Security experts: Rock Phish is behind growing 'Net fraud

SAN FRANCISCO -- A recent surge in phishing — fraudulent e-mail and websites designed to "fish" sensitive personal information such as passwords and credit card numbers — is the handiwork of a small, shadowy cybergang, computer security experts say.

Rock Phish, a group of technically savvy hackers who oversee phishing websites and provide tools on the Internet that let others phish, is "the major driving force behind a worsening situation, and they are difficult to track down," says Zulfikar Ramzan, senior principal researcher at Symantec's Security Response Group.

Rock Phish got its name because of its use of the word "rock" in the Web addresses of phishing websites. It is believed to be in Eastern Europe, based on the widespread availability of its phishing tools on websites hosted in that region.

FBI spokesman Paul Bresson says the bureau is aware of the group. But U.S. authorities have little legal recourse to bust the foreign group and tamp down the surge in phishing, says Paul Henry, vice president of technology evangelism at Secure Computing.

So far, the criminal enterprise has victimized customers of U.S. and European financial institutions, such as Citibank and Barclays, as well as popular phishing targets eBay and PayPal, says Dan Hubbard, senior director of security and technology research at security firm Websense.

The gang is also targeting the commercial accounts of small and large businesses, says Fred Felman, chief marketing officer at MarkMonitor, a security company that has developed anti-phishing services. He estimates 77% of all active phishing sites are linked to Rock Phish and its methods.

In July 2007 — the most recent month for which data are available — the Anti-Phishing Working Group said new phishing sites pole-vaulted to 30,999, from 14,191 in July 2006.

More phishing sites have popped up this year — more than 220,000 and counting — than in the first seven months of any other year.

Rock Phish attacks employ Web addresses containing the names of real businesses, such as Bank of America, that are interspersed with random numbers.

The addresses appear authentic and are difficult to detect by anti-phishing defenses, says Paul Wood, a senior analyst at e-mail security firm MessageLabs.

A common Rock Phish tactic is to register new phishing addresses in rarely used country domains, such as Moldova (.md) and São Tomé and Principe (.st), that are not on the radar of law enforcement and anti-phishing groups, Felman and others say.

Before the bogus domain names are detected and removed, so-called Rock Phishers have already duped people and stolen their personal information.

Financial information stolen on Rock Phish websites is collected and funneled to a central computer server, Wood says.

Computer-security firm McAfee advises consumers to be dubious of e-mails that come from financial institutions and online payment services asking them to take immediate action on their accounts. It also warns consumers to be cautious of e-mail that uses poor grammar.