A phishing rotator is a powerful tool for cyber threat actors, but it can also be their weakness.
When an attacker sets up a phishing page, they expect to retrieve the information they seek—credentials and sensitive data—within the first several hours of the campaign. As a result, the infrastructure for those phishing payloads is made to be disposable and may not last very long. Because of this infrastructure's short lifespan, it is imperative for potential targets of phishing campaigns to mitigate phishing URLs extremely early in the phishing lifecycle.
There are, however, pieces of infrastructure that are more lasting, and therefore far more useful during cyber threat investigations—namely phishing rotators. Phishing rotators are URLs that, instead of immediately displaying a phishing payload, redirect the victim to other URLs that host the payload. This infrastructure is advantageous for cyber threat actors because it enables them to safely prolong their campaigns to continue to catch the desired information from a single vector, even after the usual time frame has expired.
For example, if the vector is an email campaign and the actor is using the phishing URL directly instead of a rotator, they run the risk of having that URL mitigated by Google or Microsoft browser blocking, and possibly even having the payload itself taken down. With a phishing rotator, however, the victim could end up on a fresh site that has not been up long enough to have been blocked or taken down.
What Does a Phishing Rotator Look Like?
Below are sample sequences from a phishing rotator to different phishing payloads, which were detected by RiskIQ:
The sequences above are effective uses of infrastructure for the cyber threat actor. Instead of having to remake the entirety of their campaign whenever their payload-bearing site is blocked or mitigated, they just have to keep rotating through URLs.
The phishing rotator below was also found in RiskIQ’s data and is a perfect example of phishing cyber threat actors using rotators to significantly improve the efficiency of their campaigns. Via the Host Pairs data set in RiskIQ PassiveTotal, we can see that the rotator “hxxp://decorplantasforestal[.]com/visor/construction/processing[.]php” has been observed as the frontier URL for 58 unique phishing URLs, spread over seven different IP addresses and eight different domains:
When attempting to mitigate phishing incidents, it is important to look not only at the phishing page but also at the chain leading up to it, to see all the potential routes a victim could have taken to end up at the phishing site. Blocking or taking down a phishing rotator can slow down the cyber threat actor's overall campaign and help ensure that unwary Internet users do not become victims. Targeting and removing the underlying mechanisms in addition to their payload-bearing sites may also catch the phishers off guard.
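The host-pair pattern described above (one frontier URL fanning out to many short-lived payload URLs on different domains and IPs) can be turned into a simple triage check. The following is an added example, not RiskIQ's or PassiveTotal's code: it runs over constructed parent/child redirect observations and flags parents whose children spread across several external sites and IP addresses, so the redirect hub gets blocked alongside the leaves. All URLs, domains and IPs below are constructed samples.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HostPair:
    parent: str    # URL observed redirecting (candidate frontier/rotator URL)
    child: str     # URL the parent redirected to
    child_ip: str  # IP the child resolved to at observation time


# Constructed sample observations (not real data): one rotator-style parent
# fanning out to disposable payload hosts, plus a benign site redirecting to
# its own subdomains, which must not be flagged.
SAMPLE_PAIRS = [
    HostPair("http://rotator.example.net/visor/processing.php", "http://fresh-login.example.com/auth/index.html", "203.0.113.10"),
    HostPair("http://rotator.example.net/visor/processing.php", "http://secure-mail.example.org/login.php", "203.0.113.10"),
    HostPair("http://rotator.example.net/visor/processing.php", "http://account-verify.example.co/portal/", "198.51.100.7"),
    HostPair("http://rotator.example.net/visor/processing.php", "http://docs-share.example.io/view.html", "198.51.100.22"),
    HostPair("https://www.example.org/", "https://login.example.org/", "192.0.2.5"),
    HostPair("https://www.example.org/", "https://shop.example.org/", "192.0.2.6"),
]


def _site(url: str) -> str:
    """Naive registrable domain: last two labels of the hostname (good enough for triage)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def fan_out(pairs):
    """Per parent URL: distinct child URLs, external sites, and child IPs."""
    stats = defaultdict(lambda: {"urls": set(), "sites": set(), "ips": set()})
    for p in pairs:
        s = stats[p.parent]
        s["urls"].add(p.child)
        s["ips"].add(p.child_ip)
        if _site(p.child) != _site(p.parent):   # ignore redirects within the same site
            s["sites"].add(_site(p.child))
    return stats


def rotator_candidates(pairs, min_urls=3, min_sites=2, min_ips=2):
    """Return (parent, n_urls, n_external_sites, n_ips) for parents that look like redirect hubs,
    sorted by fan-out; each is a candidate to block in addition to its child payload URLs."""
    found = []
    for parent, s in fan_out(pairs).items():
        if len(s["urls"]) >= min_urls and len(s["sites"]) >= min_sites and len(s["ips"]) >= min_ips:
            found.append((parent, len(s["urls"]), len(s["sites"]), len(s["ips"])))
    return sorted(found, key=lambda t: -t[1])
```

The thresholds are assumptions to tune against your own host-pair data; the rotator on this page would score 58 URLs, eight domains and seven IPs, far above them.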
According to the APWG, the total number of phishing attacks in 2016 increased 65% over 2015. Safeguarding your organization against the potential of attack—and understanding motive and intent of that attack—requires full visibility into the state of all the assets, as well as rich intelligence data and machine-learning automation. With more than 30 million phishing pages already scanned, and tens of thousands of new pages scanned each day, RiskIQ understands how best to identify phishing campaigns and mitigate their impact.
To see how Digital Footprint works for yourself, interact with our free demos in RiskIQ Community Edition today.