
Botnets trawl for phishing victims

Phishing fleets tightly controlled - CipherTrust



A small number of zombie networks are responsible for all Internet phishing attacks worldwide, according to CipherTrust, the messaging security appliance firm.

An analysis of messages sent to users of CipherTrust's IronMail security appliance found that less than one per cent of email messages during the first two weeks of October were phishing attacks. Dmitri Alperovitch, the research engineer at CipherTrust who carried out the analysis, reckons the phishing expeditions it spotted were launched from no more than five different networks of compromised zombie PCs, each approximately 1,000 strong.

The number of compromised machines linked to phishing expeditions is dwarfed by those engaged in spamming, which run into the tens of thousands a day. Seven in 10 of the compromised machines CipherTrust spotted distributing phishing emails were also used to send spam. CipherTrust was able to discern clear patterns in the barrage of spam and fraudulent emails spewed out from cracker-controlled machines, which led it to conclude that a limited number of zombie networks are used to send phishing emails.

"We don't know who's sending these phishing emails or buying access to these compromised machines. But we can say that a group emails together and say that the same type of spam and phishing attack is coming from a group of machines," Alperovitch told El Reg. "A different 1,000 IP addresses every day are used but the size of swarms and their numbers remain consistent. Conservatively we'd put this number at less than five; we can't be more precise than that." Alperovitch said CipherTrust is talking to federal law enforcement agencies about its findings.

CipherTrust gathered its data by detecting the senders' Internet Protocol (IP) addresses on confirmed phishing attacks and then relating those addresses to CipherTrust's TrustedSource reputation system. CipherTrust's TrustedSource is designed to "provide precise information about sender behaviour across hundreds of thousands of IP addresses for the purpose of tracking message legitimacy and using that information to determine the intent of email senders".
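The method described above (take the sender IPs of confirmed phishing messages, look each one up in a reputation store, and see which campaigns and spam runs those same machines appear in) can be reproduced in miniature. The following is an added example written for this page; it is not CipherTrust code and does not use the TrustedSource system. It runs over a constructed message log with documentation-range IP addresses and computes the figures the article quotes: the share of phishing senders also seen spamming, per-day "swarm" sizes per campaign, how many phishing IPs are reused from one day to the next, and the share of phishing traffic per impersonated brand.

```python
from collections import defaultdict

# Constructed sample log (not CipherTrust data): one message per line as
# "YYYY-MM-DD sender_ip verdict campaign". IPs are from documentation ranges.
SAMPLE_LOG = """\
2004-10-01 203.0.113.10 phish citibank
2004-10-01 203.0.113.11 phish citibank
2004-10-01 203.0.113.12 phish lloyds
2004-10-01 203.0.113.10 spam pills
2004-10-01 203.0.113.11 spam pills
2004-10-01 198.51.100.5 ham -
2004-10-02 203.0.113.20 phish citibank
2004-10-02 203.0.113.21 phish citibank
2004-10-02 203.0.113.12 phish lloyds
2004-10-02 203.0.113.20 spam mortgage
2004-10-02 198.51.100.6 ham -
"""


def parse_log(text):
    """Parse lines into (day, ip, verdict, campaign) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(tuple(parts))
    return events


def build_reputation(events):
    """Per-IP verdict counts: a toy stand-in for a sender-reputation store."""
    rep = defaultdict(lambda: {"phish": 0, "spam": 0, "ham": 0})
    for _, ip, verdict, _ in events:
        if verdict in rep[ip]:
            rep[ip][verdict] += 1
    return dict(rep)


def phish_spam_overlap(rep):
    """Fraction of phishing sender IPs that the reputation store also saw sending spam."""
    phishers = [ip for ip, counts in rep.items() if counts["phish"]]
    if not phishers:
        return 0.0
    both = sum(1 for ip in phishers if rep[ip]["spam"])
    return both / len(phishers)


def swarm_sizes(events):
    """Distinct phishing sender IPs per day and campaign: {day: {campaign: size}}."""
    swarms = defaultdict(lambda: defaultdict(set))
    for day, ip, verdict, campaign in events:
        if verdict == "phish":
            swarms[day][campaign].add(ip)
    return {day: {c: len(ips) for c, ips in camps.items()} for day, camps in swarms.items()}


def phishing_ip_reuse(events):
    """Per day, the fraction of that day's phishing IPs already seen phishing on an earlier day."""
    by_day = defaultdict(set)
    for day, ip, verdict, _ in events:
        if verdict == "phish":
            by_day[day].add(ip)
    seen, reuse = set(), {}
    for day in sorted(by_day):  # ISO dates sort chronologically as strings
        ips = by_day[day]
        reuse[day] = len(ips & seen) / len(ips)
        seen |= ips
    return reuse


def brand_share(events):
    """Share of phishing messages attributed to each impersonated brand."""
    counts = defaultdict(int)
    for _, _, verdict, campaign in events:
        if verdict == "phish":
            counts[campaign] += 1
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    rep = build_reputation(ev)
    print("phishing IPs also spamming:", phish_spam_overlap(rep))
    print("swarm sizes per day/campaign:", swarm_sizes(ev))
    print("phishing IP reuse per day:", phishing_ip_reuse(ev))
    print("brand share:", brand_share(ev))
```

On the sample, three of the five phishing senders also sent spam, the citibank and lloyds swarms keep the same size on both days while most of the IP addresses change, and two thirds of the phishing messages carry the citibank lure. On real mail-gateway data the same functions would be fed confirmed-phishing verdicts rather than hand-labelled lines, and the reputation store would hold far more than three verdict counters per IP.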

Simon Dawson, head of corporate investigations at the Risk Advisory Group, which helped the UK banking industry launch an anti-phishing website last month, said it was hard to know the number of zombie networks out there, much less who is controlling them. "This kind of information only tends to come out through criminal prosecutions," he said.

Botnets

Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) surrender control of infected PCs to malware authors, who sell access to the networks of compromised, zombie machines (or botnets) to other lowlifes. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass traditional IP address blacklists. The fraudsters behind phishing attacks employ the same trick.

Around one in three (32 per cent) of the zombies linked to phishing by CipherTrust are based in the US. The second largest number of compromised PCs, 16 per cent, were located in South Korea. The remaining 52 per cent of phishing zombies were spread across 98 countries.

CipherTrust's phishing analysis discovered that 46 per cent of the phishing attacks used the Citibank brand to entice victims to share financial and personal information. The remaining 54 per cent of attacks were split among twelve other well-known brands across the financial and online retail industries. CipherTrust also found some evidence that the conmen behind phishing scams are targeting their attacks, at least geographically. Lloyds TSB phishing emails were sent almost exclusively to email users located in Europe, where the company is based, CipherTrust reports. ®

Related stories

UK banks launch anti-phishing website
P-cube goes hunting for zombie PCs
Rise of the Botnets
Telenor takes down 'massive' botnet
The illicit trade in compromised PCs

