Rock Phish
SearchSecurity.com Definitions (Powered by WhatIs.com)


DEFINITION - Rock Phish is both a phishing toolkit and the entity that publishes the toolkit. Phishing is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.

While the authors of the kit remain anonymous, Rock Phish has become the most popular phishing kit available online, with some estimates suggesting that the kit is used for half of all phishing attempts.

The Rock Phish toolkit first surfaced in the hacking community in 2004. Rock Phish is known for pioneering the use of image spam. It has also proven particularly adept at evading the adaptive security measures taken by networking professionals, earning the group grudging respect for their ability to stay on the cutting edge of technology -- and out of the hands of law enforcement. Gartner, the information technology research and advisory firm, has described Rock Phish as the "Keyser Söze" of the phishing world, a reference to the mysterious character in the 1995 film "The Usual Suspects." Many law enforcement officials believe Rock Phish is not an individual, but rather a sophisticated group of criminals tied to organized crime.

How does Rock Phish work?

The Rock Phish toolkit enables non-technical users to easily create and implement phishing attacks. The kit works by configuring a single Web server as a host, with multiple domain name servers (DNSes) to host a variety of templates, each one of which closely resembles a different legitimate bank or business venture. Attackers can then launch multiple phishing attacks from the host, fooling customers and clients into responding to the professional, legitimate-looking email and entering their personal or financial data into the phisher's trap. Once harvested, credit card and banking information is channeled into a central server, the "Mother Ship," and sold through chat rooms to a dispersed network of money launderers that extract money from phishing victims' accounts.

Watch a video demonstration of Rock Phish in action.

Alert users may identify the phishing kits through a pattern in the Uniform Resource Locator (URL), which will display as:

http://{www.sampledomainname.com}/r1/{letter}

The letter after the directory name corresponds to the organization being spoofed, e.g. www.sampledomain.com/r1/c for Citibank. In fact, the group was given the name "Rock Phish" because the URLs on the fake sites created using the kits typically included a distinctive subdirectory named "rock" or /r/, though this identifier has been largely abandoned after filters were updated to search for the term. Rock Phish URLs may also display simply as an IP address, another potential danger sign. Other indicators of phishing activity are sites that use the same PHP scripts over and over again to post content to phishing Web sites or JavaScript hacks that replace a Web browser toolbar or disable keyboard functions like Cut and Paste.
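The URL-shape indicators described above (the "rock" or /r/ subdirectory, the single letter that follows it, and a bare IP address as the host) can be checked mechanically, for example when reviewing mail-gateway or proxy logs. The following is an added example, not code from the original page or from any anti-phishing product; treating "r" followed by digits as equivalent to the page's /r1/ is an assumption, and the sample URLs are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# First path segment "rock", "r" or "r<digits>", then a one-letter segment (/r1/c).
# Accepting any "r<digits>" form is an assumption generalising the page's /r1/.
ROCK_PATH = re.compile(r"^/(rock|r\d*)/([a-z])(?:/|$)", re.IGNORECASE)
ROCK_DIR = re.compile(r"^/(rock|r\d*)(?:/|$)", re.IGNORECASE)

def host_is_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def rock_phish_indicators(url):
    """Return the URL-shape indicators (possibly none) found in url."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    path = parts.path or "/"
    found = []
    match = ROCK_PATH.match(path)
    if match:
        found.append("rock-dir+letter:" + match.group(2).lower())
    elif ROCK_DIR.match(path):
        found.append("rock-dir")
    if host_is_ip(parts.hostname or ""):
        found.append("ip-host")
    return found

# Constructed sample URLs; 192.0.2.0/24 is a reserved documentation range.
SAMPLES = [
    "http://www.sampledomain.com/r1/c",
    "http://192.0.2.10/rock/b/login.php",
    "http://192.0.2.10/index.html",
    "https://www.example.com/reports/c",   # ordinary path, must not be flagged
    "www.sampledomain.com/r/",
]

def scan(urls):
    """Map each flagged URL to its indicators; unflagged URLs are omitted."""
    flagged = {}
    for url in urls:
        hits = rock_phish_indicators(url)
        if hits:
            flagged[url] = hits
    return flagged

if __name__ == "__main__":
    for url, hits in scan(SAMPLES).items():
        print(url, "->", ", ".join(hits))
```

Because the page notes that the "rock" identifier was largely abandoned once filters searched for it, a match is best treated as one weak signal among several rather than a verdict.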

Unfortunately, Rock Phish has made a practice of using unique URLs once and then abandoning them, a technique that makes it quite difficult for anti-phishing measures integrated into modern Web browsers (like Firefox 2.0 or Internet Explorer 7.0) or anti-spyware software to successfully identify and alert users to the false nature of the phishing sites. Rock Phish has also stayed away from the two most popular phishing targets, eBay and PayPal, focusing instead on more than 44 different European and U.S. financial institutions, including Barclays, Citibank, Deutsche Bank, and E-Trade, among others. Rock Phish has also used domain names in countries with limited online law enforcement.

LAST UPDATED: 03 Aug 2007

Read more about Rock Phish:
- Phishtank.com is an open source anti-phishing community that tracks Rock Phish activity.
- F-Secure has created videos of the Rock Phish Kit in action.
- Compliance and Privacy published "What is Rock Phish? And why is it important to know?"
- Infoworld reports that 'Rock Phish' is responsible for a surge in phishing attacks.
- Brian Krebs talks about Rock Phish in his Security Fix blog.


All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy