Blacklist Attacks
by Jose Nazario

You know you’re doing something right when you get attacked. Shortly after their appearance, specifically their widespread appearance in browsers such as Firefox 2 and Internet Explorer 7, anti-phishing toolbars have come under attack. The attacks are pretty much what you would expect: move quickly to defeat the utility of the information in those blacklists.
The increased number of effective blacklists for phishing sites, such as the ones in Firefox and IE7, has begun to push the phishing criminal community to using very dynamic URLs in an effort to stay ahead of these anti-phishing blacklists. This explosion in variety is a common attack against a static, signature-based approach. After all, if you can move faster as a bad guy than the good guys can point you out, then you’re set. That’s sort of what’s going on in the picture below. The phisher here has set up a few phishing sites (for the 5/3 Bank, Barclays, and a few other banks) but he’s using a variety of domain names to drive traffic there.
However, there’s a slight weakness in their approach, at least as the attacks are being used right now. The phishers only have a few websites that they’ve compromised (notice how everything goes to one IP address), and they’re only using a few domains (notice how everything goes to ertyhnkj.org.nz). More importantly, they have to both advertise these sites (with phishing emails) and keep DNS pointing at them (to accommodate site migrations), so they’re easy to track. All of this makes them easy to track currently, so almost every day these sites are detected with a good anti-phishing toolbar or, even better, an IP-based blacklist like our ATF phishing policy. In this case, it’s the Rock Phish kit that has mutated recently to using these pseudo-random domain name elements.
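To make the comparison concrete, here is a small added example (not code from the original post or from Arbor) that scores three kinds of blacklist against the rotating-hostname pattern described above. The sample URLs, the fake DNS table, the IP addresses and the cut-down public-suffix table are all constructed for the example; a real deployment would use the full Public Suffix List and live resolution.

```python
from urllib.parse import urlsplit

# Cut-down public-suffix table (assumption: real code loads the full PSL).
# Needed so that "ertyhnkj.org.nz" is treated as one registrant, not "org.nz".
MULTI_LABEL_SUFFIXES = {"org.nz", "co.nz", "co.uk", "org.uk"}

def registered_domain(host: str) -> str:
    """a.b.ertyhnkj.org.nz -> ertyhnkj.org.nz; www.example.org -> example.org"""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

# Constructed stand-in for DNS: every rotating hostname resolves to the same
# compromised server, as in the post. Addresses are from documentation ranges.
FAKE_DNS = {
    "fifth-third.ertyhnkj.org.nz": "192.0.2.10",
    "barclays-online.ertyhnkj.org.nz": "192.0.2.10",
    "a83kq.ertyhnkj.org.nz": "192.0.2.10",
    "www.example.org": "198.51.100.7",
}

def resolve(host: str):
    return FAKE_DNS.get(host.lower())

def blocklist_hits(url, url_list, domain_list, ip_list):
    """Return the names of the lists that would flag this URL."""
    host = urlsplit(url).hostname or ""
    hits = set()
    if url in url_list:                               # exact-URL signature
        hits.add("url")
    if registered_domain(host) in domain_list:        # registrant-level match
        hits.add("domain")
    if resolve(host) in ip_list:                      # IP-based policy
        hits.add("ip")
    return hits

def coverage(urls, url_list, domain_list, ip_list):
    """Fraction of the URLs each list catches, to compare the three approaches."""
    counts = {"url": 0, "domain": 0, "ip": 0}
    for u in urls:
        for name in blocklist_hits(u, url_list, domain_list, ip_list):
            counts[name] += 1
    return {k: v / len(urls) for k, v in counts.items()}

# Constructed phishing URLs: same path, same server, only the host label changes.
SAMPLE_URLS = [
    "http://fifth-third.ertyhnkj.org.nz/login/",
    "http://barclays-online.ertyhnkj.org.nz/login/",
    "http://a83kq.ertyhnkj.org.nz/login/",
]
URL_LIST = {SAMPLE_URLS[0]}          # the one URL that happened to get reported
DOMAIN_LIST = {"ertyhnkj.org.nz"}
IP_LIST = {"192.0.2.10"}
```

Running `coverage(SAMPLE_URLS, URL_LIST, DOMAIN_LIST, IP_LIST)` shows the exact-URL list catching one of three URLs while the domain and IP lists catch all three, which is the point of the post.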
Throughout 2007 we’ll continue to see malicious website operators attempt to defeat these blacklists, and they’ll probably gain an upper hand for a while in 2007. How long that advantage will last I can’t say, but we’ll clearly have to respond, and we will. Remember, our biggest advantage over the bad guys is that we, the good guys (at Arbor and elsewhere) have the final say. We can NULL route a malicious host, kill a malicious domain name, and can trace it all back to the attacker.