Botnets trawl for phishing victims

Phishing fleets tightly controlled - CipherTrust


A small number of zombie networks are responsible for all Internet phishing attacks worldwide, according to CipherTrust, the messaging security appliance firm.

An analysis of messages sent to users of CipherTrust's IronMail security appliance found that less than one per cent of email messages during the first two weeks of October were phishing attacks. Dmitri Alperovitch, the research engineer at CipherTrust who carried out the analysis, reckons the phishing expeditions it spotted were launched from no more than five different networks of compromised zombie PCs, each approximately 1,000 strong.

The number of compromised machines linked to phishing expeditions is dwarfed by those engaged in spamming, which run into the tens of thousands a day. Seven in 10 of the compromised machines CipherTrust spotted distributing phishing emails were also used to send spam. CipherTrust was able to discern clear patterns in the barrage of spam and fraudulent emails spewed out from cracker-controlled machines, which led it to conclude that a limited number of zombie networks are used to send phishing emails.

"We don't know who's sending these phishing emails or buying access to these compromised machines. But we can say that a group emails together and say that the same type of spam and phishing attack is coming from a group of machines," Alperovitch told El Reg. "A different 1,000 IP addresses every day are used but the size of swarms and their numbers remain consistent. Conservatively we'd put this number at less than five, we can't be more precise than that." Alperovitch said CipherTrust is talking to federal law enforcement agencies about its findings.

CipherTrust gathered its data by recording the senders' Internet Protocol (IP) addresses in confirmed phishing attacks and then relating those addresses to CipherTrust's TrustedSource reputation system. TrustedSource is designed to "provide precise information about sender behaviour across hundreds of thousands of IP addresses for the purpose of tracking message legitimacy and using that information to determine the intent of email senders".
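The method described above, as an added example that is not CipherTrust's or TrustedSource's code: take the connecting client's IP from the Received: line stamped by our own MTA (every hop below it was written by the sender and is forgeable), build a per-IP behaviour map from a constructed edge-MTA log, then compute the figures the article reports on: the share of phishing senders also seen spamming, the swarm size per campaign per day, and how many IPs are reused from one day to the next. The log format, the MTA hostname, the IPs (documentation ranges) and the campaign labels are all assumptions.

```python
"""Added example, not CipherTrust's code: the shape of the analysis the article
describes, run over a constructed edge-MTA log. Log format, hostnames, IPs
(documentation ranges) and campaign labels are all assumptions."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Only the Received: line stamped by OUR OWN MTA is trustworthy; any hop
# below it was written by the sender and can be forged to blame someone else.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
    r".*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE,
)


def edge_sender_ip(raw_headers, our_mta):
    """Return the client IP our MTA recorded, or None if no such hop exists."""
    for line in raw_headers.splitlines():
        m = RECEIVED_RE.match(line)
        if m and m.group("by").lower() == our_mta.lower():
            return str(ip_address(m.group("ip")))  # raises on malformed octets
    return None


# Constructed headers: the top hop is ours, the one below it is sender-forged.
SAMPLE_HEADERS = (
    "Received: from mx.example.org ([203.0.113.7]) by ironmail.example.net"
    " with ESMTP id 1A2B3C; Mon, 11 Oct 2004 09:12:33 +0000\n"
    "Received: from citibank.com (citibank.com [10.1.2.3]) by mx.example.org;"
    " Mon, 11 Oct 2004 09:12:20 +0000\n"
)

# Constructed edge log: (day, client_ip, verdict, campaign). verdict is the
# content filter's call; campaign is the phishing template matched
# (brand plus landing-URL pattern), None for non-phishing mail.
MESSAGE_LOG = [
    # day 1: a Citibank swarm of 3 hosts and a Lloyds TSB swarm of 2
    ("2004-10-11", "198.51.100.11", "phish", "citibank"),
    ("2004-10-11", "198.51.100.12", "phish", "citibank"),
    ("2004-10-11", "198.51.100.13", "phish", "citibank"),
    ("2004-10-11", "198.51.100.21", "phish", "lloyds-tsb"),
    ("2004-10-11", "198.51.100.22", "phish", "lloyds-tsb"),
    # day 2: same swarm sizes, entirely different hosts
    ("2004-10-12", "203.0.113.31", "phish", "citibank"),
    ("2004-10-12", "203.0.113.32", "phish", "citibank"),
    ("2004-10-12", "203.0.113.33", "phish", "citibank"),
    ("2004-10-12", "203.0.113.41", "phish", "lloyds-tsb"),
    ("2004-10-12", "203.0.113.42", "phish", "lloyds-tsb"),
    # spam from 7 of the 10 phishing hosts, plus one spam-only host and ham
    ("2004-10-11", "198.51.100.11", "spam", None),
    ("2004-10-11", "198.51.100.12", "spam", None),
    ("2004-10-11", "198.51.100.13", "spam", None),
    ("2004-10-11", "198.51.100.21", "spam", None),
    ("2004-10-12", "203.0.113.31", "spam", None),
    ("2004-10-12", "203.0.113.32", "spam", None),
    ("2004-10-12", "203.0.113.41", "spam", None),
    ("2004-10-12", "192.0.2.99", "spam", None),
    ("2004-10-12", "192.0.2.5", "ham", None),
]


def build_reputation(log):
    """TrustedSource-style view: every behaviour each client IP has shown."""
    rep = defaultdict(set)
    for _day, ip, verdict, _campaign in log:
        rep[ip].add(verdict)
    return rep


def phish_spam_overlap(rep):
    """Fraction of phishing senders also seen spamming (the article's 7 in 10)."""
    phishers = [ip for ip, seen in rep.items() if "phish" in seen]
    return sum("spam" in rep[ip] for ip in phishers) / len(phishers) if phishers else 0.0


def daily_swarms(log):
    """day -> campaign -> distinct phishing sender IPs."""
    days = defaultdict(lambda: defaultdict(set))
    for day, ip, verdict, campaign in log:
        if verdict == "phish":
            days[day][campaign].add(ip)
    return days


def swarm_profile(log):
    """Sorted swarm sizes per day. Stable sizes over churning IPs is the
    signature the article reads as a small, fixed number of botnets."""
    return {day: sorted(len(ips) for ips in camps.values())
            for day, camps in daily_swarms(log).items()}


def ip_churn(log, day_a, day_b):
    """Jaccard similarity of phishing sender IPs on two days; 0.0 = no reuse."""
    days = daily_swarms(log)
    a = set().union(*days[day_a].values())
    b = set().union(*days[day_b].values())
    return len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    rep = build_reputation(MESSAGE_LOG)
    print("edge sender IP:", edge_sender_ip(SAMPLE_HEADERS, "ironmail.example.net"))
    print("phishers also spamming:", phish_spam_overlap(rep))
    print("swarm sizes per day:", swarm_profile(MESSAGE_LOG))
    print("day-to-day IP reuse:", ip_churn(MESSAGE_LOG, "2004-10-11", "2004-10-12"))
```

On real volumes the grouping is the same: cluster phishing messages by template, count distinct client IPs per cluster per day, and watch whether those counts hold while the IPs themselves change. The number of concurrent clusters is only a lower bound on the number of botnets, since one operator can run several templates through one swarm.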

Simon Dawson, head of corporate investigations at the Risk Advisory Group, which helped the UK banking industry launch an anti-phishing website last month, said it was hard to know the number of zombie networks out there - let alone who is controlling them. "This kind of information only tends to come out through criminal prosecutions," he said.

Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) surrender control of infected PCs to malware authors, who sell access to the networks of compromised, zombie machines (or botnets) to other lowlifes. By sending through compromised machines - instead of open mail relays or unscrupulous hosts - spammers bypass traditional IP address blacklists, because each day's mail comes from a fresh set of addresses that have no bad history yet. The fraudsters behind phishing attacks employ the same trick.

Around one in three (32 per cent) of the zombies linked to phishing by CipherTrust are based in the US. The second largest number of compromised PCs, 16 per cent, were located in South Korea. The remaining 52 per cent of phishing zombies were spread across 98 countries.

CipherTrust's phishing analysis discovered that 46 per cent of the phishing attacks used the Citibank brand to entice victims to share financial and personal information. The remaining 54 per cent of attacks were split among twelve other well-known brands across the financial and online retail industries. CipherTrust also found some evidence that the conmen behind phishing scams are targeting their attacks, at least geographically. Lloyds TSB phishing emails were sent almost exclusively to email users located in Europe, where the company is based, CipherTrust reports. ®
