
SANS ISC InfoSec Handlers Diary Blog


Phishing by proxy

Published: 2006-11-28
Last Updated: 2006-11-28 23:42:21 UTC
by William Salusky (Version: 1)
Phixies, Phoxies, Phishoxies, Proxishing, reverse-proxy phishing, reverse-prophixing, reverse phoxy prish, ahhh PHOOEY!!! 

It is likely already old hat to security researchers that the evolution of phishing attacks is following a black-velvet paint-by-numbers board of increasing complexity, but I personally have recently witnessed an increase in something *new to me*, which is Phishing by Proxy... now being followed closely by Money Mule recruitment by proxy.

I had been investigating reports of phishing and miscreant web sites being hosted in specific user-land network IP space, only to discover that they were not in fact malicious users but innocent users who had somehow been duped and their computers compromised, resulting in a proxybot infection that would phone home announcing the availability of anonymous proxy redirect services, offering controllable TCP port 80 and 443 redirects to an upstream mothership.  These bots/agents also offer DNS service at the phisher's whim, acting as authoritative NS targets with the fast-flux domain resolution techniques often found in short-lived phishing attacks or used by any other type of garbageware pusher.  All that functionality [in this variant] comes in an 11k footprint, and hasn't been well detected by AV vendors either.  The AV vendors that do offer detection [for this specific variant I am referring to] unfortunately offer only innocuous names like "Trojan-Downloader.Win32.Small.dho" or "W32/Malware", which does nothing to improve awareness of the threat.  I am in the process of beating on the vendors that still do not offer detection of this simple sample.

So, getting back to the story.  I had received notice of various European financial services being proxied via these proxybotted agents, but by the time I had acquired malware samples the proxying for phishing sites had ceased, and in its stead came a wave of Money Mule recruitment sites being redirected via these proxies.  I suppose that the upstream phishers ran out of individuals they could abuse in financial fraud, and hence had to go on a recruitment/hiring binge.

What I have found works reasonably well in my situation to identify these infection types going forward is to search DNS cache dumps/logs for DNS A records that point into dynamically provisioned IP space, for host/domain records not belonging to any typical dynamic DNS provisioning service.  More often than not, an isolated and suspiciously named A record pointing into wildly dynamic IP space [in my experience] implies that something wicked that way goes.  I looked at alerting based on discovered target IP/hostname phone-home destinations, but that seems to me to be a game that only the running man can play.
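As an added example (not part of the original diary, and not the handler's own tooling), the following Python sketch runs the DNS-side heuristic above over a few constructed cache-dump lines: it flags A records that land in an assumed block of dynamically provisioned address space while not sitting under an assumed list of dynamic DNS provider domains, and, going one step beyond the paragraph, also picks out names answered with several addresses at a short TTL, the fast-flux pattern mentioned earlier in the diary. The BIND-style dump layout, the network list (TEST-NET-3 standing in for a residential pool), the provider suffixes and the thresholds are all assumptions; an operator would substitute their own provisioning data and allow-list.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a DNS cache dump in BIND "rndc dumpdb" style
# (owner TTL class type rdata). Names and addresses are made up;
# 203.0.113.0/24 (TEST-NET-3) stands in for a residential dynamic pool.
SAMPLE_CACHE_DUMP = """
; constructed sample, not a real dump
www.example-bank.test.          3600 IN A  198.51.100.20
mail.example-bank.test.         3600 IN MX 10 mx1.example-bank.test.
login.secure-update.test.        300 IN A  203.0.113.77
login.secure-update.test.        300 IN A  203.0.113.140
login.secure-update.test.        300 IN A  203.0.113.201
myhome.dyndns.test.               60 IN A  203.0.113.55
broken.record.test.              300 IN A  not-an-address
"""

# Assumed operator-maintained lists: which prefixes are dynamically
# provisioned, and which domains are legitimate dynamic DNS providers
# whose hostnames are expected to point into such space.
DYNAMIC_NETS = [ipaddress.ip_network("203.0.113.0/24")]
DYNDNS_PROVIDER_SUFFIXES = ("dyndns.test", "no-ip.test")


def parse_a_records(dump_text):
    """Return (owner, ttl, ip) tuples for the IPv4 A records in a dump.

    Comment lines, blank lines, other record types and malformed
    addresses are skipped so one bad line cannot abort the scan.
    """
    records = []
    for line in dump_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "A":
            continue
        owner = fields[0].rstrip(".").lower()
        try:
            ttl = int(fields[1])
            ip = ipaddress.ip_address(fields[4])
        except ValueError:
            continue
        if ip.version == 4:
            records.append((owner, ttl, ip))
    return records


def in_dynamic_space(ip, dynamic_nets=DYNAMIC_NETS):
    """True when the address falls inside any dynamically provisioned prefix."""
    return any(ip in net for net in dynamic_nets)


def is_dyndns_provider_name(owner, suffixes=DYNDNS_PROVIDER_SUFFIXES):
    """True when the owner is the provider apex or a host directly under it."""
    return any(owner == s or owner.endswith("." + s) for s in suffixes)


def suspicious_dynamic_a_records(records, dynamic_nets=DYNAMIC_NETS,
                                 suffixes=DYNDNS_PROVIDER_SUFFIXES):
    """Map owner -> addresses (numeric order) for A records that point into
    dynamic space without belonging to a known dynamic DNS provider."""
    hits = defaultdict(set)
    for owner, _ttl, ip in records:
        if in_dynamic_space(ip, dynamic_nets) and not is_dyndns_provider_name(owner, suffixes):
            hits[owner].add(ip)
    return {owner: [str(ip) for ip in sorted(ips)] for owner, ips in hits.items()}


def fast_flux_candidates(records, max_ttl=300, min_distinct_ips=3):
    """Owner names answered with several distinct addresses at a short TTL.
    The thresholds are assumptions and need tuning per resolver population."""
    ips_by_owner = defaultdict(set)
    max_ttl_by_owner = {}
    for owner, ttl, ip in records:
        ips_by_owner[owner].add(ip)
        max_ttl_by_owner[owner] = max(ttl, max_ttl_by_owner.get(owner, 0))
    return sorted(
        owner for owner, ips in ips_by_owner.items()
        if len(ips) >= min_distinct_ips and max_ttl_by_owner[owner] <= max_ttl
    )


if __name__ == "__main__":
    recs = parse_a_records(SAMPLE_CACHE_DUMP)
    for owner, ips in suspicious_dynamic_a_records(recs).items():
        print(f"suspicious dynamic-space A record: {owner} -> {', '.join(ips)}")
    for owner in fast_flux_candidates(recs):
        print(f"fast-flux candidate: {owner}")
```

On the constructed sample only login.secure-update.test trips both heuristics: its three addresses sit in the assumed dynamic pool under a name that is not a dynamic DNS provider, and it is answered with three addresses at a 300-second TTL. The dyndns.test host lands in the same pool but is excused by the provider allow-list, which is exactly the exclusion the paragraph above calls for.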

It's an obviously serious issue when it comes to combating the phish problem: a successful takedown of a reported phish site that is only a proxy will just remove one node from the farm, while the upstream mothership continues with a typically long shelf life due to the effective anonymity offered by proxybotted hosts.  Did I mention that I'm a master of the run-on sentence?

Do we have any collective experience out there with this particular threat type?  Any experiences to share?

William Salusky 
"Painting Phish Pictures"
Handler on Duty