Phishing under the Microscope
Posted by Gunter Ollmann on July 11, 2007 at 5:58 AM EDT.

When discussing phishing, most people I meet are all too familiar with the spam-based email flooding their inboxes and the cloned websites waiting out there to suck down their banking credentials and steal their identities.  But many of them have no inkling of the mechanics and logistical challenges behind the attack.

In recent weeks you’ll have read some postings from me about phishing statistics and the use of kits to deploy an attack.  What I’d like to do now is shed a little more light on the way in which professional phishing gangs organize their attacks.

The thing to remember is that professional phishing is a business.  There are gangs out there whose sole occupation is to catch out the small percentage of people who fall victim to their electronic deception and fraud tactics.  But you should also recognize that phishing is only one section of an organized crime conveyor-belt.

Phishing Mechanics

Let’s take a step-by-step look at the mechanics behind many of the more voluminous phishing attacks conducted by “the professionals” in recent times.  If it sounds like a recipe from a cookbook, that’s because it is – crime can also follow a copy-paste strategy.

  1. Acquire some credit card credentials.  In this step, the phishing gang acquires some stolen credit card details – complete with the original card owner’s details.  The card details may have been purchased in bulk from any of the underground credit card sales sites, or may have been harvested by previous phishing scams run by the same gang.  Alternatively, the phishing gang may have links with other “physical” criminal groups that provide skimming services.
  2. Create email addresses.  Here, the phishing gang creates sets of online credentials and email addresses resembling those of the stolen credit cards’ owners.
  3. Prepare hosting details.  The phishers begin to set up the critical components of their upcoming attack.
    a. Using the stolen credit cards, they sign up with various questionable cowboy Internet hosting providers for the purpose of deploying the key phish sites (aka the “motherships”) and authoritative DNS servers.
    b. Using the stolen identities of the credit card owners, the phishers begin to register multiple domain names with various Registrars – often preferring domains in ccTLDs (such as .hk and .cc) – providing the original card owner’s contact details and the newly created email address as the WHOIS contact details.
    c. Once the domains are registered, the phishers make the rented DNS servers authoritative for all the domains.
  4. Link to a botnet.  The phishing gang then links to (or creates) a small botnet (of the order of 10-30 IP hosts).  These bot-agents are configured to proxy TCP port 80 traffic to the recently created mothership Web sites, and also to act as mail relays.
  5. Wildcard DNS setup.  In this step, the phishing gang configures the DNS name servers’ A-records to point to each of the botnet Web proxies (via round-robin allocation).  The configuration also includes wildcard name resolution, so any host name under the domain resolves.
  6. Distribute the phishing email.  Having completed the groundwork in setting up the resilient hosting framework, the phishing gang then proceeds to send their enticing phishing email (via the bot-agents) – making use of the newly registered domains and sub-domains.

Armed with this operational environment, the phishers can rapidly add additional bot-agents (or pick another botnet entirely) in whac-a-mole fashion as law enforcement shuts down each compromised host.  If one of the registered domains is successfully taken down, the phishers merely use one of the others that are still up and proceed to register a few more.

It’s probably worth noting that one of the ways in which we can tell one phishing gang from another is by the botnet proxies they use – for example, distinguishing attacks conducted by the “Rock Phish” gang from the numerous phishy clones and copy-cats.

Growth of Fast-flux

“Fast-flux” is a term that sprang up in early 2006 to describe the evolution of the rapidly changing DNS resolution services used by the phishing gangs.  With Fast-flux hosting, the DNS servers not only round-robin cycle through a list of A-records and NS-records, but they also assign very low TTLs to the records (typically sub-five minutes) – and those records point at their proxy bot-agents.

This rapid cycling of DNS records means that the loss of a few hosts from the botnet doesn’t really result in much downtime in the phishers’ attack.
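The wildcard/round-robin setup in steps 4 and 5 above and the Fast-flux traits just described (sub-five-minute TTLs, a rotating pool of A-records spread across unrelated networks) leave a fingerprint a resolver log can be checked for.  The following is an added example, not code from the original post: it scores repeated lookups of one host name against those traits.  The lookup data is constructed for illustration, and /16 prefix diversity stands in for ASN diversity so the check runs offline.

```python
from ipaddress import ip_network

# Constructed sample: repeated lookups of one phishing host name, each as
# (seconds since first lookup, TTL in seconds, A records returned).
FLUX_LOOKUPS = [
    (0,   180, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    (200, 180, ["198.51.100.7", "203.0.113.88", "192.0.2.9"]),
    (400, 180, ["192.0.2.9", "203.0.113.10", "198.51.100.250"]),
    (600, 180, ["203.0.113.3", "198.51.100.250", "192.0.2.77"]),
]
# Constructed contrast case: a stable site, same addresses every time, long TTL.
STABLE_LOOKUPS = [
    (0,    3600, ["203.0.113.5", "203.0.113.6"]),
    (3600, 3600, ["203.0.113.5", "203.0.113.6"]),
    (7200, 3600, ["203.0.113.6", "203.0.113.5"]),
]

def flux_indicators(lookups, max_ttl=300, min_distinct=6, min_networks=3):
    """Evaluate the Fast-flux traits the post describes and return one flag each:
    low TTLs, a large pool of A records, hosts spread across unrelated networks
    (bot-agents on scattered lines rather than one hosting range), and churn
    between consecutive answers.  Thresholds are assumptions for this example."""
    ttls = [ttl for _, ttl, _ in lookups]
    seen, changes, prev = set(), 0, None
    for _, _, addrs in lookups:
        cur = set(addrs)
        seen |= cur
        if prev is not None:
            changes += len(cur - prev)   # addresses absent from the previous answer
        prev = cur
    # /16 prefixes approximate "different networks" without an ASN lookup
    networks = {ip_network(f"{a}/16", strict=False) for a in seen}
    return {
        "low_ttl": max(ttls) <= max_ttl,
        "large_pool": len(seen) >= min_distinct,
        "spread": len(networks) >= min_networks,
        "churn": changes > 0,
    }

def is_fast_flux(lookups, needed=3):
    """Flag the name when at least `needed` of the four indicators fire."""
    return sum(flux_indicators(lookups).values()) >= needed

if __name__ == "__main__":
    print("constructed phishing name:", flux_indicators(FLUX_LOOKUPS), is_fast_flux(FLUX_LOOKUPS))
    print("constructed stable name:  ", flux_indicators(STABLE_LOOKUPS), is_fast_flux(STABLE_LOOKUPS))
```

In practice the same scoring would run over successive answers recorded by a corporate resolver, and a name that trips it is a candidate for blocking and for the registrar-level takedown described below.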

Taking down a Phishing Net

As you can probably see, taking down a phishing Web site is not as easy as many people think it is.  The phishers have taken great care to build a resilient and scalable framework for their attacks.

The key to taking down a “Phishing Net” really revolves around the closure of the DNS resolution services: once those are shut down, the potential victims who received the phishing email can no longer find out the IP address of the fake Web site and therefore cannot be fooled into disclosing their confidential or personal information.

In order to take down a phishing domain that is using this arrangement of DNS resolution services or a Fast-flux configuration, an organization must work closely with the registrar to erase the glue records of the name servers and to change the status of the domain (if an EPP domain) to “Client Hold” or “Client Update Prohibited” (or equivalent).  If this is not done after erasing the glue records, the phishers’ system will automatically change to a new address without intervention from the registrar, and the takedown will fail.

It’s probably also worth noting that, from an internal corporate perspective, a lot of these automated phishing URLs (that make use of the wildcard DNS for long host name resolution) can be trivially stopped just by enabling a filtering rule that limits the length of the host name within the URL to no more than four or five levels.  For example would be OK, but wouldn’t be.
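The host-name-depth rule described above, as an added example rather than code from the original post.  It counts the dot-separated levels of a URL’s host name and rejects anything deeper than the configured limit; the sample URLs are constructed, the five-level limit is taken from the text, and treating an IP literal as a single level is an assumption of this example.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

def host_depth(url):
    """Count the dot-separated levels in a URL's host name.
    Handles scheme-less URLs, user@host tricks, ports and trailing dots;
    an IP literal counts as one level (assumption of this example)."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to see the host
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return 0
    try:
        ip_address(host)
        return 1
    except ValueError:
        pass
    return len(host.split("."))

def allowed_by_depth(url, max_levels=5):
    """The corporate filtering rule from the post: reject any URL whose host
    name has more than max_levels levels, which is where the long wildcard-DNS
    phishing host names land."""
    depth = host_depth(url)
    return 0 < depth <= max_levels

# Constructed sample of URLs as a corporate proxy might see them (illustration only).
SAMPLE_URLS = [
    "http://www.example.com/login",
    "https://online.banking.example.co.uk/",
    "http://secure.login.account.update.verify.example.cc/signin",
    "http://www.bank.example.com@evil.example.cc/",
    "http://192.0.2.10:8080/",
]

def blocked_urls(urls, max_levels=5):
    """Return the URLs the depth rule would block."""
    return [u for u in urls if not allowed_by_depth(u, max_levels)]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict = "ALLOW" if allowed_by_depth(u) else "BLOCK"
        print(f"{verdict} depth={host_depth(u)} {u}")
```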

    Copyright 2001-2007 © Gunter Ollmann