Rock Phish: Difference between revisions

Content deleted Content added

Inline

Revision as of 18:56, 1 October 2019

Rock Phish refers to both a phishing toolkit/technique and the group behind it.^[1]^[2]

Rock Phish gang and techniques

At one time the Rock Phish group was stated to be behind "one-half of the phishing attacks being carried out.^[2] VeriSign reports them as a group of Romanian origin,^[1] but others have claimed that the group is Russian.^[3] They were first identified in 2004.^[4]

Their techniques were sophisticated and distinctive, as outlined in a presentation at APWG eCrime '07.^[5]

History

In 2004 the first rock phishing attacks contained the folder path “/rock”, which led to the name of the attack, and group.^[6]

Attackers employed wild card DNS (domain name server) entries to create addresses that included the target’s actual address as a sub-domain. For example, in the case of a site appearing as www.thebank.com.1.cn/thebank.html, ”thebank.com” portion of the domain name is the “wild card”, meaning its presence is purely superficial – it is not required in order for the phishing page to be displayed. “1.cn” is the registered domain name, “/thebank.html” is the phishing page, and the combination of “1.cn/thebank” will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path.^[7]

References

^ ^a ^b Compliance and Privacy (2006-12-15). "What is Rock Phish? And why is it important to know?". Compliance and Privacy. Retrieved 2006-12-15. Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region. This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam (Ken Dunham, VeriSign) {{cite web}}: |author= has generic name (help); Cite has empty unknown parameters: |month= and |coauthors= (help)
^ ^a ^b Robert McMillan (2006-12-12). "'Rock Phish' blamed for surge in phishing". InfoWorld. p. 2. Archived from the original on 2007-01-08. Retrieved 2006-12-13. The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.
^ Dignan, Larry. "RSA finds new malware enhanced phishing technique". ZDNet. Retrieved 8 September 2018.
^ Howard, Rick (2009-04-23). Cyber Fraud: Tactics, Techniques and Procedures. CRC Press. ISBN 9781420091281.
^ Tyler Moore and Richard Clayton. "Examining the Impact of Website Take-down on Phishing" (PDF). APWG eCrime Researcher's Summit, ACM Press, pp. 1-13. Retrieved October 28, 2007.
^ "Phishing Prevention – Best Practices for Protecting Small or Medium Size Business". PhishProtection.com. 2019-01-28. Retrieved 2019-10-01.{{cite web}}: CS1 maint: url-status (link)
^ Goodin, Dan. "FBI logs its millionth zombie address". The Register. Retrieved 8 September 2018.

[compliance-1] Compliance and Privacy (2006-12-15). "What is Rock Phish? And why is it important to know?". Compliance and Privacy. Retrieved 2006-12-15. Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region. This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam (Ken Dunham, VeriSign) {{cite web}}: |author= has generic name (help); Cite has empty unknown parameters: |month= and |coauthors= (help)

[infoworld-2] Robert McMillan (2006-12-12). "'Rock Phish' blamed for surge in phishing". InfoWorld. p. 2. Archived from the original on 2007-01-08. Retrieved 2006-12-13. The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.

[3] Dignan, Larry. "RSA finds new malware enhanced phishing technique". ZDNet. Retrieved 8 September 2018.

[4] Howard, Rick (2009-04-23). Cyber Fraud: Tactics, Techniques and Procedures. CRC Press. ISBN 9781420091281.

[5] Tyler Moore and Richard Clayton. "Examining the Impact of Website Take-down on Phishing" (PDF). APWG eCrime Researcher's Summit, ACM Press, pp. 1-13. Retrieved October 28, 2007.

[6] "Phishing Prevention – Best Practices for Protecting Small or Medium Size Business". PhishProtection.com. 2019-01-28. Retrieved 2019-10-01.{{cite web}}: CS1 maint: url-status (link)

[7] Goodin, Dan. "FBI logs its millionth zombie address". The Register. Retrieved 8 September 2018.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

@@ Line 3: / Line 3: @@
 ==Rock Phish gang and techniques==
-At one time the Rock Phish group was stated to be behind "one-half of the phishing attacks being carried out.<ref name="infoworld"/> [[VeriSign]] reports them as a group of Romanian origin,<ref name="compliance"/> but others have claimed that the group is Russian.<ref>{{cite web |last1=Dignan |first1=Larry |title=RSA finds new malware enhanced phishing technique |url=https://www.zdnet.com/article/rsa-finds-new-malware-enhanced-phishing-technique/ |publisher=ZDNet |accessdate=8 September 2018}}</ref> They were first identified in 2004.<ref name="pcworld">{{cite web|url=http://www.pcworld.com/article/144876/article.html|title='Rock Phish Gang' Adds Second Punch to Phishing Attacks. |accessdate=2012-11-03 |author=Jeremy Kirk |authorlink= |coauthors= |date=2008-04-21 |year= |month= |work= |publisher=IDG News Service |pages=1 |language= |quote=The Rock Phish gang surfaced around 2004, becoming well-known for its expertise in setting up phishing sites... }}</ref>
+At one time the Rock Phish group was stated to be behind "one-half of the phishing attacks being carried out.<ref name="infoworld"/> [[VeriSign]] reports them as a group of Romanian origin,<ref name="compliance"/> but others have claimed that the group is Russian.<ref>{{cite web |last1=Dignan |first1=Larry |title=RSA finds new malware enhanced phishing technique |url=https://www.zdnet.com/article/rsa-finds-new-malware-enhanced-phishing-technique/ |publisher=ZDNet |accessdate=8 September 2018}}</ref> They were first identified in 2004.<ref>{{Cite book|url=https://books.google.com/books?id=BZLLBQAAQBAJ&pg=PA264&dq=Rock+Phish+gang&hl=en&sa=X&ved=0ahUKEwifm6mX3vvkAhWOA3IKHfI1C1AQ6AEILTAB#v=onepage&q=Rock%20Phish%20gang&f=false|title=Cyber Fraud: Tactics, Techniques and Procedures|last=Howard|first=Rick|date=2009-04-23|publisher=CRC Press|isbn=9781420091281|language=en}}</ref>
 Their techniques were sophisticated and distinctive, as outlined in a presentation at APWG eCrime '07.<ref>{{cite web
@@ Line 14: / Line 14: @@
 == History ==
-In 2004 the first rock phishing attacks contained the folder path “/rock”, which led to the name of the attack, and group.
+In 2004 the first rock phishing attacks contained the folder path “/rock”, which led to the name of the attack, and group.<ref>{{Cite web|url=https://www.phishprotection.com/resources/phishing-prevention-best-practices/|title=Phishing Prevention – Best Practices for Protecting Small or Medium Size Business|last=|first=|date=2019-01-28|website=PhishProtection.com|language=en-US|url-status=live|archive-url=|archive-date=|access-date=2019-10-01}}</ref>
-Attackers employed wild card DNS (domain name server) entries to create addresses that included the target’s actual address as a sub-domain. For example, in the case of a site appearing as <nowiki>www.thebank.com.1.cn/thebank.html</nowiki>, ”<nowiki>thebank.com</nowiki>” portion of the domain name is the “wild card”, meaning its presence is purely superficial – it is not required in order for the phishing page to be displayed. “<nowiki>1.cn</nowiki>” is the registered domain name, “/thebank.html” is the phishing page, and the combination of “<nowiki>1.cn/thebank</nowiki>” will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path.<ref>{{cite web |last1=Goodin |first1=Dan |title=FBI logs its millionth zombie address |url=https://www.theregister.co.uk/2007/06/13/millionth_botnet_address/ |publisher=The Register |accessdate=8 September 2018}}</ref><ref>{{cite web |last1=Nambiar |first1=Sai Narayan |title=Getting Acquainted With Rock Phishing |url=https://www.symantec.com/connect/blogs/getting-acquainted-rock-phishing-0 |publisher=SYmantec |accessdate=8 September 2018}}</ref><ref>BCS March 2008 http://www.bcs.org/server.php?show=ConWebDoc.17968</ref>
+Attackers employed wild card DNS (domain name server) entries to create addresses that included the target’s actual address as a sub-domain. For example, in the case of a site appearing as <nowiki>www.thebank.com.1.cn/thebank.html</nowiki>, ”<nowiki>thebank.com</nowiki>” portion of the domain name is the “wild card”, meaning its presence is purely superficial – it is not required in order for the phishing page to be displayed. “<nowiki>1.cn</nowiki>” is the registered domain name, “/thebank.html” is the phishing page, and the combination of “<nowiki>1.cn/thebank</nowiki>” will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path.<ref>{{cite web |last1=Goodin |first1=Dan |title=FBI logs its millionth zombie address |url=https://www.theregister.co.uk/2007/06/13/millionth_botnet_address/ |publisher=The Register |accessdate=8 September 2018}}</ref>
 ==References==

v t e Scams and confidence tricks
Terminology	Scam Error account Shill Shyster Sucker list
Notable scams and confidence tricks	1992 Indian stock market scam 2G spectrum case Advance-fee scam Art student scam Badger game Bait-and-switch Black money scam Blessing scam Bogus escrow Boiler room Bride scam Charity fraud Clip joint Coin-matching game Coin rolling scams Drop swindle Embarrassing cheque Exit scam Extraterrestrial real estate Fiddle game Fine print Foreclosure rescue scheme Foreign exchange fraud Fortune telling fraud Gem scam Get-rich-quick scheme Green goods scam Hustling Indian coal allocation scam IRS impersonation scam Intellectual property scams Kansas City Shuffle Locksmith scam Long firm Miracle cars scam Mismarking Mock auction Moving scam Overpayment scam Patent safe Pig in a poke Pigeon drop Pork barrel Pump and dump Redemption/A4V schemes Reloading scam Return fraud Salting Shell game Sick baby hoax SIM swap scam Slavery reparations scam Spanish Prisoner SSA impersonation scam SSC Scam Strip search phone call scam Swampland in Florida Tarmac scam Technical support scam Telemarketing fraud Thai tailor scam Thai zig zag scam Three-card monte Trojan horse Wash trading White van speaker scam Work-at-home scheme
Internet scams and countermeasures	Avalanche Pig Butchering Carding Catfishing Click fraud Clickjacking Cramming Cryptocurrency scams Cybercrime CyberThrill DarkMarket Domain name scams Email authentication Email fraud Internet vigilantism Lenny anti-scam bot Lottery scam PayPai Phishing Referer spoofing Ripoff Report Rock Phish Romance scam Russian Business Network SaferNet Scam baiting 419eater.com Jim Browning Kitboga Scammer Payback ShadowCrew Spoofed URL Spoofing attack Stock Generation Voice phishing Website reputation ratings
Pyramid and Ponzi schemes	Aman Futures Group Bernard Cornfeld Caritas Dona Branca Earl Jones Ezubao Foundation for New Era Philanthropy Franchise fraud High-yield investment program (HYIP) Investors Overseas Service Kapa investment scam Kubus scheme Madoff investment scandal Make Money Fast Matrix scheme MMM Petters Group Worldwide Pyramid schemes in Albania Reed Slatkin Saradha Group financial scandal Secret Sister Scott W. Rothstein Stanford Financial Group Welsh Thrasher faith scam
Lists	Con artists Confidence tricks Criminal enterprises, gangs and syndicates Impostors In the media Film and television Literature Ponzi schemes