Gone phishing: Researchers from Indiana University--left to right, Andrew Kalafut, Youngsang Shin, and Minaxi Gupta--are studying a trick used to make phishing sites harder to detect and block.
Aaron Bernstein/Indiana University Communications

Web

Tracking Devious Phishing Websites

Researchers are monitoring a trick that makes it harder to track and shut down fraudulent websites.

  • Friday, October 16, 2009
  • By Erica Naone

In the world of online fraud, as in real life, the longer miscreants can operate without being caught, the more money they stand to make. And experts have discovered that many phishers--crooks who use fake websites to trick users into giving up valuable personal information--have found a trick that makes it harder for the good guys to block or shut them down.

The trick, dubbed "flux," allows a fake site to change its address on the Internet very quickly, making it hard for defenders to block these sites or warn unsuspecting users. According to research recently published in the journal IEEE Security and Privacy, about 10 percent of phishing sites are using flux to hide themselves.

Flux makes use of the Internet's domain name system, which is responsible for matching a Web address typed into a browser with the server that actually hosts a site. When a user tries to visit a Web page, the domain name system first directs the user to a name server, which maintains an up-to-date list of site addresses. This name server then tells the user's browser where to find the desired site.

Normally, only a small number of machines host copies of a site--just enough to keep it going if something goes wrong. Fraudulent sites, however, are a different story. Phishing sites are often hosted through botnets--thousands of hijacked machines distributed across the globe.


"These machines don't belong to the miscreants, they belong to you and I and our grandmothers," says Minaxi Gupta, an assistant professor of computer science at Indiana University who was involved with the research. Because phishers have access to so many machines, she explains, they can use all of them to move a site around rapidly, throwing defenders off the scent while keeping the website available.

To use flux, a phisher needs to control a domain name, which gives him the right to control its name server. The phisher then sets the name server so that it directs each new visitor to a different set of machines, cycling quickly through the thousands of addresses available within the botnet. Gupta notes that flux is most effective when the phisher shifts the location of the name server as well. If the name server is also moving to different locations on the Internet, it's doubly hard for defenders to pinpoint a central location where the fake website can be shut down. Gupta's group found that 83 percent of phishing sites that used flux this way lasted more than a day before being blocked, compared with a 65 percent survival rate for sites that didn't use flux.
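As an added illustration of the resolution path and the flux pattern described above (example code written for this page, not from the Indiana University researchers or their paper), the script below scores a constructed log of DNS answers from a defender's point of view. A domain whose A records spread over many addresses and networks on short TTLs is flagged as fluxed; if the addresses of its name servers churn the same way, it is flagged as double flux. The thresholds, domain names and IP addresses are all assumptions chosen for the example.

```python
"""Heuristic fast-flux scoring over a log of observed DNS answers (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsObservation:
    ts: int        # when the answer was recorded (seconds since epoch)
    qname: str     # name that was queried
    rtype: str     # "A" (host address) or "NS" (name server for the zone)
    rdata: str     # IP address for A records, name-server host for NS records
    ttl: int       # time to live the resolver was told to cache the answer


# Thresholds are assumptions for this example, not figures from the article.
MIN_UNIQUE_IPS = 5        # a site cycling through this many addresses is suspicious
MIN_UNIQUE_NETWORKS = 3   # spread across several /16s, as a botnet would be
MAX_TTL = 600             # short TTLs force resolvers to keep asking the name server


def address_churn(observations, name):
    """Summarize how much the A records returned for `name` move around."""
    ips, nets, min_ttl = set(), set(), None
    for obs in observations:
        if obs.qname != name or obs.rtype != "A":
            continue
        addr = ip_address(obs.rdata)
        ips.add(addr)
        nets.add(ip_network(f"{addr}/16", strict=False))  # coarse network-diversity proxy
        min_ttl = obs.ttl if min_ttl is None else min(min_ttl, obs.ttl)
    return {"unique_ips": len(ips), "unique_networks": len(nets), "min_ttl": min_ttl}


def looks_fluxed(churn):
    """True when the churn summary matches the flux pattern: many addresses, many networks, short TTLs."""
    return (
        churn["min_ttl"] is not None
        and churn["unique_ips"] >= MIN_UNIQUE_IPS
        and churn["unique_networks"] >= MIN_UNIQUE_NETWORKS
        and churn["min_ttl"] <= MAX_TTL
    )


def classify(observations, qname):
    """Return "stable", "single-flux" (site moves) or "double-flux" (site and its name servers move)."""
    if not looks_fluxed(address_churn(observations, qname)):
        return "stable"
    ns_hosts = {o.rdata for o in observations if o.qname == qname and o.rtype == "NS"}
    if any(looks_fluxed(address_churn(observations, ns)) for ns in ns_hosts):
        return "double-flux"
    return "single-flux"


def _constructed_log():
    """Constructed sample answers using documentation address ranges; not real observations."""
    log = []
    # Addresses standing in for hijacked machines spread across three networks.
    bot_ips = ["198.51.100.7", "203.0.113.42", "192.0.2.88",
               "198.51.100.201", "203.0.113.9", "192.0.2.17"]
    # Double flux: the site and its name server both cycle through bots on short TTLs.
    for i, ip in enumerate(bot_ips):
        log.append(DnsObservation(1000 + 300 * i, "login-flux.test", "A", ip, 300))
    log.append(DnsObservation(1000, "login-flux.test", "NS", "ns1.login-flux.test", 300))
    for i, ip in enumerate(["192.0.2.200", "198.51.100.33", "203.0.113.77",
                            "192.0.2.123", "198.51.100.150"]):
        log.append(DnsObservation(1000 + 180 * i, "ns1.login-flux.test", "A", ip, 180))
    # Single flux: the site moves, but its name server stays at one address.
    for i, ip in enumerate(bot_ips):
        log.append(DnsObservation(2000 + 300 * i, "promo-flux.test", "A", ip, 300))
    log.append(DnsObservation(2000, "promo-flux.test", "NS", "ns1.promo-flux.test", 3600))
    log.append(DnsObservation(2000, "ns1.promo-flux.test", "A", "203.0.113.53", 3600))
    # Ordinary site: two hosts for redundancy, long TTLs, one fixed name server.
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11"]):
        log.append(DnsObservation(3000 + i, "bank-example.test", "A", ip, 86400))
    log.append(DnsObservation(3000, "bank-example.test", "NS", "ns1.bank-example.test", 86400))
    log.append(DnsObservation(3000, "ns1.bank-example.test", "A", "192.0.2.53", 86400))
    return log


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for name in ("login-flux.test", "promo-flux.test", "bank-example.test"):
        print(name, address_churn(SAMPLE_LOG, name), classify(SAMPLE_LOG, name))
```

In practice the observations would come from a passive DNS feed or resolver logs collected over hours, and the /16 grouping would be replaced by an ASN or geolocation lookup; the point of the structure is that the same churn measurement applied to the site and then to its name servers distinguishes the single-flux from the double-flux case the article describes.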


dtutelman

  • 10/16/2009

Common sense vs fear and greed

There is certainly a place for the folks who are doing this fine work to make the Internet a safer place to work and play. But ultimately, protecting yourself from phishing and other scams depends on the user exercising common sense. If they did, phishing would not be profitable and would go away of its own accord.

Scams depend on ignorance, usually plus fear or greed, on the part of the user. It is really easy to avoid falling victim if you don't let fear make you sloppy and thoughtless. It isn't an issue of high tech; it's mostly common sense.

How can we show this? Easy. Phishing started on the telephone, and remains common there. Few people today lived any part of their lives without a telephone, so there is no lack of understanding, no technological intimidation. But people still give personal info out to callers, instead of insisting on calling back at a number they KNOW is legitimate.

If you would not give out information to an unknown telephone caller, then don't click a link on email from an unknown sender. Simple and effective. And similar exercise of common sense will prevent most Internet scams.

DaveT
