
Five Zombies Do All the World's Phishing


Fewer than a handful of zombie network operators are responsible for all the phishing attacks in the world, according to CipherTrust, an Atlanta-based message security firm.

In an analysis of its global customers' e-mail traffic patterns during the first two weeks of this month, CipherTrust researchers found that less than one percent of all e-mail contained phishing attacks.

Those attacks are launched daily by a rotating set of networks, each net consisting of 1,000 zombie computers. Zombies are networked computers that hackers control surreptitiously after infecting them with some form of malware such as a virus, Trojan or worm.

Haven for Spammers

"There are a total of about 1,000 IPs each day responsible for all the phishing attacks on the Internet," CipherTrust Research Engineer Dmitri Alperovitch told TechNewsWorld. "Those IPs change from day to day so it's pretty much a different thousand every day."

Generally, phishing involves the mass distribution of "spoofed" e-mail messages with return addresses, links and branding that appear to originate from banks, insurance agencies, retailers, credit card companies or the like. The bogus messages are used to persuade recipients to divulge personal authentication data such as account information, credit card or social security numbers or personal identification numbers (PINs). Because the e-mails look genuine, recipients respond to them and become victims of identity theft and other fraudulent activity.

CipherTrust's analysis also revealed that the zombie networks responsible for phishing traffic were being used to distribute unsolicited e-mail advertising, or spam, as well.

Killing Zombies

"We noticed that we could separate these IPs into separate groups by looking at the types of e-mail that they were sending out," Alperovitch explained. "There would be a group of IPs sending this type of phishing attack and this type of spam and that was the only thing you see from them. That's how we arrived at [the conclusion that] less than five of these groups are responsible for all phishing attacks."
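The grouping Alperovitch describes can be sketched as follows. This is an added example, not CipherTrust's code: it generalizes the description by linking IPs that share any message type (connected components), so that IPs rotating from day to day still land in the same group. The records, IP addresses and message-type labels are constructed.

```python
from collections import defaultdict

# Constructed sample records: (day, sending IP, message-type label).
# IPs come from documentation ranges; labels stand in for a content fingerprint.
SAMPLE = [
    ("d1", "192.0.2.10", "phish-bank-A"),
    ("d1", "192.0.2.10", "spam-pills"),
    ("d1", "192.0.2.11", "spam-pills"),
    ("d1", "198.51.100.5", "phish-bank-B"),
    ("d1", "198.51.100.5", "spam-watches"),
    ("d2", "203.0.113.7", "phish-bank-A"),  # new IP, message type seen on day 1
    ("d2", "203.0.113.8", "phish-bank-B"),
    ("d2", "203.0.113.8", "spam-watches"),
    ("d2", "203.0.113.9", "newsletter"),
]

def find(parent, x):
    """Union-find lookup with path halving; unseen nodes become their own root."""
    parent.setdefault(x, x)
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def group_senders(records):
    """Link each IP to every message type it sent; each component is one sender group."""
    parent = {}
    for _day, ip, mtype in records:
        ra, rb = find(parent, ("ip", ip)), find(parent, ("type", mtype))
        if ra != rb:
            parent[ra] = rb
    groups = defaultdict(lambda: {"ips": set(), "types": set()})
    for kind, value in list(parent):
        root = find(parent, (kind, value))
        groups[root]["ips" if kind == "ip" else "types"].add(value)
    return sorted(groups.values(), key=lambda g: sorted(g["types"]))

def phishing_groups(records, is_phish=lambda t: t.startswith("phish-")):
    """Keep only the groups that sent at least one phishing message type."""
    return [g for g in group_senders(records) if any(is_phish(t) for t in g["types"])]

if __name__ == "__main__":
    for g in phishing_groups(SAMPLE):
        print(sorted(g["types"]), "<-", sorted(g["ips"]))
```

Because a single shared message type merges two components, content that many unrelated senders reuse would have to be excluded before grouping.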

Although the Anti-Phishing Working Group is still reviewing CipherTrust's findings, Chairman Dave Jevans noted that the organization is aware that zombies have been increasingly involved in the phishing scene.

"As of a few weeks ago, we were able to detect that zombies were being used increasingly, and we've seen networks of eight or 10 or 50 zombies," Jevans told TechNewsWorld.

More Than Five Groups

Even if there is only a smattering of operators controlling the distribution of phishing attacks, the global number of phishers could still be substantial.

"Thousands of people could still be doing it because you just hook up to a zombie network and put your data through it," Jevans said.

"We have very strong evidence that there are 30 to 40 identifiably different groups with different attack patterns out there," he added. "We know there are more groups than five, that's for sure."

Nevertheless, a crackdown on zombie networks would have a significant impact on worldwide phishing and spam traffic, Jevans asserted.

"If we could shut zombie networks off at the root, theoretically that's going to make a big impact on spam and phishing e-mails because we now know that 50 percent of all spam is being sent through zombie networks," he explained.

Prime Targets

Financial institutions remain a prime cover for phishers, CipherTrust revealed, with 46 percent of all attacks using the Citibank brand to pry personal information from victims.

"There is no industry standard for measuring phishing attacks, so research results vary," Citigroup Spokesman Mark Rodgers told TechNewsWorld via e-mail. "Our own research indicates that other organizations have as many or more phishing attacks than Citibank, but, again, everyone's analysis methodology seems to differ."

Rodgers added: "We diligently identify and stop attacks; we work with law enforcement and industry groups on solutions; we educate customers; we take steps to protect customers against fraud, and we continually modify our systems to enhance safeguards for our customers and ourselves. It is also important that consumers be aware of these issues and act appropriately as well."

More by John P. Mello Jr.