The recent article "Tracking Devious Phishing Websites" in MIT Technology Review reports that 10 percent of phishing sites are using fast flux techniques to hide themselves. ICANN describes fast flux as ‘rapid and repeated changes to host and/or name server resource records, which result in rapidly changing the IP address to which the domain name of an Internet host or name server resolves’. Fast flux is used by botnets to conceal the Command and Control server to foil takedown. Such botnets are used in DDoS, spam, phishing, malware delivery and exfiltration. In particular, the use of fast flux increases the survival rate of a phishing botnet by about 27% as discussed in the Technology Review article.
Over the last 18 months, we have tracked over 280,000 fast flux domain, IP, and nameserver entities, and witnessed the fast flux infrastructures to evolve from nascent to widespread use. Our ACM paper "Behavioral Analysis of Fast Flux Service Networks" compares the characteristics (e.g. size, lifespan, growth, etc.) of spam, phishing, and malware botnets. Figure below shows the lifespan distribution of fast flux malware (blue), phishing (green), and spam (red) botnets in our current collection. Here the x-axis scale shows the lifespan of an inactive fast flux botnet in number of days. The y-axis shows the number of inactive domains corresponding to specific lifespan measured in days.
In comparison to botnets used for spam and malware, phishing botnets live less than a week. In contrast, spam botnets live up to 90 days whereas malware botnets live up to 30 days.We suspect that phishing botnets receive the attention of brand protection takedown services as they target well-established brands. In contrast, malware delivery and spam botnets distribute their pain across the general population, thus avoiding retaliation.
Current domain and/or IP blacklist approach may be useful for malware delivery and spam botnets as they tend to stay a while. In contrast, such blacklist approaches are clearly inadequate to cope with phishing botnets with a short lifespan. As industry research by Cyveillance suggests that “the majority of the damage caused by phishing attacks is realized during the first 24 hours after an attack is launched”, near real-time detection capability of phishing botnets is imperative.