












News

Thursday, 24 January 2008

Malware Toolkits Grow Up

 

 

The potential damage of massively distributed malware kits is imposing enough, but cyber criminal developers continue to increase their tools’ potency. According to Trend Micro Research Program Manager Ivan Macalintal, these kits are easily modifiable, so they become more powerful as they are passed around the Net. One crafty hacker adds a bit of malicious code and another enhances it, until the result is a sophisticated, dangerous piece of collaboratively built code that anyone with minimal training and the desire to cause harm can aim and fire. These collaborative enhancements, zero-day malware kits, and rock-phishing kits are bringing increasingly powerful tools to larger numbers of thieves.




On the other hand, until recently, malware toolkits offered cyber criminals easy access to exploits that had been known for some time. While these still provided effective infection tools against poorly maintained PCs, users with properly patched software and updated security software were reasonably immune to the majority of the toolkits’ routine attack vectors. In late 2007, malware toolkits evolved, putting far more dangerous code in the hands of large numbers of criminals.




Rock Phishing Kits

In August 2007, many consumers began receiving unsolicited emails purporting to come from the IRS, offering a tax refund in exchange for completing an online form. Clicking the link in the email redirected the user to a bogus form designed to steal personal information. On the surface, this is a classic example of the authority model of phishing: an email from a trusted source requesting information on a spoofed site. Yet a closer examination revealed that cyber criminals created the IRS phishing attempt using a rock-phish toolkit. Much like malware toolkits, rock-phish toolkits provide powerful technology to less sophisticated criminals for a small fee (typically under ). Rock-phishing refers to a practice in which phishers create a succession of different domains hosting the same spoofed sites, keeping ahead of anti-phishing efforts through a rapid-fire series of linked URLs. The IRS example linked to a sequence of 16 different URLs and domains, including the following:



• http://www.{BLOCKED}ton.com/bridge/feedback.php
• http://{BLOCKED}tack.net/catalog/images/awstats/.stats/.secure/.server/.refund/login.html
• http://{BLOCKED}ab.hoseo.ac.kr:8080/Refund.html
• http://www.{BLOCKED}ho.ch/Tcho.chindex/jpg/not.php
• http://www.{BLOCKED}-let-go.net/gallery/include/help.php




Identifying and shutting down 16 URLs for a single phishing attempt slows security companies’ response times significantly. Users and businesses that are dependent on downloading security updates may be caught unprotected for even longer. While the rock-phishing strategy is not new, low-cost toolkits have brought this technology to thousands more criminals, and Trend Micro expects rock-phishing attempts to grow substantially in the coming months.
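Because a rock-phish campaign serves the same spoofed page from many domains, a responder can group reported URLs by page content and handle each group as one takedown case instead of 16 separate ones. The sketch below is an added example, not code from the article or from Trend Micro; it assumes a report feed that supplies each URL together with the fetched page body, and every hostname and page body in it is constructed.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit

def fingerprint(body: str) -> str:
    """Hash the page body after collapsing whitespace and case, so trivially
    re-indented copies of one spoofed form share a fingerprint."""
    normalized = re.sub(r"\s+", " ", body).strip().lower()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def cluster_campaigns(reports, min_hosts=3):
    """Group (url, body) reports by content fingerprint and return the
    clusters whose identical page is served from >= min_hosts distinct hosts."""
    clusters = defaultdict(lambda: {"hosts": set(), "urls": []})
    for url, body in reports:
        host = urlsplit(url).hostname  # lower-cased, port removed
        if not host:
            continue  # malformed report: no host to attribute it to
        entry = clusters[fingerprint(body)]
        entry["hosts"].add(host)
        entry["urls"].append(url)
    campaigns = [
        {"fingerprint": fp, "hosts": sorted(c["hosts"]), "urls": c["urls"]}
        for fp, c in clusters.items()
        if len(c["hosts"]) >= min_hosts
    ]
    return sorted(campaigns, key=lambda c: len(c["hosts"]), reverse=True)

# Constructed sample reports (hypothetical hosts under the reserved .example TLD).
FORM = "<form action='collect.php'><input name='ssn'></form>"
SAMPLE_REPORTS = [
    ("http://www.shop-a.example/bridge/feedback.php", FORM),
    ("http://lab.uni-b.example:8080/Refund.html", FORM.upper()),
    ("http://lab.uni-b.example/Refund.html", FORM),  # same host, no port
    ("http://gallery-c.example/include/help.php", FORM.replace(" ", "\n  ")),
    ("http://bank-d.example/login.html", "<form action='other.php'></form>"),
    ("not a url", FORM),
]

if __name__ == "__main__":
    for campaign in cluster_campaigns(SAMPLE_REPORTS):
        print(campaign["fingerprint"][:12], campaign["hosts"])
```

An exact hash only matches byte-identical pages after normalization; kits that vary the markup per domain would need a fuzzier similarity measure.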

 
 
 
 
 
Copyright @ 2008 SDA Asia Magazine - All Right Reserved Privacy Policy | Terms of Use