Phishing is basically an attempt by scammers to collect your login details for your bank or other financial organizations that have an online presence.

Most of this phishing is done through spam. If your email client is set to read email in HTML format, you will see an image with the official logos and layout of the organization that the phishers are phishing information for.

On an unpatched email client, although the destination may be the phisher's fake site, the message can be set to show the organization's URL when you put your mouse pointer over the image or links.

As far as the scammers are concerned, you don't need to have an account with the organization they are phishing. They hit everyone on their spam mailing list, which is why their targeted organizations are normally big banks with an international presence or a huge client base, like Bank of America, Fifth Third Bank, Citibank and the like.

With the advance in spam filtering technology, most such phish mails can be detected before they hit the recipient's inbox just by checking the mail content for text found in phishing attempts, but there is one particular style of phish that is harder to deal with and it is getting more popular lately. It is known as the rock phish.

This particular style of phishing consists only of an image with the full message embedded in it, complete with official-looking logos and layout, and it can be harder for anti-spam filters to recognize since they can't read text in images.

As such, most of the filtering of such phish will be based on blacklisted URLs detected in the text contents.

The URL generated by a rock phish is also unique in the sense that, although all the URLs resolve to the same destination, each has a uniquely generated number embedded within it, e.g. http://www.bankofamerica.com.onlinebankingid34048842.ultratot.net/session.cgi, where the number 34048842 is unique to this recipient.

This causes a problem for browsers with a phish filter: when the filter does a database check against the phish URLs that have been reported, the URL is unique and thus has not been reported before.
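The following is an added example, not code from the original article, showing why an exact-match URL database misses a second recipient's link and how a defender can key the blocklist on the registered domain and path instead. The brand list, the constructed second URL and the "last two labels" shortcut for finding the registered domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands to watch for; a real deployment would load its own list.
BRAND_DOMAINS = ("bankofamerica.com", "citibank.com", "paypal.com")

def registered_domain(host):
    """Simplification: treat the last two labels as the registered domain.
    Production code should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def blocklist_key(url):
    """Collapse per-recipient variation: drop the subdomain labels (where the
    unique number lives) and the query string, keep registered domain + path."""
    parts = urlsplit(url)
    return registered_domain(parts.hostname or "") + (parts.path or "/")

def embedded_brand(url):
    """Return the brand domain that appears as leading host labels of a
    different registered domain, or None if there is no such mismatch."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registered_domain(host)
    for brand in BRAND_DOMAINS:
        if reg != brand and re.search(r"(^|\.)" + re.escape(brand) + r"\.", host):
            return brand
    return None

def is_blocked(url, reported_keys):
    """Check a URL against a set of normalized keys from earlier reports."""
    return blocklist_key(url) in reported_keys

# REPORTED is the URL quoted in the article; UNSEEN is a constructed variant
# with a different number, standing in for another recipient's copy.
REPORTED = "http://www.bankofamerica.com.onlinebankingid34048842.ultratot.net/session.cgi"
UNSEEN = "http://www.bankofamerica.com.onlinebankingid77120913.ultratot.net/session.cgi"

if __name__ == "__main__":
    exact = {REPORTED}
    keys = {blocklist_key(REPORTED)}
    print("exact match hits unseen URL:", UNSEEN in exact)
    print("normalized key hits unseen URL:", is_blocked(UNSEEN, keys))
    print("brand embedded in host:", embedded_brand(UNSEEN))
```

The brand check works even when no report exists yet, since it only needs the mismatch between the brand name in the host and the domain that was actually registered.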

Some also think that phishers are able to trace a unique email address from the randomly generated number in the URL, but that gives them too much credit for their intelligence, and it is unlikely that they are this diligent.

As for the destination of such phish emails, they are mostly hacked machines on high-speed broadband or cable, set up to serve a login page of the organization they are phishing information for.

The domain names used are usually newly registered in bulk, most probably with a stolen credit card obtained either from previous phishes or other criminal means. The domains always resolve to a handful of IP addresses that are mostly hacked machines installed with various phish site templates (Fifth Third, BOA, PayPal, etc.).


