Yes, it has finally happened - big time phishers going after control of domain names. 
 
The ROCK group is the most notorious phishing group out there, with confirmed thefts of hundreds of millions of dollars from financial institutions around the world.  They use extremely sophisticated tactics for generating spam, building their phishing sites, and cashing out the stolen funds.  They are relentless, targeting a dozen or more institutions at once, and extremely creative.  Registered domain names are their current modus operandi for setting up relatively long-lasting phishing sites on their botnets, and that is where we think the attack against GoDaddy comes in.  Given their patterns in the past, we fully expect them to target every major registrar within the next few months.
 
For the time being, we think (and hope) that this is just an incremental move on the ROCK group's part, in response to how effective the industry has lately become (and our own team's tremendous results in particular these past few weeks) at getting bogus domains killed far more quickly.  So we think this is all about keeping their domains up longer.
 
Phishing attacks against registrars let the attackers take over legitimate domain management accounts for use in future ROCK attacks, either by seizing control of the existing domains in those accounts or by registering new ROCK domains on an account that the registrar "trusts" because it has been used for valid purposes over a long period of time.
 
Domain owners are particularly susceptible to spear-phishing attacks because their contact information is tied to the domain in public whois records (or published on their website).  Evidence that this is targeted rather than broadcast spam: we have known about the new attacks against GoDaddy for well over a full day now, no one else is reporting them to the usual lists, and we have not seen the spam hitting the traps the way we usually do for ROCK phish.  The infamous Domain Registry of America was able to fool tens of thousands of people (or more) into transferring their domain names with bogus letters and e-mails disguised as renewal notices.  Think about how many people will fall for the "click here to renew your domain" trick in spoofed registrar e-mails.
 
What does this mean for financial institutions?  You should be afraid - very afraid.
 
The largest security hole the on-line banking industry has is its domain name registrations.  This has been the "dirty little secret" in this field for years.  If a criminal takes over the domain registration for a bank, he can move the bank's name to anyplace he wants on the Internet.  How?  Via the domain's nameservers, which are controlled from the domain registration account.  Once he points the delegation at nameservers he controls, he can answer for the bank's hostnames with whatever addresses he likes: either replace the site outright, or run the ultimate man-in-the-middle attack by capturing everything through a proxy or port redirector and funneling the customers on to the real bank site so their transactions still go through and nobody notices.
 
What should a financial institution do to protect itself?  What you should have been doing all along.
 
1) Financial institutions need to get full control of their domain name space and the actual registrar accounts that hold it.  Access to the domain management accounts must be strictly controlled and thoroughly audited on a continuous basis.  Whois and nameserver checks should be performed daily or better (nameservers by the minute!), comparing what is published against a known-good baseline of nameservers, registrar, and registrar lock status, and alerting on any difference.
 
2) Domain renewals, updates, and registrations should be handled by one designated person only, or by a professional outsourcing firm that will not get fooled by bogus renewal/transfer/update e-mails.  Leaving this up to an admin in accounting is a recipe for the entire on-line bank to be taken over.
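The following is an added example of the baseline check described in point 1; it is not code from the original post or from any registrar.  It parses the common "Key: Value" layout of whois output and diffs the published nameservers, registrar, and status locks against a recorded baseline.  The domain, nameservers, registrar name, and whois text are all constructed for illustration; in production the observed values would come from `whois` and `dig +short NS <domain>` run on a schedule.

```python
import re

# Hypothetical baseline for a constructed domain.  The real values are recorded
# from the institution's own records when monitoring is set up, never from a
# live lookup, since a lookup after a takeover would baseline the attacker.
BASELINE_DOMAIN = "example-bank.test"
BASELINE_NS = {"ns1.example-bank.test", "ns2.example-bank.test"}
BASELINE_REGISTRAR = "Example Registrar, Inc."
# EPP status codes that stop a registrar from transferring, updating or
# deleting the domain without the account holder unlocking it first.
REQUIRED_LOCKS = {"clienttransferprohibited", "clientupdateprohibited",
                  "clientdeleteprohibited"}

# Constructed whois output in the usual "Key: Value" layout.  One nameserver
# has been swapped for an attacker's host and the transfer lock is gone,
# which is what a registration takeover looks like from the outside.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-BANK.TEST
Registrar: Example Registrar, Inc.
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Name Server: NS1.EXAMPLE-BANK.TEST
Name Server: NS1.ATTACKER-HOSTING.TEST
"""


def parse_whois(text):
    """Collect repeated 'Key: Value' lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        # Non-greedy key so the first colon ends the key; URLs in values keep theirs.
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(\S.*?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields


def normalize(names):
    """Hostnames compare case-insensitively and with or without a trailing dot."""
    return {n.rstrip(".").lower() for n in names if n}


def check_delegation(expected, observed):
    """Diff an observed NS set (dig output or whois lines) against the baseline.

    Returns a list of alert strings; an empty list means the delegation is intact.
    """
    exp, obs = normalize(expected), normalize(observed)
    alerts = [f"UNEXPECTED nameserver: {ns}" for ns in sorted(obs - exp)]
    alerts += [f"MISSING nameserver: {ns}" for ns in sorted(exp - obs)]
    return alerts


def check_whois(text, expected_ns=BASELINE_NS, registrar=BASELINE_REGISTRAR,
                locks=REQUIRED_LOCKS):
    """Run the nameserver, registrar and lock checks over one whois response."""
    fields = parse_whois(text)
    alerts = check_delegation(expected_ns, fields.get("name server", []))
    seen_registrar = fields.get("registrar", [""])[0]
    if seen_registrar.strip().lower() != registrar.lower():
        alerts.append(f"REGISTRAR changed: {registrar!r} -> {seen_registrar!r}")
    # Status lines read "clientTransferProhibited https://..."; keep the code only.
    statuses = {s.split()[0].lower() for s in fields.get("domain status", [])}
    alerts += [f"LOCK missing: {lock}" for lock in sorted(locks - statuses)]
    return alerts


if __name__ == "__main__":
    # Feed real data with e.g. check_whois(open("whois.txt").read()) or
    # check_delegation(BASELINE_NS, dig_output.split()) from a cron job.
    for alert in check_whois(SAMPLE_WHOIS):
        print(f"{BASELINE_DOMAIN}: {alert}")
```

Against the constructed record the script raises three alerts: the foreign nameserver, the missing legitimate one, and the absent transfer lock.  Any non-empty result should page someone, since every one of these changes can only be made from inside the registrar account.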

There is much more phishers can do once they control your domains.  Feel free to contact us if you want to learn the dirty details.