Infamous Phishing Gang Joins Stealthy Botnet

The Rock Phish group has joined forces with the botnet that hacked Websites with SQL injection, RSA researchers say

Dark Reading Staff, Dark Reading

September 5, 2008

The infamous Rock Phish gang appears to have moved its operations to a notoriously stealthy botnet in an effort to more aggressively spread and expand its phishing attacks.

Researchers at RSA’s FraudAction Research Lab say the phishing gang is replacing its homegrown botnet with the more sophisticated fast-flux Asprox, best known for propagating itself using SQL injection attacks on legitimate Websites. With fast flux, infected bot machines serve as proxies or hosts for malicious Websites and get rotated regularly, changing DNS records to evade discovery. IP blacklists are basically useless in finding fast flux-based botnets, so the bad guys behind these networks can easily hide phishing sites using this round-robin process. (See Phishing in Fast Flux.)
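One defender-side triage heuristic for the fast-flux behaviour described above, as an added example that is not from the RSA research or the original article: group passive-DNS observations per domain and flag names that resolve to many addresses, spread over several netblocks, with short TTLs. The domain names, addresses and thresholds below are constructed assumptions, not real indicators.

```python
from collections import defaultdict
from ipaddress import ip_address
from statistics import median

# Constructed passive-DNS observations: (domain, ttl_seconds, resolved_ipv4).
# Names and addresses are made up (RFC 5737 / 2544 / 6598 ranges), not real indicators.
OBSERVATIONS = [
    ("login-verify.example", 180, "192.0.2.5"),
    ("login-verify.example", 180, "198.51.100.9"),
    ("login-verify.example", 180, "203.0.113.44"),
    ("login-verify.example", 180, "192.0.2.77"),
    ("login-verify.example", 180, "203.0.113.200"),
    ("login-verify.example", 180, "198.18.0.3"),
    ("login-verify.example", 180, "100.64.3.7"),
    # CDN-like pattern: many addresses and a low TTL, but all in one netblock
    ("news.example", 60, "192.0.2.1"),
    ("news.example", 60, "192.0.2.2"),
    ("news.example", 60, "192.0.2.3"),
    ("news.example", 60, "192.0.2.4"),
    ("news.example", 60, "192.0.2.5"),
    ("news.example", 60, "192.0.2.6"),
    # Ordinary static host: one address, long TTL
    ("static.example", 86400, "203.0.113.1"),
    ("static.example", 86400, "203.0.113.1"),
]

def summarize(observations):
    """Per domain: distinct IPs, distinct /16 prefixes, median TTL."""
    by_domain = defaultdict(list)
    for domain, ttl, ip in observations:
        by_domain[domain].append((ttl, ip))
    summary = {}
    for domain, recs in by_domain.items():
        ips = {ip for _, ip in recs}
        # /16 prefix count is a cheap offline stand-in for ASN diversity
        prefixes = {int(ip_address(ip)) >> 16 for ip in ips}
        summary[domain] = {
            "ips": len(ips),
            "prefixes": len(prefixes),
            "ttl": median(ttl for ttl, _ in recs),
        }
    return summary

def flag_fast_flux(observations, min_ips=5, max_ttl=600, min_prefixes=3):
    """Return domains whose resolution pattern matches fast flux (thresholds assumed)."""
    return sorted(
        d for d, s in summarize(observations).items()
        if s["ips"] >= min_ips and s["ttl"] <= max_ttl and s["prefixes"] >= min_prefixes
    )

if __name__ == "__main__":
    print(flag_fast_flux(OBSERVATIONS))  # ['login-verify.example']
```

Content delivery networks also rotate low-TTL addresses, which is why the netblock-diversity check is there; treat hits as triage candidates for analyst review rather than automatic blocks.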

“Rock Phish has always gone after a variety of identity information and [found ways to] turn it into money… Asprox gives them a botnet that can populate faster and make it look like [attacks are] coming from one location,” says Sean Brady, marketing manager for the RSA Security Division of EMC.

Brady says RSA expects the phishing gang to now have the firepower to launch more Trojan attacks that can steal more information silently, and to better evade detection. RSA first noticed the Rock Phish gang begin to adopt Trojans back in April -- victims not only had their personal data stolen, but they also suffered a one-two punch with a Trojan infection that could steal other information, such as their online credentials on a Website.

Most recently, RSA witnessed Rock Phish begin to infect victims with a botnet client, which recruited the infected machine into a botnet. The researchers later determined that Rock Phish was using a command and control server on the Asprox botnet. And interestingly, there’s been a decrease in “classic” Rock Phish phishing attacks and an increase in attacks from Asprox, they say. “Circumstantial? Perhaps, but we believe it is not. We suspect this stage completes an upgrade from the outdated Rock Phish botnet to the highly advanced fast-flux network, known until now as Asprox,” says an RSA blog post today.

Rock Phish is believed to be based in Eastern Europe, and its exploits are responsible for over half of all phishing attacks around the world, mostly posing as financial institutions.

Meanwhile, it’s unclear whether Rock Phish is leasing botnet space on Asprox, or if Rock Phish has actually taken control of the botnet, according to Brady. Regardless, organizations should brace for a possible jump in phishing attacks in the near future thanks to this unholy alliance between Rock Phish and Asprox. “It’s important that organizations move to the next step in educating users… about Trojans,” he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
