One gang corners the market in phish

Tyler Moore and Richard Clayton, of the university’s Computer Laboratory, researched phishing by measuring how fast phishing web-sites were taken down: they logged reports from the phish-reporting web-site PhishTank and then checked to see when the reported sites changed.

In a paper published on 11 May, Moore and Clayton found repeated evidence of one gang’s activities, known as “rock-phish” after the “/rock” directory it initially used for its web-sites. According to the researchers’ calculations, the gang may be capable of stealing around US$178m a year.

The gang used web addresses that started with apparently genuine bank URLs, but these prefixes were irrelevant to where the address actually led, because they were followed by other components: a randomised section designed to confuse black-listing web-sites such as PhishTank, and finally the canonical, or real, URL.

In eight weeks from February to April, the Cambridge researchers found 18 680 reports from PhishTank which they believe refer to the rock-phish gang, 52.6% of the reports made to the site. However, those 18 680 reports resolved to just 419 canonical web addresses, each of which targeted multiple banks in parallel, rather than the single bank that most phishing sites attack.
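The reduction from 18 680 reports to 419 canonical addresses is a deduplication step: strip the bank-looking prefix and the randomised label, keep only the domain the gang actually controls, and group reports by that. The following is an added example, not the researchers' code; it assumes a hostname layout of bank-looking labels, then one random label, then the registered domain, and it takes the registered domain to be the last two DNS labels (a production tool would use the Public Suffix List). The sample URLs are constructed and use reserved `.test` names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of reported phishing URLs (not real PhishTank reports).
# Assumed rock-phish hostname layout: <bank-looking labels>.<random label>.<registered domain>
SAMPLE_REPORTS = [
    "http://www.examplebank.com.k3x9q2.rock-canonical.test/login/",
    "http://online.examplebank.com.p8mz41.rock-canonical.test/login/",
    "http://secure.otherbank.co.uk.d7wq05.rock-canonical.test/verify/",
    "http://www.thirdbank.com.a1b2c3.second-canonical.test/update/",
    "http://www.thirdbank.com.zz99yy.second-canonical.test/update/",
    "http://lone-phisher.test/examplebank/index.php",  # ordinary single-bank phish
]


def registrable_domain(hostname: str) -> str:
    """Return the domain the attacker registered.

    Simplification (assumption): the last two DNS labels. Real tooling should
    consult the Public Suffix List so that e.g. 'co.uk' is not mistaken for a domain.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def canonicalise(url: str) -> str:
    """Map a reported URL to its canonical (registered) domain."""
    host = urlsplit(url).hostname or ""
    return registrable_domain(host)


def spoofed_prefix(url: str) -> str:
    """Bank-looking labels in front of the random label (assumes one random label)."""
    host = urlsplit(url).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[:-3]) if len(labels) > 3 else ""


def is_rock_like(url: str, min_prefix_labels: int = 3) -> bool:
    """Heuristic: the hostname carries several extra labels ahead of the registered domain."""
    host = urlsplit(url).hostname or ""
    return len(host.split(".")) - 2 >= min_prefix_labels


def group_reports(urls):
    """Map canonical domain -> list of reported URLs pointing at it."""
    groups = defaultdict(list)
    for u in urls:
        groups[canonicalise(u)].append(u)
    return dict(groups)


def targets_per_domain(urls):
    """Map canonical domain -> set of spoofed bank prefixes seen under it."""
    targets = defaultdict(set)
    for u in urls:
        if is_rock_like(u):
            targets[canonicalise(u)].add(spoofed_prefix(u))
    return dict(targets)


def summarise(urls):
    """Collapse raw reports to canonical domains and report the rock-phish share."""
    groups = group_reports(urls)
    rock = [u for u in urls if is_rock_like(u)]
    return {
        "reports": len(urls),
        "rock_reports": len(rock),
        "rock_share_pct": round(100 * len(rock) / len(urls), 1),
        "rock_canonical_domains": len({canonicalise(u) for u in rock}),
        "reports_per_domain": {k: len(v) for k, v in groups.items()},
    }


if __name__ == "__main__":
    print(summarise(SAMPLE_REPORTS))
    print(targets_per_domain(SAMPLE_REPORTS))
```

The label-count heuristic in `is_rock_like` is only a stand-in for the manual classification the researchers describe; it would also flag any long legitimate hostname, so in practice it should be combined with the canonical-domain grouping rather than used alone.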

“Almost everybody in this area has a vested interest in inflating the numbers,” says Clayton, since inflated figures seem to show vendors doing more work and give the police a reason not to investigate a large number of small-scale incidents.

The researchers say the rock-phish gang has changed its methods rapidly. From February, it introduced a method called “fast-flux”, which rapidly switches the internet protocol (IP) addresses that its web-addresses resolve to.
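Fast-flux shows up to a defender as DNS answers for one name that keep changing between lookups. The following is an added example, not from the paper or the article, of how a resolver log could be scored for that churn: per domain it counts the distinct IPs seen inside a sliding window and the number of answer changes between consecutive lookups, and flags a domain when the distinct count crosses a threshold. The log records, domain names and IPs are constructed (documentation ranges under reserved `.test` names); the one-hour window and threshold of four are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: (UTC timestamp, domain looked up, IP answered). Not real data.
SAMPLE_RESOLUTIONS = [
    ("2007-03-01T10:00:00", "flux-domain.test", "192.0.2.10"),
    ("2007-03-01T10:10:00", "flux-domain.test", "198.51.100.7"),
    ("2007-03-01T10:20:00", "flux-domain.test", "203.0.113.44"),
    ("2007-03-01T10:30:00", "flux-domain.test", "192.0.2.10"),
    ("2007-03-01T10:40:00", "flux-domain.test", "198.51.100.99"),
    ("2007-03-01T10:50:00", "flux-domain.test", "203.0.113.5"),
    ("2007-03-01T10:00:00", "static-phish.test", "192.0.2.200"),
    ("2007-03-01T10:30:00", "static-phish.test", "192.0.2.200"),
    ("2007-03-01T11:00:00", "static-phish.test", "192.0.2.200"),
    ("2007-03-01T10:00:00", "cdn-like.test", "192.0.2.1"),
    ("2007-03-01T10:30:00", "cdn-like.test", "192.0.2.2"),
]


def parse(records):
    """Group (timestamp, ip) observations by domain, sorted by time."""
    by_domain = defaultdict(list)
    for ts, domain, ip in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    for obs in by_domain.values():
        obs.sort()
    return dict(by_domain)


def flux_score(observations, window=timedelta(hours=1)):
    """Return (max distinct IPs in any sliding window, answer changes between lookups)."""
    max_distinct = 0
    for i, (t0, _) in enumerate(observations):
        in_window = {ip for t, ip in observations[i:] if t - t0 <= window}
        max_distinct = max(max_distinct, len(in_window))
    changes = sum(
        1 for (_, a), (_, b) in zip(observations, observations[1:]) if a != b
    )
    return max_distinct, changes


def classify(records, min_distinct=4, window=timedelta(hours=1)):
    """Flag domains whose answers churn through >= min_distinct IPs inside the window."""
    result = {}
    for domain, obs in parse(records).items():
        distinct, changes = flux_score(obs, window)
        result[domain] = {
            "distinct_in_window": distinct,
            "changes": changes,
            "fast_flux": distinct >= min_distinct,
        }
    return result


if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE_RESOLUTIONS).items():
        print(domain, verdict)
```

Legitimate round-robin and CDN names also rotate answers, which is why `cdn-like.test` stays below the threshold here; in practice the distinct-IP count is corroborated with how spread the answers are across unrelated networks and with short TTLs before a name is treated as fast-flux.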

The result of such techniques is to extend the life of rock-phish domains, which the researchers say have a mean lifetime of 94 hours, with the fast-flux domains lasting 454 hours, compared with ‘normal’ phishing web-sites, which last an average of 58 hours.

“You might think having more banks going up against you meant your sites would be taken down faster,” says Clayton. “In fact, they are being taken down more slowly.”
