The most problematic phishers are those that uses rock-style tactics to implement their scams. By using a combination of fast-flux botnets, reverse proxies, and registering a myriad number of domain names, their scams are likely to stay alive 50% longer or more than regular phishing attacks. Clearly they’re more advanced that the ankle-biters that use free phishing kits and free web space like geocities.
Today I started seeing reports of a PayPal phishing attack using using the URL (line wrapped for readability):
The only problem is that it’s impossible to resolve this hostname. If you look carefully, you’ll see the label that starts ‘session-’ following by a bunch of numbers is 91 characters long. That is longer than the maximum of 63 allowed by RFC 2181.
The phishers never notice this themselves because their nameservers have wild-card entries that allow any hostnames and sub-domains to resolve (assuming the query get to their servers).