Rock Phish

From Seo Wiki - Search Engine Optimization and Programming Languages

Jump to: navigation, search

Rock Phish is also referred to as Rock Phish Kit. Authorities differ over its precise definition and about what sort of entity it is.[1][2] The common information is that it is either a hacker or group of hackers, or a phishing tool kit, or that the same name is used for each.


Rock Phish Kit

"Rock Phish" is a phishing toolkit that made its way into the hacking community around November 2005. Currently the most popular phishing kit, Rock Phish allows nontechnical individuals to create and carry out phishing attacks.[3][4][5] Like virus-making kits a few years ago, these kits are helping increase the number of phishing attacks, by making phishing methods more mainstream. The kit allows a single website with multiple DNS names to host a variety of phishing webpages, covering several banks and companies.

These kits are easily identified by the pattern in their URL:

URL: http://{domain name}/r1/{letter}

Where the letter is some combination that attempts to fool the user. Usually the first letter of the bank or company is in the letter of the URL.

Rock Phish Usage

F-Secure has created videos of the Rock Phish Kit in action on their blog.

Rock Phish

Robert McMillan disputes the definition above, saying that "security experts" call such a description inaccurate.[2] He says Rock Phish is defined as a hacker or group of hackers stated to be behind "one-half of the phishing attacks being carried out these days." Because of the elusive nature of Rock Phish, the article reports Symantec as comparing it with the movie character Keyser Söze. VeriSign reports them as a group of Romanian origin.[1] In the April 2007 edition of PC World, in an article entitled "Online Criminals are Thriving even in the face of New Automated Defenses" calls Rock Phish "a single phishing gang". This report that calls them the Rock Phish gang comes from a research firm known as Gartner, supported by RSA.

Independently of what definition is used, rock phishing is often used to refer to phishing attacks with some particular features. To minimize the effects of takedown, rock phishers often update DNS records over the course of the phishing attack. Moreover, sequential spam batches often use different and unrelated URLs. In the extreme, it would be possible for phishers to use a given URL only on one particular spoofed email, sent to only one potential victim. This would severely affect the success of takedown, but would require a very large number of corrupted nodes used for serving phishing webpages. Another distinguishing aspect of rock phishing is the use of images of text instead of text—this complicates spam filtering, given that optical character recognition (OCR) is fairly slow, and seldomly used in spam filters.

An excellent account of rock phishing tactics was presented at APWG eCrime '07.[6]

BCS OutLook

In simple terms a Rock phish requires ownership of multiples of domain names, which are normally nonsensical, e.g. These are then constructed into spam email which creates the look and feel of a genuine communication. Underlying the Rock phish attack is the use of wildcard DNS, which is employed to resolve to variations of IP addresses, and then mapping them over to a dynamic gathering of compromised machines.[7]


  1. 1.0 1.1 Compliance and Privacy (2006-12-15). "What is Rock Phish? And why is it important to know?". Compliance and Privacy. Retrieved 2006-12-15. "Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region. This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam (Ken Dunham, VeriSign)" 
  2. 2.0 2.1 Robert McMillan (2006-12-12). "'Rock Phish' blamed for surge in phishing". InfoWorld. pp. 2. Retrieved 2006-12-13. "The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are." 
  3. "Malware Review". Internet Industry Association. March 2006. Retrieved 2006-12-13. "The so-called 'rock-phish' kit saves Phishers space and time: One single 'physical' site with multiple DNS names now holds a multitude of Phishing pages, covering a broad range of different banks." 
  4. "Websense alert". Websense Security Labs. 2006-02-23. Retrieved 2006-12-13. "Websense Security Labs is seeing a significant increase in the number of Phishing kits used to host multiple target brands on a single host and deploy similar attack code on several machines. Currently the most popular is being referred to as the 'Rock Phish Kit'. The kit appears to have surfaced around November of 2005, but the frequency of its use is growing." 
  5. Munir Kotadia (2006-02-28). ",39020375,39254714,00.htm". ZDNet Australia.,39020375,39254714,00.htm. Retrieved 2006-12-13. "According to Internet security company Websense, one of the most popular phishing kits is called Rock Phish Kit, which the company said was first seen last November." 
  6. Tyler Moore and Richard Clayton.. "Examining the Impact of Website Take-down on Phishing." (PDF). APWG eCrime Researcher's Summit, ACM Press, pp. 1-13. Retrieved October 28, 2007. 
  7. BCS March 2008

Personal tools

Served in 0.669 secs.