Tracking Devious Phishing Websites
Researchers are monitoring a trick that makes it harder to track and shut down fraudulent websites.
In the world of online fraud, as in real life, the longer miscreants can operate without being caught, the more money they stand to make. And experts have discovered that many phishers–crooks who use fake websites to trick users into giving up valuable personal information–have found a trick that makes it harder for the good guys to block or shut them down.
The trick, dubbed “flux,” allows a fake site to change its address on the Internet very quickly, making it hard for defenders to block these sites or warn unsuspecting users. According to research recently published in the journal IEEE Security and Privacy, about 10 percent of phishing sites are using flux to hide themselves.
Flux makes use of the Internet’s domain name system, which is responsible for matching a Web address typed into a browser with the server that actually hosts a site. When a user tries to visit a Web page, the domain name system first directs the user to a name server, which maintains an up-to-date list of site addresses. This name server then tells the user’s browser where to find the desired site.
Normally, only a small number of machines host copies of a site–just enough to keep it going if something goes wrong. Fraudulent sites, however, are a different story. Phishing sites are often hosted through botnets–thousands of hijacked machines distributed across the globe.
“These machines don’t belong to the miscreants, they belong to you and I and our grandmothers,” says Minaxi Gupta, an assistant professor of computer science at Indiana University who was involved with the research. Because phishers have access to so many machines, she explains, they can use all of them to move a site around rapidly, throwing defenders off the scent while keeping the website available.
To use flux, a phisher needs to control a domain name, which gives him the right to control its name server. The phisher then sets the name server so that it directs each new visitor to a different set of machines, cycling quickly through the thousands of addresses available within the botnet. Gupta notes that flux is most effective when the phisher shifts the location of the name server as well. If the name server is also moving to different locations on the Internet, it’s doubly hard for defenders to pinpoint a central location where the fake website can be shut down. Gupta’s group found that 83 percent of phishing sites that used flux this way lasted more than a day before being blocked, compared with a 65 percent survival rate for sites that didn’t use flux.
The group also identifies methods for detecting flux and suggests that flux detection should be built into the domain name system itself. Since using the technique likely means a site is fraudulent, the system itself could help protect unsuspecting users from visiting these sites.
Shortening detection time by even a few hours can make a significant difference, says Alper Caglayan, president of Milcord, a company based in Waltham, MA, that collects real-time data about botnets. “If they can operate even a day, they’ve already made too much money,” he adds.
Caglayan notes that there are some legitimate ways to use flux–for example, to deliver multimedia content efficiently–but says that the way a botnet uses flux should look different. For example, a botnet’s machines are scattered around the world in a pattern that wouldn’t make sense for a legitimate business.
Some experts believe that a multipronged approach is needed to stop phishing sites. Caglayan’s company provides a service that helps Internet service providers and other large network administrators find and shut down infected machines within their networks.
Some Web browsers also use blacklists to warn users away from fraudulent sites. But tricks like flux make it almost impossible for those blacklists to stay current enough to be useful. Caglayan expects that, in the future, browsers will need to build in systems that can detect fraud on their own.
Detecting flux will only help people who are using blocking services of some kind, says Manoj Srivastava, chief technical officer of Cyveillance, a security company based in Arlington, VA. “To effectively deal with an attack involving fast flux, it is necessary to take the domain off the Internet, and that requires working with either the registrar or registry of that domain,” he says. This can be hard because some domains are located in countries with loose regulations for Internet fraud. Simpler obstacles such as a language barrier can also leave a fraudulent site in operation for a longer period of time.
Gupta says that, as with most Internet crime, flux is a just one component in a larger game of cat and mouse. “You can’t win this game,” she says. “You just have to continually detect their means and adjust to them.”