Botnets trawl for phishing victims

Phishing fleets tightly controlled - CipherTrust

A small number of zombie networks are responsible for all Internet phishing attacks worldwide, according to CipherTrust, the messaging security appliance firm.

An analysis of messages sent to users of CipherTrust's IronMail security appliance found that less than one per cent of email messages during the first two weeks of October were phishing attacks. Dmitri Alperovitch, the research engineer at CipherTrust who carried out the analysis, reckons the phishing expeditions it spotted were launched from no more than five different networks of compromised zombie PCs, each approximately 1,000 strong.

The number of compromised machines linked to phishing expeditions is dwarfed by those engaged in spamming, which run into the tens of thousands a day. Seven in 10 of the compromised machines CipherTrust spotted distributing phishing emails were also used to send spam. CipherTrust was able to discern clear patterns in the barrage of spam and fraudulent emails spewed out from cracker-controlled machines, which led it to conclude that a limited number of zombie networks are used to send phishing emails.

"We don't know who's sending these phishing emails or buying access to these compromised machines. But we can say that a group emails together and say that the same type of spam and phishing attack is coming from a group of machines," Alperovitch told El Reg. "A different 1,000 IP addresses every day are used but the size of swarms and their numbers remain consistent. Conservatively we'd put this number at less than five, we can't be more precise than that." Alperovitch said CipherTrust is talking to federal law enforcement agencies about its findings.

CipherTrust gathered its data by detecting the senders' Internet Protocol (IP) addresses on confirmed phishing attacks and then relating those addresses to CipherTrust's TrustedSource reputation system. CipherTrust's TrustedSource is designed to "provide precise information about sender behaviour across hundreds of thousands of IP addresses for the purpose of tracking message legitimacy and using that information to determine the intent of email senders".
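As an added illustration (not CipherTrust's code or data), the Python below sketches the kind of sender-IP analysis the article describes: group confirmed phishing senders by campaign and day, check whether each campaign's daily count of distinct IPs stays constant while the addresses themselves rotate, and measure how many phishing senders also emit spam. The message records are constructed, and the campaign labels stand in for whatever fingerprint a mail gateway uses to tie messages to one template.

```python
from collections import defaultdict

# Constructed sample records: (day, sender_ip, kind, campaign).
# kind is "phish" or "spam"; campaign is the template/brand the message imitates.
SAMPLE = [
    ("2004-10-01", "203.0.113.10", "phish", "citibank"),
    ("2004-10-01", "203.0.113.11", "phish", "citibank"),
    ("2004-10-01", "203.0.113.11", "spam",  "pills"),
    ("2004-10-01", "198.51.100.5", "phish", "lloydstsb"),
    ("2004-10-02", "203.0.113.20", "phish", "citibank"),
    ("2004-10-02", "203.0.113.21", "phish", "citibank"),
    ("2004-10-02", "203.0.113.21", "spam",  "pills"),
    ("2004-10-02", "198.51.100.9", "phish", "lloydstsb"),
    ("2004-10-02", "198.51.100.9", "spam",  "pills"),
]


def swarms_by_day(records):
    """Map day -> campaign -> set of phishing sender IPs seen on that day."""
    out = defaultdict(lambda: defaultdict(set))
    for day, ip, kind, campaign in records:
        if kind == "phish":
            out[day][campaign].add(ip)
    return out


def stable_swarms(records):
    """Per campaign: daily swarm size, whether that size is the same every day,
    and whether the IP set is fresh each day (the rotating-zombie signature)."""
    by_day = swarms_by_day(records)
    days = sorted(by_day)
    campaigns = {c for per_day in by_day.values() for c in per_day}
    result = {}
    for c in campaigns:
        sets = [by_day[d].get(c, set()) for d in days]
        counts = [len(s) for s in sets]
        rotating = all(sets[i].isdisjoint(sets[j])
                       for i in range(len(sets)) for j in range(i + 1, len(sets)))
        result[c] = {"size": counts[0],
                     "consistent": len(set(counts)) == 1,
                     "rotating_ips": rotating}
    return result


def phish_senders_also_spamming(records):
    """Fraction of phishing sender IPs that were also seen sending spam."""
    phish = {ip for _, ip, kind, _ in records if kind == "phish"}
    spam = {ip for _, ip, kind, _ in records if kind == "spam"}
    return len(phish & spam) / len(phish) if phish else 0.0
```

On real gateway data the number of campaigns whose size holds steady while their IPs rotate gives the kind of swarm count the article quotes; a campaign whose size fluctuates or whose IPs repeat is more likely a fixed relay than a rented botnet.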

Simon Dawson, head of corporate investigations at the Risk Advisory Group, which helped the UK banking industry launch an anti-phishing website last month, said it was hard to know the number of zombie networks out there, much less who is controlling them. "This kind of information only tends to come out through criminal prosecutions," he said.

Botnets

Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) surrender control of infected PCs to malware authors, who sell access to the networks of compromised, zombie machines (or botnets) to other lowlifes. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass traditional IP address blacklists. The fraudsters behind phishing attacks employ the same trick.

Around one in three (32 per cent) of the zombies linked to phishing by CipherTrust are based in the US. The second largest number of compromised PCs, 16 per cent, were located in South Korea. The remaining 52 per cent of phishing zombies were spread across 98 countries.

CipherTrust's phishing analysis discovered that 46 per cent of the phishing attacks used the Citibank brand to entice victims to share financial and personal information. The remaining 54 per cent of attacks were split among twelve other well-known brands across the financial and online retail industries. CipherTrust also found some evidence that the conmen behind phishing scams are targeting their attacks, at least geographically. Lloyds TSB phishing emails were sent almost exclusively to email users located in Europe, where the company is based, CipherTrust reports. ®
