The Honeynet Project

In our research, we also observed that phishers are frequently combining the three attacking techniques we have observed and documented in this white paper, sometimes combining multiple methods to provide redundancy and protect their phishing infrastructure through implementation of a two-stage networking configuration. The following diagram depicts a possible phishing network topology:

[image:images/phishing-setup.png size=full]

In this example a central web server hosts the physical phishing content, often serving more then one web site (e.g. an eBay phishing-site in /ebay and a PayPal phishing-site in /paypal). Several compromised remote computers redirect incoming HTTP traffic on TCP port 80 to the central web server with the help of the redir port redirector. This has several advantages from an attacker's point of view when compared to a single phishing web site:

• If the compromise of one of the remote redir hosts is detected, the victim will probably take the system offline and re-install it. This does not represent a major loss for the phisher because the main phishing web site is still online and several other redir hosts continue to deliver HTTP traffic to the central web server.
• If the compromise of the central phishing server is detected, this system will also be taken offline. Now the phisher can simply set up a new phishing site on a freshly compromised system and then re-adjust the existing network of redir hosts to redirect traffic to the replacement central host. Using this technique, the whole network can be made available very quickly and the phishing attacks can soon recommence.
• A redir host is very flexible, since it can be easily reconfigured to point to another phishing web site. This decreases the time between initial system compromise and phishing web site availability, and increases the length of the attack window in which the phishing attacks can be performed.

The use of such techniques again suggests more organised and capable attackers, rather than the work of simple script kiddies. Similar operational models are often used by major web hosting companies and high volume content providers.