Phishing Cyber Gang Upgrades to Fast-Flux Botnet

According to researchers on the RSA FraudAction team, the Rock Phish gang has moved its infrastructure to the notorious Asprox botnet. Security researchers believe the move may precede an increase in phishing activity using the Asprox botnet.

Researchers at RSA, EMC's security division, believe the Rock Phish gang has upgraded its infrastructure to improve its ability to launch phishing attacks.

According to the RSA FraudAction Research Lab, the Rock Phish group has moved its operations from its traditional botnet to the fast-flux infrastructure of the infamous Asprox botnet. For end users, this could herald a rise in phishing attacks via Asprox.

"It's our suspicion that this lull may be calm before the storm," said Sean Brady, product marketing manager at RSA.

In early April, the researchers began observing changes in the Rock Phish attack structure when the gang introduced the Zeus Trojan (WSNPOEM) in its phishing attacks. Shortly afterwards, the gang replaced Zeus and padded its attacks with more custom-made and sophisticated crimeware.

As the malware continued to evolve, the researchers noticed its command and control server was also infecting users with the botnet client. In addition, researchers found the command and control server of the Rock Phish crimeware-as well as the newly introduced botnet client-had the same directory structure of the emerging Asprox servers from which the Asprox botnet malware was downloaded at the time.

Further proof came when researchers noticed a drop-off in the number of phishing attacks hosted on the traditional Rock Phish network and a coinciding increase in the number hosted on the Asprox botnet.

According to research from MessageLabs, one in every 522.7 e-mails they analyzed in August constituted a phishing attack, a decrease of less than one percent from July. In May however, the rate stood at one in 265.6 e-mails.

"It would not be surprising in the least in the upcoming months to see phishing attacks return to at least the level where they were a couple months back, with a lot of activity being driven by this botnet," Brady said.