Rock Phish: Fast Flux
New phishers appear almost daily, dedicated to finding new ways to spoof legitimate web businesses, and they are succeeding despite the use of SSL certificates.
One of the biggest and most effective groups has a very ironic name: the "Rock Phish" group. Right now, nobody knows how big this group is, whether it is run by a handful of individuals, or whether it is the work of one or two sophisticated hackers.
Richard Clayton and Tyler Moore, both security researchers from Cambridge University, have been keeping an eye on phishing trends, and recently published a paper entitled "Examining the Impact of Website Takedown on Phishing."
The two followed over 30,000 phishing reports from PhishTank, a site dedicated to tracking phishing sites, and most of the phishing incidents they researched led back to the Rock Phish group.
It also seems this group introduced, and continues to use, a new phishing method: "Fast Flux."
Fast Flux is part of the latest wave of phishing tactics, in which a phisher registers a domain name and attaches several IP addresses to it. The phishers then play a 'shell game' with the domain, rotating it among those IP addresses, so that it is difficult to shut the phishing site down.
Unlike other phishers, the Rock Phish group uses computers it has already compromised as proxy servers. These proxies forward traffic to one main server, so the phishing content is never served directly from the compromised computers. As a result the host, an Internet Service Provider (ISP), cannot shut down the phishing site by itself; to take the site down, the domain name registrar must be contacted.
This is a long and very time-consuming process. If that wasn't bad enough, Fast Flux allows phishing web sites to stay up much longer than usual, according to Clayton and Moore's research, and that means a better chance of compromising more end-users and their computers.
Clearly, SSL is not the cure-all it was touted as being. More protection is needed, as well as validation that the company Web site the end-user visits is indeed owned by that company.
With tactics such as Fast Flux, SSL cannot protect the server and the browser as it was intended to do.
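The rotation described above leaves a trace a defender can look for: the same domain name resolving to many different addresses, with the answer set changing from one lookup to the next. The following is an added example, not code from the article or from Clayton and Moore's research. It runs a simple fast-flux heuristic over constructed DNS resolution records (the domain names and IP addresses are placeholders in documentation ranges, not real indicators), flagging a domain only when it shows both many distinct addresses and frequent answer changes inside a time window. The thresholds and the one-hour window are assumptions chosen for the sample, not values from the page.

```python
"""Fast-flux heuristic over constructed DNS resolution records.

Added example, not from the original article. A domain is flagged when,
within a time window, its A-record answers rotate among many distinct IP
addresses and the answer set keeps changing between successive lookups.
A stable round-robin pool (same few addresses every time) is not flagged.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, domain, set of IPs returned).
# Names and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_RESOLUTIONS = [
    ("2008-01-10T10:00:00", "login-example-bank.test", {"203.0.113.10", "203.0.113.44"}),
    ("2008-01-10T10:05:00", "login-example-bank.test", {"198.51.100.7", "203.0.113.44"}),
    ("2008-01-10T10:10:00", "login-example-bank.test", {"198.51.100.7", "192.0.2.99"}),
    ("2008-01-10T10:15:00", "login-example-bank.test", {"192.0.2.120", "203.0.113.10"}),
    ("2008-01-10T10:20:00", "login-example-bank.test", {"198.51.100.200", "192.0.2.99"}),
    ("2008-01-10T10:00:00", "www.example.com", {"192.0.2.5"}),
    ("2008-01-10T10:10:00", "www.example.com", {"192.0.2.5"}),
    ("2008-01-10T10:20:00", "www.example.com", {"192.0.2.5"}),
    # Legitimate round-robin: two addresses, returned in varying order.
    ("2008-01-10T10:00:00", "cdn.example.org", {"192.0.2.1", "192.0.2.2"}),
    ("2008-01-10T10:10:00", "cdn.example.org", {"192.0.2.2", "192.0.2.1"}),
]


def parse(records):
    """Group resolutions per domain as (datetime, frozenset of IPs), sorted by time."""
    by_domain = defaultdict(list)
    for ts, domain, ips in records:
        by_domain[domain].append((datetime.fromisoformat(ts), frozenset(ips)))
    for observations in by_domain.values():
        observations.sort()
    return by_domain


def flux_metrics(observations, window=timedelta(hours=1)):
    """Return (distinct_ip_count, answer_changes) for the window ending at the last lookup.

    distinct_ip_count: how many different addresses the domain resolved to.
    answer_changes:    how many times the answer set differed from the previous lookup.
    """
    if not observations:
        return 0, 0
    end = observations[-1][0]
    recent = [(t, ips) for t, ips in observations if end - t <= window]
    distinct = set().union(*(ips for _, ips in recent))
    changes = sum(1 for (_, a), (_, b) in zip(recent, recent[1:]) if a != b)
    return len(distinct), changes


def find_fast_flux(records, min_distinct=4, min_changes=2, window=timedelta(hours=1)):
    """Return {domain: (distinct_ips, changes)} for domains exceeding both thresholds.

    Requiring both conditions keeps a stable round-robin pool from being flagged:
    it may have several addresses, but the answer set does not churn.
    Thresholds are assumptions for this sample, not values from the article.
    """
    flagged = {}
    for domain, observations in parse(records).items():
        distinct, changes = flux_metrics(observations, window)
        if distinct >= min_distinct and changes >= min_changes:
            flagged[domain] = (distinct, changes)
    return flagged


if __name__ == "__main__":
    for domain, (distinct, changes) in find_fast_flux(SAMPLE_RESOLUTIONS).items():
        print(f"{domain}: {distinct} distinct IPs, {changes} answer changes in window")
```

On the sample data only `login-example-bank.test` is flagged (six distinct addresses, four changes in twenty minutes); `cdn.example.org` resolves to two addresses but the set never changes, so it is left alone. In practice the records would come from a resolver's query log, and the thresholds would be tuned against the organisation's own baseline of legitimate round-robin and CDN names.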
"SSL, being a low level protocol, does little to protect you once your host is compromised. Also, once a key in a certificate is compromised, it can remain compromised, as there is no mechanism in place for consulting the root of a CA [Certificate Authority] to confirm the key you are using has not been revoked," wrote Shostack.
SSL is an integral part of Web browser and server security. It provides a layer for information traffic that is not only confidential but also tamper-evident: SSL makes sure that the information remains unchanged as it travels from browser to server and from server to browser, and that each end is authenticated correctly.
Encryption is the hallmark of SSL, achieved through cryptography and digital certificates, but SSL should also correctly establish the identity of a Web site. Some certificates, issued under the X.509 standard, do verify the entity behind the site, but as "Fast Flux" and the other new ways phishers are fooling end-users into visiting phony Web sites show, a new layer of protection and authentication must be implemented.