Rock Phish

From Infogalactic: the planetary knowledge core

Rock Phish refers to both the phishing toolkit and the entity that publishes the toolkit. Phishing is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.[1][2] Sources commonly describe Rock Phish as a hacker or group of hackers, or as a phishing toolkit, or use the same name for each.

Rock Phish Kit

In today’s world, organizations that conduct any business online are aware of the various threats that they may be subject to. While basic threats such as phishing attacks, worms and trojans are familiar terms for any IT or security professional, traditional methods associated with fraudulent activity have evolved to new and advanced levels of complexity.

The Rock Phish toolkit enables non-technical users to easily create and implement phishing attacks. The kit works by configuring a single Web server as a host, with multiple domain name servers (DNSes) to host a variety of templates, each one of which closely resembles a different legitimate bank or business venture. Attackers can then launch multiple phishing attacks from the host, fooling customers and clients into responding to the professional, legitimate-looking email and entering their personal or financial data into the phisher's trap. Once harvested, credit card and banking information is channeled into a central server, the "Mother Ship," and sold through chat rooms to a dispersed network of money launderers that extract money from phishing victims' accounts.

Rock Phish Usage

F-Secure has created videos of the Rock Phish Kit in action on their blog.

Robert McMillan disputes the definition above, saying that "security experts" call such a description inaccurate.[2] He says Rock Phish is defined as a hacker or group of hackers stated to be behind "one-half of the phishing attacks being carried out these days." Because of the elusive nature of Rock Phish, the article reports Symantec as comparing it with the movie character Keyser Söze. VeriSign reports them as a group of Romanian origin.[1] An article in the April 2007 edition of PC World, entitled "Online Criminals are Thriving even in the face of New Automated Defenses", calls Rock Phish "a single phishing gang". The report that calls them the Rock Phish gang comes from the research firm Gartner, supported by RSA.

Jeff Singleton of HackDefendr Security rebuts Robert McMillan's claim as invalid for the information presented on this page: the hacking group called the Rock Phish Gang[3] and the type of attack carried out with the kit, which is also called Rock Phish, are in fact different. The authors of the kit remain anonymous. Rock Phish has become the most popular phishing kit available online, with some estimates suggesting that the kit is used for half of all phishing attempts.

Independent of what definition is used, rock phishing is often used to refer to phishing attacks with some particular features. To minimize the effects of takedown, rock phishers work by registering a large number of domains, which are used to host scripting files that send and receive information from the perpetrator’s main host. These types of attacks are hosted in such a way that they can be displayed on any compromised machine controlled by the perpetrators. Furthermore, advanced scripting set up by attackers allows the domains to move from ISP to ISP without any human intervention. Given that these types of online criminals have a deep knowledge of and experience in online exploitation, finding the source of and controlling damages done as a result of a rock phishing attack becomes extremely challenging.

An account of rock phishing tactics was presented at APWG eCrime '07.[4]

Rock Phishing History

It was in 2004 that we saw the genesis of the rock phish attack. The name stems from the first recorded attack in which attackers employed wild card DNS (domain name server) entries to create addresses that included the target’s actual address as a sub-domain. For example, in the case of a site appearing as, ”” portion of the domain name is the “wild card”, meaning its presence is purely superficial – it is not required in order for the phishing page to be displayed. “” is the registered domain name, “/thebank.html” is the phishing page, and the combination of “” will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path. The first rock phishing attacks contained the folder path “/rock”, which led to the name of the attack as we know it today. To date, it is estimated that rock phishing has already cost businesses and consumers in excess of $100 million in damages, and it continues to grow.
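The hostname pattern described above can be checked for on the defensive side. The following is an added example, not part of the original article or of any kit: it flags URLs in which a protected domain appears only as sub-domain labels of a different registered domain, and groups them to show many hostnames resolving under one wildcard domain. The protected domain, the sample URLs and the function names are constructed assumptions, and the two-label registered-domain rule is a simplification.

```python
from urllib.parse import urlsplit

# Constructed list of domains the defender wants to protect (assumption).
PROTECTED = {"thebank.example"}

def registered_domain(host):
    """Naive registered domain: the last two labels of the hostname.
    Assumption: production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def embedded_brand(url):
    """Return the protected domain that appears only as sub-domain labels
    of some other registered domain, or None if there is no such match."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registered_domain(host)
    if not host or reg in PROTECTED:
        return None  # empty host, or genuinely on the protected domain
    # Labels to the left of the registered domain (the "wild card" part).
    prefix = host[: len(host) - len(reg)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    for brand in PROTECTED:
        b = brand.split(".")
        for i in range(len(labels) - len(b) + 1):
            if labels[i:i + len(b)] == b:
                return brand
    return None

def cluster_flagged(urls):
    """Group flagged URLs by (registered domain, path). Several distinct
    hostnames under one key is consistent with a wildcard DNS entry."""
    clusters = {}
    for u in urls:
        if embedded_brand(u):
            parts = urlsplit(u)
            key = (registered_domain(parts.hostname), parts.path)
            clusters.setdefault(key, set()).add(parts.hostname)
    return clusters

SAMPLE_URLS = [  # constructed sample input using reserved TLDs
    "http://www.thebank.example.qz81k.test/rock/thebank.html",
    "http://login.thebank.example.qz81k.test/rock/thebank.html",
    "https://www.thebank.example/login",
    "http://news.other.test/rock/index.html",
]

if __name__ == "__main__":
    for key, hosts in cluster_flagged(SAMPLE_URLS).items():
        print(key, sorted(hosts))
```

Matching on whole labels rather than substrings avoids flagging unrelated hostnames that merely contain the brand string inside a longer label.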

Until this attack, phishing was becoming more pervasive, but was far from mainstream - in large part because free Web services only allowed for limited activities. More recently however, attackers have found a more surreptitious way to launch attacks through legitimate websites themselves by exploiting common vulnerabilities in the software running on the sites. Unlike popularized software applications that openly announce changes, automate updates and provide open access to programming tools, administrators often have to spend time seeking out Web software updates and security weaknesses. This delay in - or sometimes complete lack of – action provides ample opportunity for attackers to do considerable damage.

In addition, there has been a move to make website software more accessible to the non-tech user so they can create their own Web pages. The drop in the sophistication levels of the Web masters makes the risk of rock phishing higher – and the opportunity to catch these sites and shut them down in a timely manner much lower.

At the same time, perpetrators for their part have taken it upon themselves to become well-versed in Web server technology. These are not the typical casual hackers that typified the “phisher kings” of past years. These are highly sophisticated, well educated, highly coordinated teams of people with exceptional technology skills.

BCS OutLook

In simple terms a Rock phish requires ownership of multiples of domain names, which are normally nonsensical, e.g. These are then constructed into spam email which creates the look and feel of a genuine communication. Underlying the Rock phish attack is the use of wildcard DNS, which is employed to resolve to variations of IP addresses, and then mapping them over to a dynamic gathering of compromised machines.[5]


  1. Compliance and Privacy (2006-12-15). "What is Rock Phish? And why is it important to know?". Compliance and Privacy. Retrieved 2006-12-15. Rock Phish is an individual or group of actors likely working out of Romania and nearby countries in the region. This group has been in operation since 2004 and is responsible for innovation in both spam and phishing attacks to date, such as pioneering image-spam (Ken Dunham, VeriSign)
  2. Robert McMillan (2006-12-12). "'Rock Phish' blamed for surge in phishing". InfoWorld. p. 2. Retrieved 2006-12-13. The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.
  3. Jeremy Kirk (2008-04-21). "'Rock Phish Gang' Adds Second Punch to Phishing Attacks". IDG News Service. p. 1. Retrieved 2012-11-03. The Rock Phish gang surfaced around 2004, becoming well-known for its expertise in setting up phishing sites...
  4. Tyler Moore and Richard Clayton. "Examining the Impact of Website Take-down on Phishing" (PDF). APWG eCrime Researcher's Summit, ACM Press, pp. 1-13. Retrieved October 28, 2007.
  5. BCS March 2008