Rock Phish is both a phishing toolkit and the entity that publishes the toolkit. Phishing is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.
While the authors of the kit remain anonymous, Rock Phish has become the most popular phishing kit available online, with some estimates suggesting that the kit is used for half of all phishing attempts.
The Rock Phish toolkit first surfaced in the hacking community in 2004. Rock Phish is known for pioneering the use of image spam, in which the lure text is embedded in an image to slip past content-based spam filters. It has also proven particularly adept at evading the countermeasures deployed by network defenders, earning the group grudging respect for its ability to stay on the cutting edge of technology -- and out of the hands of law enforcement. Gartner, the information technology research and advisory firm, has described Rock Phish as the "Keyser Söze" of the phishing world, a reference to the mysterious character in the 1995 film "The Usual Suspects." Many law enforcement officials believe Rock Phish is not an individual, but rather a sophisticated group of criminals tied to organized crime.
How does Rock Phish work?
The Rock Phish toolkit enables non-technical users to create and launch phishing attacks with little effort. Rather than setting up a separate site for each target, the attacker configures a single Web server as the host and points many registered domain names at it; that one server carries a collection of templates, each closely resembling a different legitimate bank or business. From the same host the attacker can run campaigns against many brands at once, fooling customers and clients into responding to professional, legitimate-looking email and entering their personal or financial data into the phisher's form. Once harvested, credit card and banking information is channeled to a central collection server, the "Mother Ship," and sold through chat rooms to a dispersed network of money launderers, who extract the money from the victims' accounts.
Rock Phish has made a practice of using each URL once and then abandoning it: every message carries its own freshly generated hostname or path, so by the time a URL is reported and added to a blocklist it is no longer in use. This defeats anti-phishing protection that works by matching exact URLs, including the filters built into browsers of the time (Firefox 2.0 and Internet Explorer 7.0) and anti-spyware software, which consequently fail to identify the sites and warn users. Rock Phish has also stayed away from the two most popular phishing targets, eBay and PayPal, focusing instead on more than 44 different European and U.S. financial institutions, including Barclays, Citibank, Deutsche Bank and E-Trade, among others. It has also registered domain names in countries with limited online law enforcement, which slows takedown of the sites.
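As an added illustration of the single-host, many-domains, single-use-URL design described above (example code written for this page, not Rock Phish's own tooling), the following Python compares how much of a new wave of messages each blocklisting strategy catches, and clusters reported URLs by the address they resolve to in order to spot the many-domains-one-server shape. All URLs, domain names and addresses are constructed; the in-code DNS table stands in for real resolution and assumes the attacker published wildcard records, and the registrable-domain logic is a deliberate simplification.

```python
"""Blocklist coverage against a Rock Phish-style campaign (constructed data)."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: one phishing host, several attacker-registered domains,
# and a throwaway hostname + path per message. Domains use the reserved
# .example TLD and addresses come from RFC 5737 documentation ranges.
REPORTED = [  # URLs already reported and blocklisted from earlier messages
    "http://a7f2k.bankverify.example/online/8c1e2/index.php",
    "http://q9z1m.bankverify.example/online/33b0d/index.php",
    "http://x4d8p.acct-review.example/secure/f01a9/index.php",
    "http://m2c6w.login-check.example/secure/7d2ee/index.php",
]
NEW_BATCH = [  # the next wave: new hostnames and paths, same server
    "http://b8h3t.bankverify.example/online/5e7a1/index.php",
    "http://r5n0s.acct-review.example/secure/91cc4/index.php",
    "http://v1l7e.login-check.example/secure/0ab3f/index.php",
    "http://g6k2y.secure-notice.example/online/c44d8/index.php",
    "https://www.bank.example/login",  # a legitimate site, must not be blocked
]

# Stand-in for DNS so the example runs offline. Keyed by registrable domain:
# this assumes the attacker published wildcard records, so any subdomain
# resolves to the same address (an assumption of this example, not the page).
FAKE_DNS = {
    "bankverify.example": "203.0.113.7",
    "acct-review.example": "203.0.113.7",
    "login-check.example": "203.0.113.7",
    "secure-notice.example": "203.0.113.7",
    "bank.example": "198.51.100.20",
}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Naive: last two labels. A real tool would consult the Public Suffix List
    # so that names such as "example.co.uk" are handled correctly.
    return ".".join(host.split(".")[-2:])


def resolve(host: str, dns=FAKE_DNS):
    return dns.get(registrable_domain(host))


def exact_url_hits(urls, blocked_urls):
    """Exact-match URL blocklist, the approach early browser filters used."""
    return [u for u in urls if u in blocked_urls]


def domain_hits(urls, blocked_domains):
    """Block on the registrable domain, ignoring the throwaway subdomain."""
    return [u for u in urls if registrable_domain(host_of(u)) in blocked_domains]


def ip_hits(urls, blocked_ips, dns=FAKE_DNS):
    """Block on the address the hostname resolves to, i.e. the shared host."""
    return [u for u in urls if resolve(host_of(u), dns) in blocked_ips]


def cluster_by_ip(urls, dns=FAKE_DNS):
    """Map each resolved address to the set of registrable domains using it."""
    clusters = defaultdict(set)
    for u in urls:
        h = host_of(u)
        ip = resolve(h, dns)
        if ip:
            clusters[ip].add(registrable_domain(h))
    return dict(clusters)


def shared_host_candidates(urls, dns=FAKE_DNS, min_domains=3):
    """Addresses serving at least min_domains distinct domains: the
    many-domains-one-server pattern described in the text."""
    return {ip for ip, doms in cluster_by_ip(urls, dns).items()
            if len(doms) >= min_domains}


def coverage(reported, new_batch, dns=FAKE_DNS):
    """How many URLs of the new wave each blocklist strategy catches."""
    blocked_urls = set(reported)
    blocked_domains = {registrable_domain(host_of(u)) for u in reported}
    blocked_ips = {resolve(host_of(u), dns) for u in reported}
    return {
        "exact_url": len(exact_url_hits(new_batch, blocked_urls)),
        "domain": len(domain_hits(new_batch, blocked_domains)),
        "ip": len(ip_hits(new_batch, blocked_ips, dns)),
    }


if __name__ == "__main__":
    print("shared-host candidates:", shared_host_candidates(REPORTED))
    print("coverage of new wave:", coverage(REPORTED, NEW_BATCH))
```

On the constructed data the exact-URL list catches nothing in the new wave, because no URL is ever reused; blocking on the registrable domain catches the three domains seen before but misses the freshly registered one; blocking on the resolved address catches every phishing URL while leaving the legitimate site alone. The address-level view is also what exposes the campaign in the first place: several unrelated domains resolving to one host is a strong signal worth confirming before acting on it, since shared hosting can produce the same shape innocently.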