Symantec Global internet Security threat report
romania moved into fifth place and accounted for four percent of the total for countries hosting phishing UrLs in 2009. this was a dramatic change compared to 2008, when romania ranked 28th, and accounted for less than one percent of the total for countries hosting phishing UrLs. the four percent increase noted by Symantec, accounted for approximately an eighteen-fold increase in the number of phishing UrLs originating from romania during 2009. romania’s broadband sector has also developed rapidly in recent years.188 in addition to hosting phishing UrLs, it was noted by Symantec that romania moved from 20th position in 2008 to 12th position in 2009 for countries sending the most spam. Given these facts, it is clear that attackers are looking at romania as a favorable target for hosting malicious activity. Symantec anticipates this trend will continue through 2010.
Another significant change in the rankings in 2009 was China’s move from third-ranked position in 2008 for countries responsible for hosting phishing UrLs to 18th in 2009. One reason for this drop may be that Chinese companies and government organizations last year formed an antiphishing group that may have helped reduce phishing incidents.189
Automated phishing toolkits
A phishing toolkit is a set of scripts that allows an attacker to automatically create websites that spoof the legitimate websites of different brands, including the images and logos associated with those brands. the scripts also help to generate corresponding phishing email messages. Because each script generates pseudo-random phishing UrLs with a distinctive pattern, the particular script used to generate a particular phishing UrL can be identified from that pattern. All phishing UrLs reported to Symantec can be sorted and grouped according to those specific patterns.
phishing toolkits are developed by groups or individuals who, along with using the kits themselves, sell the kits in the underground economy. therefore, independent groups can use the same toolkit. note that toolkits sold in the underground economy often go unnamed. Unlike legitimate software, for which naming plays an important marketing role, phishing toolkits often become popular based on who has produced them. Moreover, their names are usually not integral given the limited lifespan of a great many of them. Consequently, phishing toolkits discussed here cannot be named specifically and will instead be referred to by numbers.
phishing Kit 1 relies on a strong social engineering component and is typically active only around holiday seasons. this explains why it was responsible for more than 29 percent of all phishing campaigns, in January 2009, but then its activity dropped to an average of 6.35 percent for the year overall (figure 14). Kit 1 only targets one popular Webmail service and uses domain names that are often related to images or pictures, such as “ellie.cool-xmas-pics.com” or “kyleman.cool-xmas-pics.com.” they are often sent using the same targeted Webmail service to other users, with text such as “Hey is this you on [sic] this picture?”
phishing Kit 1 is a domain-based phishing toolkit. Domain-based phishing toolkits require the phisher to own or register a unique domain such as “aphishingsite.com” and host it on a bot network or on an iSp. the phisher can then create phishing links with random subdomains, such as “mybank.aphishingsite.com,” “anotherbank.aphishingsite.com,” and so on.