Rock Phish
Phishing toolkit and the group behind it
From Wikipedia, the free encyclopedia
Rock Phish gang and techniques
At one time the Rock Phish group was stated to be behind "one-half of the phishing attacks being carried out.[2] VeriSign reports them as a group of Romanian origin,[1] but others have claimed that the group is Russian.[3] They were first identified in 2004.[4]
Their techniques were sophisticated and distinctive, as outlined in a presentation at APWG eCrime '07.[5]
History
In 2004 the first rock phishing attacks contained the folder path “/rock”, which led to the name of the attack, and group.
Attackers employed wild card DNS (domain name server) entries to create addresses that included the target's actual address as a sub-domain. For example, in the case of a site appearing as www.thebank.com.1.cn/thebank.html, ”thebank.com” portion of the domain name is the “wild card”, meaning its presence is purely superficial – it is not required in order for the phishing page to be displayed. “1.cn” is the registered domain name, “/thebank.html” is the phishing page, and the combination of “1.cn/thebank” will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path.[6]