Gone phishing: Researchers from Indiana University--left to right, Andrew Kalafut, Youngsang Shin, and Minaxi Gupta--are studying a trick used to make phishing sites harder to detect and block.
"These machines don't belong to the miscreants, they belong to you and I and our grandmothers," says Minaxi Gupta, an assistant professor of computer science at Indiana University who was involved with the research.
Because phishers have access to so many machines, she explains, they can use all of them to move a site around rapidly, throwing defenders off the scent while keeping the website available.
To use flux, a phisher needs to control a domain name, which gives him the right to control its name server.
The phisher then sets the name server so that it directs each new visitor to a different set of machines, cycling quickly through the thousands of addresses available within the botnet.
Gupta notes that flux is most effective when the phisher shifts the location of the name server as well.
If the name server is also moving to different locations on the Internet, it's doubly hard for defenders to pinpoint a central location where the fake website can be shut down.
group found that 83 percent of phishing sites that used flux this way lasted more than a day before being blocked, compared with a 65 percent survival rate for sites that didn't use flux.
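The flux behaviour described above, seen from the defender's side, as an added example that is not from the article or the researchers: it labels domains from repeated DNS lookups by how often an answer contains only addresses never seen before, for the site's hosts and for its name server. The lookup data, both thresholds and the label names are assumptions.

```python
# Constructed resolver log: domain -> one (host addresses, name-server addresses)
# pair per lookup, in time order. All names and addresses are placeholders.
LOOKUPS = {
    "shop.example": [  # ordinary round-robin over a small fixed pool
        (["192.0.2.10", "192.0.2.11"], ["192.0.2.53"]),
        (["192.0.2.11", "192.0.2.10"], ["192.0.2.53"]),
        (["192.0.2.10"], ["192.0.2.53"]),
    ],
    "login-update.example": [  # hosts change on every lookup, name server fixed
        (["198.51.100.7", "198.51.100.99"], ["192.0.2.54"]),
        (["203.0.113.4", "198.51.100.23"], ["192.0.2.54"]),
        (["203.0.113.77", "198.51.100.150"], ["192.0.2.54"]),
    ],
    "account-verify.example": [  # hosts and name server both move
        (["198.51.100.31"], ["203.0.113.201"]),
        (["203.0.113.32"], ["198.51.100.202"]),
        (["198.51.100.33"], ["203.0.113.203"]),
    ],
    "new.example": [(["192.0.2.80"], ["192.0.2.53"])],  # seen only once
}

MIN_LOOKUPS = 3        # assumed: lookups needed before judging a domain
CHURN_THRESHOLD = 0.5  # assumed: share of lookups that return only new addresses


def churn(answers):
    """Share of later answers that contain no address seen in any earlier one."""
    seen, fresh = set(answers[0]), 0
    for answer in answers[1:]:
        fresh += seen.isdisjoint(answer)
        seen.update(answer)
    return fresh / (len(answers) - 1)


def classify(lookups):
    """Label each domain: stable, flux, or flux with a moving name server."""
    verdicts = {}
    for domain, history in lookups.items():
        if len(history) < MIN_LOOKUPS:
            verdicts[domain] = "insufficient-data"
            continue
        hosts_move = churn([a for a, _ in history]) >= CHURN_THRESHOLD
        ns_moves = churn([ns for _, ns in history]) >= CHURN_THRESHOLD
        if hosts_move:
            verdicts[domain] = "flux+moving-ns" if ns_moves else "flux"
        else:
            verdicts[domain] = "stable"
    return verdicts
```

Comparing each answer against every address seen so far, rather than only the previous answer, keeps a legitimate site that rotates through a small fixed pool from being labelled as flux.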