Phishing on the Fly  
Posted by Gunter Ollmann on September 17, 2007 at 11:13 AM EDT.

There must have been something in the water somewhere, because it looks like last week was an exceptionally active week for the Phishers - in fact the busiest ever.  In the period running 10th through to the 17th September our anti-spam gurus over in Kassel identified 453,932 new phishing hosts – with all but 184 of them associated with now-standard phishing kit distribution techniques (that’s 99.96 percent dominance by the kits).

Perhaps the phishers have had to “up their game” in the face of all the spam and malicious activity currently associated with the Storm Worm, or their kits are just getting better.  My speculation is that both the kits that are improving and their email distribution systems are getting more efficient at spamming the world with faked banking notifications.

A Tangled Web

An obvious question is whether those 453,748 phishing-kit hosts can be mapped directly to individual phishing Web sites.  Unfortunately there isn’t really a one-to-one mapping between the hosts identified through our Kassel email monitoring systems and physical Web sites.  Due to factors such as distributed botnet hosting, fast-flux DNS, dynamic domain registration and virtualized hosting environments, you often end up with a spiders web of dependencies and a high probability of you ending up at a different Web site each time you request the same URL.

If we look at the actual domain registrations associated with these kit-based hosts, last week there were 477 new domain registrations – which means that there were an average of 1,000 phishing sites associated with each domain registration.  Actually, given the fact that our Kassel team doesn’t inspect every single email message on the planet, you can pretty much guarantee that the numbers in reality are much much greater.

As with the trend of the last few weeks, customers of Citizens Bank have been the most targeted – with over 95 percent of last week’s attacks directed at them.  Two other prominent banks were targeted – the Royal Bank of Scotland and BankcorpSouth.  In any “ordinary” week I’d have said that they heavily targeted, but given the tremendous volume of last week they’re actually pretty hard to spot in the reams of data.

Automated Domain Registration

One of the other very interesting things to be uncovered in last week’s massive escalation of phishing hosts is the notable increase in sequential (or cyclical) domain registrations. 

Throughout most of this year there have been a few instances, but last week really saw things escalate.  For example, check out the following domain names that were used in last week’s attacks:


You’ll notice the very obvious naming trends.  This is most likely due to even more automation on the Phishers side and the latest advancements of their phishing-kits.  With a “just-in-time” domain registration, the phishers can quickly launch their attacks and (perhaps more importantly) automatically replace domain registrations that get taken down by the authorities.

A closer inspection of last week’s domain registrations that use this newer sequential registration method appear to correlate well with the massive increase on the number of phishing hosts being identified.  For example, the hundred-odd domain names following the pattern through to or to

Was last week some kind of aberration or a major evolution of automated phishing attacks? We’ll be monitoring this situation closely.  Let’s hope it was the former.

    Copyright 2001-2007 © Gunter Ollmann