Rock Phish

Rock Phish is both a phishing toolkit and the entity that publishes the toolkit. Phishing is an email fraud method in which the perpetrator sends out legitimate-looking email in an attempt to gather personal and financial information from recipients.

While the authors of the kit remain anonymous, Rock Phish has become the most popular phishing kit available online, with some estimates suggesting that the kit is used for half of all phishing attempts.

The Rock Phish toolkit first surfaced in the hacking community in 2004. Rock Phish is known for pioneering the use of image spam. It has also proven particularly adept at evading the adaptive security measures taken by networking professionals, earning the group grudging respect for their ability to stay on the cutting edge of technology -- and out of the hands of law enforcement. Gartner, the information technology research and advisory firm, has described Rock Phish as the "Keyser Söze" of the phishing world, a reference to the mysterious character in the 1995 film "The Usual Suspects." Many law enforcement officials believe Rock Phish is not an individual, but rather a sophisticated group of criminals tied to organized crime.

How does Rock Phish work?

The Rock Phish toolkit enables non-technical users to easily create and launch phishing attacks. The kit works by configuring a single Web server as the host, with multiple domain names resolving to it, so that the one host can serve a variety of page templates, each of which closely resembles a different legitimate bank or business. Attackers can then run multiple phishing campaigns from the same host, fooling customers and clients into responding to the professional, legitimate-looking email and entering their personal or financial data into the phisher's trap. Once harvested, credit card and banking information is channeled to a central server, the "Mother Ship," and sold through chat rooms to a dispersed network of money launderers who extract money from phishing victims' accounts.


Alert users may identify the phishing kits through a pattern in the Uniform Resource Locator (URL): a distinctive /r/ directory followed by a single-letter subdirectory.

The letter after the /r/ directory corresponds to the brand being spoofed, for example a letter standing for Citibank. In fact, the group was given the name "Rock Phish" because the URLs on the fake sites created with the kit typically included a distinctive subdirectory named "rock" or /r/, though this identifier has been largely abandoned since filters were updated to search for the term. Rock Phish URLs may also display simply as an IP address, another potential danger sign. Other indicators of phishing activity are sites that reuse the same PHP scripts over and over to post content to phishing Web sites, or JavaScript hacks that replace a Web browser toolbar or disable keyboard functions such as Cut and Paste.

Unfortunately, Rock Phish has made a practice of using each URL once and then abandoning it, a technique that makes it quite difficult for the anti-phishing measures integrated into modern Web browsers (such as Firefox 2.0 or Internet Explorer 7.0) or for anti-spyware software to identify the phishing sites and alert users to their false nature, since such measures depend on lists of previously reported URLs. Rock Phish has also stayed away from the two most popular phishing targets, eBay and PayPal, focusing instead on more than 44 different European and U.S. financial institutions, including Barclays, Citibank, Deutsche Bank, and E-Trade, among others. Rock Phish has also used domain names registered in countries with limited online law enforcement.
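The two indicators described above (the /r/ plus single-letter directory, and a bare IP address as the host) can be checked structurally, which is what makes them useful against the throwaway URLs described in this paragraph: a hostname used once and discarded is never on a blocklist, but the path layout the kit generates still is. The following is an added example, written for this page and not code from TechTarget or from the Rock Phish kit; the sample URLs, the blocklist, and the function names are all constructed for illustration, and the /r/ signature is the dated one the article itself says was largely abandoned, so the point is the technique, not the specific pattern.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical detector (added example, not TechTarget's or Rock Phish's code).
# Path signature described in the text: a "/r/" (historically also "/rock/")
# directory followed by a single-letter subdirectory naming the spoofed brand.
ROCK_PATH = re.compile(r"^/(?:r|rock)/[a-z]/", re.IGNORECASE)


def host_is_bare_ip(host):
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def rock_phish_indicators(url):
    """Return the Rock Phish style indicators present in one URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    found = []
    if ROCK_PATH.match(parts.path):
        found.append("rock-directory")
    if host_is_bare_ip(host):
        found.append("ip-host")
    return found


def triage(url, blocklist):
    """Combine a hostname blocklist with the structural indicators.

    A throwaway hostname seen for the first time is never on the blocklist,
    so the structural check is what actually catches it.
    """
    host = (urlsplit(url).hostname or "").lower()
    indicators = rock_phish_indicators(url)
    return {
        "url": url,
        "blocklisted": host in blocklist,
        "indicators": indicators,
        "suspicious": host in blocklist or bool(indicators),
    }


# Constructed sample data (not real Rock Phish infrastructure): one host
# already on a blocklist, the rest fresh throwaway names or bare addresses.
SAMPLE_BLOCKLIST = {"203.0.113.5"}
SAMPLE_URLS = [
    "http://203.0.113.5/r/c/login.php",        # known host, rock path
    "http://secure-update.example/r/b/",       # fresh host, rock path
    "http://[2001:db8::1]/rock/d/index.php",   # bare IPv6, old "rock" dir
    "https://www.example.com/r/review/",       # "/r/" but not a brand letter
    "https://www.example.com/login",           # benign control
]


def run_triage(urls=SAMPLE_URLS, blocklist=SAMPLE_BLOCKLIST):
    """Triage every sample URL and return the results in input order."""
    return [triage(u, blocklist) for u in urls]


if __name__ == "__main__":
    for result in run_triage():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['url']}  {result['indicators']}")
```

Running the block shows the second sample URL flagged even though its hostname has never been seen before, which is the gap a purely list-based browser filter leaves open. The regex anchors on the start of the path and requires exactly one letter between the slashes, so an ordinary `/r/review/` path is not flagged; a real deployment would treat any single heuristic like this as one signal among several rather than a verdict.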

This was last updated in August 2007
