Image by jan.gosmann via Flickr

Below is a summary of RSA Security’s August 2011 Fraud Report

Your package has arrived,” screamed the email header which landed in the email inbox of countless business professionals around the world. Open it up, and you will find information about a fictitious UPS or FedEx shipment scheduled to arrive.

Simply click on the link or the attachment to track the details and you will get served up with the latest version of the SpyEye Trojan on your computer – and most likely without even knowing it.

This is just one of many spear phishing email attacks targeted at organizations and their employees on a daily basis. In fact, phishing emails are landing in corporate in boxes around the world. In a recent study, 45% of employees stated they had received a phishing email at work. Most often, these attacks are launched by financially motivated criminals that target finance or accounting departments in an attempt to get access to business banking accounts via a Trojan. Yet, most of these malware strains are capable of doing a lot more. For example, one plug-in being developed in the underground today features an Outlook grabber that will allow criminals to steal emails directly from the infected user’s inbox.


Identification and analysis of a Trojan is the first critical step in the attack shutdown process. Once a malware strain has been analyzed and deemed malicious, the appropriate steps should be taken to initiate blocking or shutdown of identified infection, drop and update points. The malware associated with this particular attack was confirmed to be the SpyEye Trojan and contained advanced man-in-the-browser functionality. The Trojan contained a list of trigger URLs targeting over 200 organizations as well as automated cashout capabilities to mule accounts.

By blocking access to Trojan resources, the risk to organizations is greatly reduced. Blocked infection points reduce the chances of additional victims getting infected. Blocked update points decrease the chances of infected victims being redirected to new, updated locations. Blocked drop points effectively prevent any victims who might already be infected from transmitting information to a criminal.

Shutdown of Trojan communication resources is more complicated, however. Issues such as foreign working hours, foreign holidays and language barriers must be taken into consideration. In addition, malware is much less “visible” than phishing and more complicated due to the thousands of variants that exist. Before shutdown can begin, there are several factors to consider, such as the ability to recover credentials and evolution of the malware itself.

Credential recovery and forensics is especially key in attempting to extract additional valuable information such as lists of compromised personal information, as well as counts of submitted information, the IP address of victims, the malware binaries and more. Recovery and forensics is also important for working with the law enforcement community. Due to a lack of resources, some law enforcement agencies may not handle a case without proof that it is big enough to potentially harm a large number of victims. In this particular attack, shutdown was performed for the infection, update and drop points.

To date, RSA has shut down over 450,000 phishing attacks and 80,000 Trojan attacks on behalf of customers worldwide.

Phishing Attacks per Month

Phishing attacks identified by RSA hit a new record high of 25,191 in July. The AFCC has witnessed an overall increase in phishing attacks over the past few months. This increase that can be partially attributed to repeated attacks on a group of large financial institutions, which have been heavily targeted recently. Hijacked websites remain the most commonly used method of hosting phishing attacks.

Number of Brands Attacked

Last month, the number of brands attacked decreased by eight percent, dropping from 349 in June to 321 in July. In addition, 13 brands encountered their first phishing attack last month.

U.S. Bank Types Attacked

The portion of nationwide U.S. banks targeted by phishing dropped by two percent in July, yet this sector still remains as the most highly targeted by cybercriminals. Nationwide banks are likely considered more lucrative by phishers as their customer base is widely dispersed. Since most phishing attacks are distributed via massive spam mailing lists that are not region-specific, the probability of a spam recipient being a consumer of a nationwide brand is likely to be higher.

Top Hosting Countries

The U.S. hosted 53 percent of worldwide attacks in July while Canada and Germany each hosted five percent and the UK hosted four percent.

Top Countries by Attack Volume

The U.S. and the UK remain the countries targeted by the largest volume of attacks – accounting for over 75 percent of attacks in July. Interestingly, Brazil was one of the top three countries targeted by phishing in July – experiencing 5 percent of the attack volume last month.

Top Countries by Attack Brands

The top 10 countries by attacked brands stayed the same in July. Brands in the U.S. and UK are still most preferred by cybercriminals, accounting for over 40 percent of targeted brands last month followed by Italy, Australia, Brazil, Canada, and India.

The full report can be found here.