Fraudsters are using a new technique to keep their spoofed Web sites up and running even as authorities pull the plug, a security expert said this week.
According to RSA Security's Naftali Bennett, the senior vice president of its Cyota anti-fraud division, some phishers have started using a tactic called "smart site redirection" to stay a step ahead of the law.
"The goal of the phisher is to keep his spoofed site alive as long as possible," said Bennett. The longer the site remains active, the more victims a phisher can dupe into divulging confidential information such as bank or credit account usernames, passwords, and PINs.
In a smart site redirection, the attacker creates several identical copies of the spoofed site, each with a different URL, often hosted by different ISPs. When the phishing e-mails go out, all include a link to yet another site, a "central redirector." When the potential victim clicks on the e-mailed link, the redirector checks all the phishing sites, identifies which are still live, and invisibly redirects the user to one.
Clever, said Bennett, but just the latest in what he called a "battle of brains" between phishers and security firms.
"This is a new evolution in their tactics to lengthen the duration of the attack," he said.
Phishers first hosted their spoofed site at only one location, but defenders got wise and would track down the site's Internet service provider and convince it to shut down the illegal URL. "The average duration for a phishing site is still 5 or 6 days," said Bennett, although vendors like Cyota, which monitors developing phishing attacks to warn its clients, can trim that to four hours or so.
Next, phishers took to sending out their link-infested spam in several waves, each wave with a pointer to a different spoofed site. Again, said Bennett, their goal was to stretch out the attack time to maximize returns. "They'd send out, say, 20 million e-mails, but divided into five batches several days apart, each sent to a different site so that there would always be at least one site up and running."
Now, he said, they've turned to the central redirector technique. "They'll still send out their 20 million messages, but they do it all at once, all with the link to the central redirection site. They get the maximum coverage in the shortest period," he added, which means that security firms and victimized brands don't get an early warning by an initial wave of messages.
So far, Cyota has spotted two instances of the tactic, one by an attack out of the U.K., the other from Canada.
"As anti-phishing vendors become more adept at shutting down phishing websites, inevitably the fraudsters are looking at ways to minimize the effect this has on their hit rates," said Bennett.
To combat the technique, Cyota relies on a several-step process, which starts when a phishing attack first hits its radar. The company, said Bennett, processes millions of e-mails daily looking for phishing evidence. When it sees an attack, it first uploads the spoofed site(s) to ISP partners, which include AOL and EarthLink, so that they can engage blocks that restrict members' access to the site(s).
Next, they begin urging the site's host to bring down the spoof. "After two years doing this, we have a fairly robust relationship with most ISPs worldwide," Bennett said, "but there are still times when we have to explain who we are and what we do."
The third step, said Bennett, is that until the spoofed site goes offline, Cyota floods it with spurious information. "It's not a denial-of-service attack. We never do that," Bennett said. "But we bombard the site with phony data that looks real, like names and address and account numbers and passwords. The idea is to dilute the quality of the data gathered by the attack."
Finally, Cyota captures as much information about the site, as well as the e-mail campaign that started the phishing attack, and hands it all over to the client for its own use, or for it to turn over to law enforcement.
"In a sense this is reactive," Bennett admitted, "but we've set up a strategic team that's looking not only at attacks against existing customers, but also surfs forums and underground sites where phishers gather to try and identify what's in store for tomorrow."