A small number of zombie networks are responsible for all Internet phishing attacks worldwide, according to CipherTrust, the messaging security appliance firm.
An analysis of messages sent to users of CipherTrust's IronMail security appliance found that less than one per cent of email messages during the first two weeks of October were phishing attacks. Dmitri Alperovitch, the research engineer at CipherTrust who carried out the analysis, reckons the phishing expeditions it spotted were launched from no more than five different networks of compromised zombie PCs, each approximately 1,000 strong.
The number of compromised machines linked to phishing expeditions is dwarfed by those engaged in spamming, which run into the tens of thousands a day. Seven in 10 of the compromised machines CipherTrust spotted distributing phishing emails were also used to send spam. CipherTrust was able to discern clear patterns in the barrage of spam and fraudulent emails spewed out from cracker-controlled machines, which led it to conclude that a limited number of zombie networks are used to send phishing emails.
"We don't know who’s sending these phishing emails or buying access to these compromised machines. But we can group emails together and say that the same type of spam and phishing attack is coming from a group of machines," Alperovitch told El Reg. "A different 1,000 IP addresses every day are used, but the size of swarms and their numbers remains consistent. Conservatively we'd put this number at less than five; we can't be more precise than that." Alperovitch said CipherTrust is talking to federal law enforcement agencies about its findings.
CipherTrust gathered its data by recording the sender Internet Protocol (IP) addresses of confirmed phishing messages and then correlating those addresses with CipherTrust's TrustedSource reputation system, which holds a history of each address's sending behaviour (including whether it has been seen sending spam). CipherTrust's TrustedSource is designed to "provide precise information about sender behaviour across hundreds of thousands of IP addresses for the purpose of tracking message legitimacy and using that information to determine the intent of email senders".
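The correlation the article describes is simple to reproduce on a mail gateway's own logs. The script below is an added example, not CipherTrust's code or data: it joins a constructed list of confirmed phishing messages (day, sender IP, brand used in the lure, recipient region) against a constructed reputation table standing in for TrustedSource, then computes the figures the article reports: the share of phishing senders also seen spamming, the number and size of per-day sender "swarms" and how many IPs they reuse from the previous day, the country breakdown, and which regions each brand's lures were sent to. The IP addresses are from documentation ranges, the country and spam flags are invented, and the function names are this example's own.

```python
"""Correlate confirmed phishing sender IPs with a sender-reputation feed.

Added example: the log and reputation table below are constructed to mimic
the article's findings and are not CipherTrust's data.
"""
from collections import Counter, defaultdict

# Constructed phishing log: (day, sender_ip, brand, recipient_region).
# Two campaigns ("Citibank", "Lloyds TSB") keep their size from day to day
# but reuse no sender IPs, the pattern the article describes as a swarm.
PHISH_LOG = [
    ("2004-10-01", "198.51.100.1", "Citibank", "NA"),
    ("2004-10-01", "198.51.100.2", "Citibank", "NA"),
    ("2004-10-01", "198.51.100.3", "Citibank", "EU"),
    ("2004-10-01", "203.0.113.10", "Lloyds TSB", "EU"),
    ("2004-10-01", "203.0.113.11", "Lloyds TSB", "EU"),
    ("2004-10-02", "198.51.100.4", "Citibank", "NA"),
    ("2004-10-02", "198.51.100.5", "Citibank", "AS"),
    ("2004-10-02", "198.51.100.6", "Citibank", "NA"),
    ("2004-10-02", "203.0.113.12", "Lloyds TSB", "EU"),
    ("2004-10-02", "203.0.113.13", "Lloyds TSB", "EU"),
]

# Constructed reputation feed keyed by sender IP (hypothetical stand-in for
# TrustedSource): has the address been seen sending spam, and its country.
REPUTATION = {
    "198.51.100.1": {"spam": True, "country": "US"},
    "198.51.100.2": {"spam": True, "country": "US"},
    "198.51.100.3": {"spam": False, "country": "KR"},
    "203.0.113.10": {"spam": True, "country": "US"},
    "203.0.113.11": {"spam": True, "country": "DE"},
    "198.51.100.4": {"spam": True, "country": "KR"},
    "198.51.100.5": {"spam": False, "country": "BR"},
    "198.51.100.6": {"spam": True, "country": "US"},
    "203.0.113.12": {"spam": True, "country": "KR"},
    "203.0.113.13": {"spam": False, "country": "US"},
}


def phishing_ips(log):
    """Distinct sender IPs seen on confirmed phishing messages."""
    return {ip for _, ip, _, _ in log}


def spam_overlap(log, reputation):
    """Fraction of phishing sender IPs that the feed also flags as spam sources."""
    ips = phishing_ips(log)
    flagged = sum(1 for ip in ips if reputation.get(ip, {}).get("spam"))
    return flagged / len(ips)


def swarms_by_day(log):
    """Group sender IPs per day by campaign (brand): {day: {brand: set(ip)}}."""
    out = defaultdict(lambda: defaultdict(set))
    for day, ip, brand, _ in log:
        out[day][brand].add(ip)
    return out


def swarm_profile(log):
    """Per day: swarm count, swarm sizes, and IPs reused from the previous day.

    A stable count and size with near-zero reuse is the signature the article
    attributes to a fixed set of botnets rotating through fresh zombies.
    """
    days = swarms_by_day(log)
    profile, prev_ips = {}, set()
    for day in sorted(days):
        sizes = {brand: len(ips) for brand, ips in days[day].items()}
        today = set().union(*days[day].values())
        profile[day] = {"swarms": len(sizes), "sizes": sizes,
                        "reused_ips": len(today & prev_ips)}
        prev_ips = today
    return profile


def country_share(log, reputation):
    """Percentage of phishing sender IPs per country, from the feed's geolocation."""
    ips = phishing_ips(log)
    counts = Counter(reputation[ip]["country"] for ip in ips if ip in reputation)
    return {c: round(100 * n / len(ips)) for c, n in counts.items()}


def brand_targeting(log):
    """For each brand used as a lure, how many messages went to each region."""
    out = defaultdict(Counter)
    for _, _, brand, region in log:
        out[brand][region] += 1
    return {brand: dict(c) for brand, c in out.items()}


if __name__ == "__main__":
    print("phishing IPs also spamming:", spam_overlap(PHISH_LOG, REPUTATION))
    for day, p in swarm_profile(PHISH_LOG).items():
        print(day, p)
    print("country share (%):", country_share(PHISH_LOG, REPUTATION))
    print("brand targeting:", brand_targeting(PHISH_LOG))
```

On real gateway data the two inputs would be the quarantine's confirmed-phish records and whatever reputation source the site has; the join is on sender IP, so the only requirement is that both sides record the connecting address rather than the forged envelope sender.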
Simon Dawson, head of corporate investigations at the Risk Advisory Group, which helped the UK banking industry launch an anti-phishing website last month, said it was hard to know the number of zombie networks out there, much less who is controlling them. "This kind of information only tends to come out through criminal prosecutions," he said.
Viruses such as My-Doom and Bagle (and Trojans such as Phatbot) hand control of infected PCs to malware authors, who sell access to the networks of compromised, zombie machines (or botnets) to other lowlifes. By using compromised machines - instead of open mail relays or unscrupulous hosts - spammers can bypass traditional IP address blacklists: the zombies are ordinary broadband hosts that are rotated daily, so a list keyed to the addresses seen yesterday catches little of today's run. The fraudsters behind phishing attacks employ the same trick.
Around one in three (32 per cent) of the zombies linked to phishing by CipherTrust are based in the US. The second largest number of compromised PCs, 16 per cent, were located in South Korea. The remaining 52 per cent of phishing zombies were spread across 98 countries.
CipherTrust's phishing analysis discovered that 46 per cent of the phishing attacks used the Citibank brand to entice victims to share financial and personal information. The remaining 54 per cent of attacks were split among twelve other well-known brands across the financial and online retail industries. CipherTrust also found some evidence that the conmen behind phishing scams are targeting their attacks, at least geographically. Lloyds TSB phishing emails were sent almost exclusively to email users located in Europe, where the company is based, CipherTrust reports. ®