Botnets trawl for phishing victims

Phishing fleets tightly controlled - CipherTrust

A small number of zombie networks are responsible for all Internet phishing attacks worldwide, according to CipherTrust, the messaging security appliance firm.

An analysis of messages sent to users of CipherTrust's IronMail security appliance found that less than one per cent of email messages during the first two weeks of October were phishing attacks. Dmitri Alperovitch, the research engineer at CipherTrust who carried out the analysis, reckons the phishing expeditions it spotted were launched from no more than five different networks of compromised zombie PCs, each approximately 1,000 strong.

The number of compromised machines linked to phishing expeditions is dwarfed by those engaged in spamming, which run into the tens of thousands a day. Seven in 10 of the compromised machines CipherTrust spotted distributing phishing emails were also used to send spam. CipherTrust was able to discern clear patterns in the barrage of spam and fraudulent emails spewed out from cracker-controlled machines, which led it to conclude that a limited number of zombie networks are used to send phishing emails.

"We don't know who's sending these phishing emails or buying access to these compromised machines. But we can say that a group emails together and say that the same type of spam and phishing attack is coming from a group of machines," Alperovitch told El Reg. "A different 1,000 IP addresses every day are used but the size of swarms and their numbers remain consistent. Conservatively we'd put this number at less than five; we can't be more precise than that." Alperovitch said CipherTrust is talking to federal law enforcement agencies about its findings.

CipherTrust gathered its data by detecting the senders' Internet Protocol (IP) addresses on confirmed phishing attacks and then relating those addresses to CipherTrust's TrustedSource reputation system. CipherTrust's TrustedSource is designed to "provide precise information about sender behaviour across hundreds of thousands of IP addresses for the purpose of tracking message legitimacy and using that information to determine the intent of email senders".

Simon Dawson, head of corporate investigations at the Risk Advisory Group, which helped the UK banking industry launch an anti-phishing website last month, said it was hard to know the number of zombie networks out there, much less who is controlling them. "This kind of information only tends to come out through criminal prosecutions," he said.

botnets

Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) surrender control of infected PCs to malware authors, who sell access to the networks of compromised zombie machines (or botnets) to other lowlifes. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass traditional IP address blacklists. The fraudsters behind phishing attacks employ the same trick.

Around one in three (32 per cent) of the zombies linked to phishing by CipherTrust are based in the US. The second largest number of compromised PCs, 16 per cent, were located in South Korea. The remaining 52 per cent of phishing zombies were spread across 98 countries.

CipherTrust's phishing analysis discovered that 46 per cent of the phishing attacks used the Citibank brand to entice victims to share financial and personal information. The remaining 54 per cent of attacks were split among twelve other well-known brands across the financial and online retail industries. CipherTrust also found some evidence that the conmen behind phishing scams are targeting their attacks, at least geographically. Lloyds TSB phishing emails were sent almost exclusively to email users located in Europe, where the company is based, CipherTrust reports. ®
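The method the article describes (take the sender IPs of confirmed phishing messages, look each up in a sender-reputation store, then summarise spam overlap, country share, brand and daily swarm size) can be reproduced on a small scale. The following is an added illustration, not CipherTrust code; the reputation dictionary is a constructed stand-in for a system like TrustedSource, and all reports and IPs are constructed sample data.

```python
"""Correlate confirmed phishing sender IPs with sender-reputation data.
Added example, not CipherTrust's own code. All data is constructed and
the REPUTATION dict merely stands in for a reputation service lookup."""
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed phishing reports: (sender IP, day observed, brand impersonated).
PHISHING_REPORTS = [
    ("198.51.100.10", "2004-10-01", "Citibank"),
    ("198.51.100.11", "2004-10-01", "Citibank"),
    ("203.0.113.5",   "2004-10-01", "Lloyds TSB"),
    ("198.51.100.12", "2004-10-02", "Citibank"),
    ("203.0.113.6",   "2004-10-02", "eBay"),
    ("192.0.2.7",     "2004-10-02", "Citibank"),
]

# Constructed reputation records: IP -> (country code, previously seen spamming?).
REPUTATION = {
    "198.51.100.10": ("US", True),
    "198.51.100.11": ("US", True),
    "198.51.100.12": ("US", False),
    "203.0.113.5":   ("GB", True),
    "203.0.113.6":   ("KR", True),
    "192.0.2.7":     ("KR", False),
}


def analyse(reports, reputation):
    """Join phishing senders to reputation data and summarise the result."""
    ips = {ip_address(ip) for ip, _, _ in reports}          # validates each address
    seen = [reputation[str(ip)] for ip in ips if str(ip) in reputation]
    spam_overlap = sum(1 for _, spam in seen if spam) / len(seen)
    by_country = Counter(country for country, _ in seen)
    brands = Counter(brand for _, _, brand in reports)
    swarm_per_day = defaultdict(set)                         # distinct senders per day
    for ip, day, _ in reports:
        swarm_per_day[day].add(ip)
    return {
        "spam_overlap": round(spam_overlap, 2),
        "country_share": {c: round(n / len(seen), 2) for c, n in by_country.items()},
        "top_brand": brands.most_common(1)[0],
        "daily_swarm_sizes": {d: len(s) for d, s in sorted(swarm_per_day.items())},
    }


if __name__ == "__main__":
    print(analyse(PHISHING_REPORTS, REPUTATION))
```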
