Application security, Incident Response, Malware, Phishing, TDR, Vulnerability Management

Phishing drops as Rock Phish invests in technology updgrade

A plummet in the number of phishing emails between spring and summer appears related to a major crime group's decision to upgrade its botnet infrastructure, new research from RSA revealed on Friday.

The notorious Rock Phish group, believed responsible for at least half of all phishes, has spent the last several months transitioning from a legacy botnet to the Asprox botnet, Sean Brady, product marketing manager at RSA, told

The move will help the criminal syndicate distribute phishing emails faster and more frequently, while being more difficult to detect, he said.

“Like any business that upgrades its IT infrastructure, we would believe the Rock Phish group would think they're better prepared for the future,” Brady said. “We would not be surprised if we saw phishing levels return to where they were in the spring or early summer.”

According to phishing clearinghouse PhishTank, the number of valid phishes in July was 8,090, a considerable drop-off from 11,706 in May and 16,527 in April.

The Asprox botnet, traditionally leveraged to scan for websites vulnerable to SQL injection and infect users' machines with trojans, is now potentially being used by Rock Phish to distribute its attacks, Brady said.

“Leveraging the Asprox botnet and hosting your attacks from that botnet means that's it's essentially self-fueling,” he said. “You can create a larger botnet in a shorter period of time and therefore launch wider attacks.”

Asprox also comes outfitted with more advanced fast-flux networks, used to hide phishing sites and IP addresses behind a constantly changing series of botnet nodes that act as proxies, Brady said.

“They all run cover for the real system that is hosting the phishing attack,” he said.

Dave Jevans, chairman of the Anti-Phishing Working Group, a phishing resource organization, said he has noticed a steep decline in phishing emails, but now Rock Phish appears back.

A number of European banks and at least one major U.S. bank are being actively targeted in phishing campaigns, he said.

But it is doubtful Rock Phish, believed to be based in St. Petersburg, Russia,  took a major financial hit during the downtime, Jevans said.

“You don't need to be constantly harvesting credentials,” he said. “There are more stolen passwords out there than have ever been used.”

Brady said the time off shows Rock Phish is being run like a legitimate corporation.

“They have profit concerns, margin concerns and now obviously IT infrastructure concerns,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.