresses provides geographic diversity since the IP addresses listed are typically located in several different countries. 

Also, should one IP address become unavailable due to the removal of the installed malware, the remainder will continue to be used and function as proxies to the phishing site and an additional, previously unadvertised, member of the botnet will be added to the pool. This is one of the ways that the attackers are using back-up resources and improving system availability.

A forensic examination of a system running DNS on behalf of the phishers has shown that automated programs are used to configure and update the name server software. This limits human error on behalf of the phishers and also ensures that DNS points to compromised PCs that are still accessible as proxies to the phish sites.
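As an added example (not the article's or MarkMonitor's code), the Python below shows the defender-side triage that follows from the wildcard-DNS and IP-pool observations above: it probes a domain for a wildcard record, flags zones whose answer is a pool of several addresses, and links domains that share pool addresses so that one takedown effort can cover the whole cluster. FAKE_DNS is a constructed stand-in for a resolver that mirrors the zone shown in the article, and registered_domain is a naive two-label assumption rather than a public-suffix-list lookup.

```python
# Added example (not the article's or MarkMonitor's code): triage phishing URLs
# for the wildcard-DNS + shared-IP-pool pattern and group domains on one pool.
# FAKE_DNS is a CONSTRUCTED stand-in for a resolver mirroring the article's zone.
from collections import defaultdict
from urllib.parse import urlsplit

FAKE_DNS = {  # '*.' keys model wildcard A records; constructed data
    "*.userport.ch": {"100.1.1.2", "120.2.3.4", "12.4.5.6", "149.7.8.9"},
    "*.farmville.tv": {"100.1.1.2", "120.2.3.4", "12.4.5.6", "149.7.8.9"},
    "www.example.org": {"198.51.100.7"},  # ordinary host, no wildcard
}
URLS = [  # first four are URLs quoted in the article; last is a benign control
    "http://money.session-0069756.bank.com.userport.ch/forms/",
    "http://money.session-007976436.bank.com.userport.ch/forms/",
    "http://money.session-01125131.bank.com.farmville.tv/forms/",
    "http://money.session-011823874.bank.com.farmville.tv/forms/",
    "http://www.example.org/forms/",
]

def registered_domain(host):
    # Assumption: last two labels; real code should consult the public suffix list.
    return ".".join(host.split(".")[-2:])

def resolve(host, dns=FAKE_DNS):
    """Exact record first, else the zone's wildcard record, else nothing."""
    return dns.get(host) or dns.get("*." + registered_domain(host), set())

def has_wildcard(domain, dns=FAKE_DNS):
    """Probe with a label nobody would register: if it resolves, a wildcard exists."""
    return bool(resolve("zz-probe-8f3a." + domain, dns))

def triage(urls, dns=FAKE_DNS, min_ips=2):
    hosts = defaultdict(set)
    for u in urls:
        h = urlsplit(u).hostname
        hosts[registered_domain(h)].add(h)
    pools = {d: resolve(next(iter(hs)), dns) for d, hs in hosts.items()}
    # Suspect: wildcard zone answering with a pool of several IPs (proxy bots).
    suspects = {d: p for d, p in pools.items() if has_wildcard(d, dns) and len(p) >= min_ips}
    # Merge domains whose pools overlap: they sit on the same stolen infrastructure.
    groups = []
    for d, pool in suspects.items():
        hit = [g for g in groups if g[1] & pool]
        merged = ({d}, set(pool))
        for g in hit:
            merged = (merged[0] | g[0], merged[1] | g[1])
            groups.remove(g)
        groups.append(merged)
    return suspects, [sorted(g[0]) for g in groups]
```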

The third main layer in the phishers' architecture is the use of HTTP proxies. In the case of Rock phishers, the proxy software is actually botnet malware which simply relays HTTP connections to the phishing websites. Typically, the bots are configured to route to back-end web servers based on the URL path.

anydomain.userport.ch/path1 directs users to a phish site for bank-1
anydomain.userport.ch/path2 directs users to a phish site for bank-2

This enables the phishers to use the stolen resources effectively and essentially run scams against several targets over the same infrastructure at once.

The use of proxies provides additional benefits to the phishers besides the ability to target several banks at once. These same benefits are typically the motivation for IT's use of application proxies. Application proxies are a common type of high security firewall. They ensure that the application itself is not directly exposed to would-be attackers, in this case those who would like to shut down the phishing site.

The result of these tactics is that phishing websites stay alive much longer. According to research by Dr Richard Clayton, a computer security researcher at Cambridge University, phish sites by the rock gang using these tactics stay alive 61 per cent longer on average, sometimes as long as three weeks.

The effectiveness of these new phishing tactics has caused a number of banks to outsource their phishing shut down activities to security companies that are adept at tracking the complexity of these networks and dealing with these new tactics. 

As we've seen before, IT technology and practices can be used for good or evil. Now phishers are using high availability and security techniques to improve the efficiency of their scams.

The recent report published by the House of Lords Science and Technology Committee on Internet Security recognises that e-crimes like those perpetrated by the Rock gang are expanding rapidly and require banks to do more to promote personal internet security. It's time for industry to revamp their anti-ecrime initiatives to respond to this evolving threat.

About the Author

John LaCour is the director of AntiPhishing Solutions for MarkMonitor a company specialising in online brand protection. He is a Certified Information Security Systems Professional and is active in the security research community. 

November 2007
