Bot Networks Behind Big Boost In Phishing Attacks

A massive spike in the number of phishing sites in October led the group's analysts to conclude that criminals are getting more sophisticated in their attack techniques and technologies. From September to October, phishing sites increased more than 100 percent.

"Some automation had to be involved, with a bot network to either send more e-mails and/or host more sites," said Dan Hubbard, the senior director of security at Websense, one of the two investigators who analyzed the phishing data for the group.

"In October, not only did the amount of reported phishing e-mails increase, but the number of phishing sites that were unique dramatically spiked," said Hubbard. "Once we started investigating the characteristics of those sites, a lot of the same traits kept repeating."

The shared characteristics of those phishing sites -- which host phony pages that look remarkably like real credit card, bank, online retailer, or e-payment sites -- ranged from using a little-known Web server to being hosted on broadband-connected systems to running at IP addresses outside the U.S.

More than half of the phishing sites, for instance, are hosted on what appear to be broadband-connected PCs, and the common Web server -- SHS -- is a favorite of phishers, since its small footprint makes it easy to plant on a hacked PC.

"Our suspicion that it's a bot network [behind the increase] is really based on these shared characteristics," admitted Hubbard.

A bot network is a collection of already-hacked machines, often compromised weeks or months earlier by attackers using worms or viruses to plant backdoor components. Those backdoors let the attackers access the machines anytime they want, for any purpose. Spammers, hackers, and other cyber-criminals are thought to be acquiring or renting bot networks to do their dirty work, making it harder for authorities to track down the real culprits.

Scammers probably have other tools at their disposal besides the bot networks, the APWG said. "It appears as though some sort of toolkit is available [to phishers] and/or a set of tools that are being used to produce similar exploits," said Hubbard. Unfortunately, no one has yet "captured" a copy of this toolkit.

"There's no question that we're starting to see more and more sophisticated phishing attacks," said Hubbard. Phishers are running multiple phony sites from one hacked PC, he said, and beginning to blend spyware and phishing tactics to run application-level attacks which plant a keylogger on a machine and then silently watch for passwords or account numbers for specific targets, like an online banking session.

"Multiple brands are being spoofed from the same machine over a few days," he said. "A site will be an eBay spoof one day, PayPal the next, then Citibank. They're getting smarter. Why not host multiple targets on one machine?"

"The problem's getting worse," Hubbard admitted. "Not only are the number of phishing sites up and attacks getting more aggressive, but even small targets are being scammed." In the last several days, for instance, Websense sent out alerts that several small banks were being hit with phishing scams. On Tuesday, it discovered the first attack written in Swedish, one that targeted users of the Eurocard.

Nor will they cease anytime soon.

"Just put two and two together," urged Hubbard. "If [scammers] weren't successful we wouldn't see a rise in the sophistication and the number of attacks."
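
The shared-trait analysis Hubbard describes can be sketched in code. This is an added example, not code from the article, Websense or the APWG: it groups reported phishing sites by hosting IP to flag machines that spoof several brands within a few days, and measures what share of hosts present the same Web server banner. The report records, the field layout, the function names and the literal banner string "SHS" are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample reports, not real data: (day offset, hosting IP,
# HTTP Server banner, spoofed brand). IPs are RFC 5737 documentation
# addresses; the banner value "SHS" is an assumed string.
REPORTS = [
    (0, "192.0.2.10", "SHS", "eBay"),
    (1, "192.0.2.10", "SHS", "PayPal"),
    (2, "192.0.2.10", "SHS", "Citibank"),
    (0, "198.51.100.7", "SHS", "PayPal"),
    (9, "198.51.100.7", "SHS", "eBay"),
    (3, "203.0.113.5", "Apache", "eBay"),
    (4, "203.0.113.5", "Apache", "eBay"),
    (5, "203.0.113.77", "SHS", "Citibank"),
]


def multi_brand_hosts(reports, window_days=3, min_brands=2):
    """Return {ip: brands} for hosts that spoofed at least min_brands
    distinct brands within any window of window_days days."""
    by_ip = defaultdict(list)
    for day, ip, _banner, brand in reports:
        by_ip[ip].append((day, brand))
    flagged = {}
    for ip, sightings in by_ip.items():
        sightings.sort()
        best = set()
        # Slide a window that starts at each sighting and keep the widest brand set.
        for start_day, _ in sightings:
            in_window = {b for d, b in sightings
                         if start_day <= d < start_day + window_days}
            if len(in_window) > len(best):
                best = in_window
        if len(best) >= min_brands:
            flagged[ip] = sorted(best)
    return flagged


def banner_share(reports):
    """Fraction of distinct hosting IPs that present each Server banner."""
    hosts = defaultdict(set)
    for _day, ip, banner, _brand in reports:
        hosts[banner].add(ip)
    total = len({ip for _day, ip, _banner, _brand in reports})
    return {banner: len(ips) / total for banner, ips in hosts.items()}


if __name__ == "__main__":
    print(multi_brand_hosts(REPORTS))
    print(banner_share(REPORTS))
```

A host that rotates brands slowly escapes a short window, so the window length is a tuning choice: the second SHS host above is flagged only when the window is widened to ten days.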