Rock Phish refers to both a phishing toolkit/technique and the group behind it.
At one time the Rock Phish group was stated to be behind "one-half of the phishing attacks being carried out". VeriSign reports them as a group of Romanian origin, but others have claimed that the group is Russian. They were first identified in 2004.
Their techniques were sophisticated and distinctive, as outlined in a presentation at APWG eCrime '07.
In 2004 the first rock phishing attacks contained the folder path "/rock", which led to the name of the attack and of the group.
Attackers employed wild card DNS (Domain Name System) entries to create addresses that included the target's actual address as a sub-domain. For example, in the case of a site appearing as www.thebank.com.1.cn/thebank.html, the "thebank.com" portion of the domain name is the "wild card", meaning its presence is purely superficial; it is not required in order for the phishing page to be displayed. "1.cn" is the registered domain name, "/thebank.html" is the phishing page, and the combination "1.cn/thebank" will display the phishing page. This allows the perpetrators to make the wild card portion the legitimate domain name, so that it appears at first glance to be a valid folder path.
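The check below is an added example, not part of the original article: it separates the registered domain from the cosmetic sub-domain labels and flags hosts that carry a protected brand domain as sub-domain labels. The suffix set, the protected list and the sample URLs are constructed assumptions; a real deployment would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "cn", "net", "org", "co.uk", "com.cn"}
# Assumption: brand domains the defender wants to protect.
PROTECTED = {"thebank.com"}


def registered_domain(host):
    """Return the registrable domain: longest known public suffix plus one label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        # Scanning from the left finds the longest matching suffix first.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def check_url(url):
    """Return (verdict, registered_domain, matched_brand) for a URL."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    reg = registered_domain(host)
    if reg in PROTECTED:
        return ("legitimate", reg, None)
    # Labels to the left of the registered domain are attacker-chosen text.
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    for brand in sorted(PROTECTED):
        b = brand.split(".")
        # Match the brand as a run of whole labels, not as a substring.
        for i in range(len(sub_labels) - len(b) + 1):
            if sub_labels[i:i + len(b)] == b:
                return ("brand-in-subdomain", reg, brand)
    return ("unrelated", reg, None)


if __name__ == "__main__":
    for sample in (  # constructed sample URLs
        "http://www.thebank.com.1.cn/thebank.html",
        "https://www.thebank.com/login",
        "http://1.cn/thebank.html",
    ):
        print(sample, "->", check_url(sample))
```

Because the wild card labels are not needed to reach the page, a blocklist entry should key on the returned registered domain rather than on the full host name.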