Phishing Kits Classified
Posted by Gunter Ollmann on June 06, 2007 at 12:03 AM EDT.

Phishing attacks have evolved quite a bit over the last few years.  When I wrote my first whitepaper on the subject back in 2004 – ‘The Phishing Guide’ – the vectors for attack were already numerous, and since then many more vectors have appeared.  Starting with a “Ph…” or possibly ending with a “…ishing”, these related threats are running rampant and are a concern for business and home users alike.

If you’re not concerned about the phishing threat, then you probably don’t use email and don’t browse the Internet – in fact you’re probably only reading this blog entry because someone else printed it off for you.

That aside, whenever possible, I try to keep abreast of the latest advances in Phishing – particularly the “classic” email initiated variety – and have been keeping a keen eye upon the evolution of ‘Phishing Kits’.

For those of you who don’t know what a Phishing Kit is, think of it as the modern counterpart of the popular DIY virus creation toolkits of the late 1990s: it allows a non-technical attacker to rapidly deploy multiple phishing websites (with multiple DNS host entries for virtual hosts) upon a single host.  Requiring only a small installation footprint, and capable of being deployed with off-the-shelf botnet agents, these phishing kits serve up multiple fake banking websites from around the world on a single compromised host.

I think the first phishing kit to gain notoriety was the “Rock Phish” kit, which reared its ugly head around the tail end of 2005 – and was named after the kit’s use of the word “rock” in the phishing URLs it served up.  Later versions shrunk “rock” down to “r”, and today there’s no visible link to the kit’s origins (yet another example of the thrust and parry between attackers and defenders).

No doubt you’ve all read about the huge increases in new phishing web sites over recent months.  Certainly the last report (April) from the Anti-Phishing Working Group (APWG) shows a rather colorful graph of these monthly increases.

The Real Use of Phishing Kits

The X-Force research gurus over in Kassel (Germany), who are responsible for ISS’s content filtering technologies and are always elbow deep in analyzing spam emails and crawling the Web, keep a constant vigil for new phishing sites and related trends (mind you, that is one of the reasons our customers employ their advanced technology!).

Anyhow, on a regular basis we all meet to discuss the highs and lows of what’s happening in the Phishing world.  Just the other week, the gurus brought online some new analytical engines to help classify the thousands of phishing web sites they identify each week – engines which can now positively identify sites that run a phishing kit.

This is pretty exciting news to me.  Whilst the stories of month-on-month exponential increases in phishing attack sites make for a compelling news headline, I’ve always felt that the numbers were overly inflated and did not adequately reflect the true nature of this evolving threat.

X-Force Analysis of Phishing Attacks

So, let’s have a look at the latest figures for last week (week ending 9:00am Monday -- and no, I don't know why the week is measured this way).  First of all, let me just clarify that last week was a ‘slow’ week with a lowly total of 3,544 new phishing web sites identified.  When I say ‘slow’ – it’s all relative – some weeks earlier this year had more than five times this amount.

Upon diving a little deeper – and making use of the Kassel team’s latest classification advancements – we see that 3,256 of those phishing web sites were actually associated with Phishing Kits.  That means that 92 percent of last week’s new phishing web sites were in fact kit-based!

But that’s not the end of it.  Going deeper still, we see that those phishing kit sites tied back to 100 registered domains (compared to the 288 non-kit phishing websites that made use of 276 registered domains).  The majority of these domains (44 percent) were registered under the .HK (Hong Kong) ccTLD (country code Top Level Domain).

What does this mean?  Even though this data only corresponds to a single week’s worth of phishing attacks, we can clearly see that the use of phishing kits (with their multiple sites hosted on a single server) greatly inflates the total number of phishing sites that are commonly reported each week, and that this number does not adequately correlate to the number of hosts that are actually involved in a phishing scam.

This differentiation between hosts that are running phishing kits and those that aren’t is pretty important.  In my mind it’s analogous to classic network hack attempts and whether you count the number of attack probes detected, or you count the number of attackers actually launching the probes.  There is a big difference between observing twice as many attacks and having twice as many attackers targeting your organization – the latter actually has importance in the way you should be responding to the threat.
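
The difference between counting sites, registered domains and hosts can be seen by collapsing a phishing feed in all three ways. The following is an added example, not part of the original post or of X-Force's tooling. The feed layout, the kit flag (taken as given from an upstream classifier), the two-entry suffix set and all sample URLs and IPs are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; real use needs the full list.
MULTI_LABEL_SUFFIXES = {"com.hk", "co.uk"}

# Constructed feed: (reported URL, resolved IP, kit flag from an upstream classifier).
FEED = [
    ("http://bank-a.sample-kit1.hk/login", "192.0.2.10", True),
    ("http://bank-b.sample-kit1.hk/login", "192.0.2.10", True),
    ("http://bank-c.sample-kit1.hk/login", "192.0.2.10", True),
    ("http://bank-a.sample-kit2.com.hk/login", "192.0.2.10", True),
    ("http://bank-d.sample-kit2.com.hk/login", "192.0.2.10", True),
    ("http://bank-a.sample-kit3.example/login", "198.51.100.7", True),
    ("http://bank-b.sample-kit3.example/login", "198.51.100.7", True),
    ("http://www.sample-solo1.example/bank-a/", "203.0.113.5", False),
    ("http://sample-solo2.co.uk/~user/bank-b/", "203.0.113.9", False),
]

def registered_domain(url):
    """Registrable domain: the public suffix plus one label to its left."""
    labels = urlsplit(url).hostname.rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])

def summarize(feed):
    """Count sites, registered domains and hosts separately for kit and non-kit entries."""
    report = {}
    for name, flag in (("kit", True), ("non_kit", False)):
        rows = [(u, ip) for u, ip, is_kit in feed if is_kit is flag]
        domains = {registered_domain(u) for u, _ in rows}
        report[name] = {
            "sites": len({u for u, _ in rows}),       # what weekly totals usually report
            "domains": len(domains),                  # what was actually registered
            "hosts": len({ip for _, ip in rows}),     # machines actually serving pages
            "tlds": Counter(d.rsplit(".", 1)[-1] for d in domains),
        }
    total = sum(r["sites"] for r in report.values())
    report["kit_share_pct"] = round(100 * report["kit"]["sites"] / total)
    return report

if __name__ == "__main__":
    for key, value in summarize(FEED).items():
        print(key, value)
```

In the constructed feed, seven kit sites collapse to three registered domains on two hosts, while the two non-kit sites stay at two domains and two hosts.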

...expect more analysis to come from the X-Force gurus in Kassel in the future.

    Copyright 2001-2007 © Gunter Ollmann