
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Citadel Trojan

RSA’s December Online Fraud Report 2012 including an excellent piece on Ransomware

RSA’s December Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report follows.

Ransomware is a type of Trojan/malware that locks files on an infected machine or restricts access to the computer until the user pays a “ransom” for the restrictions to be removed.

Infection campaigns and methods used by Ransomware are identical to those used for any other malware/Trojan infection. For example, recent Ransomware campaigns infected users via the Blackhole exploit kit; another campaign relied on drive-by downloads via malicious tags in news sites and forums.

Ransomware campaigns take a variety of forms. One of the most common scams uses fake anti-virus programs, making users believe their computer is infected with unwanted software that can only be removed by purchasing the attacker’s special anti-virus product. Other forms include bogus messages from law enforcement and, in a recent example from Australia, a medical clinic whose patient records were held for a ransom of $4,200.

Although victims are promised their files will be unlocked once they pay the “fine”, in most cases the botmaster cannot control the infected bot, so the files/computer remain locked (depending on the malware’s function); paying does not guarantee recovery.

In order for criminals to remain untraceable, Ransomware payments must be kept anonymous, so these Trojans’ operators prefer prepaid payment cards/vouchers (available at retail locations in the US, Europe and now in Arabic-speaking countries as well). Ransomware appears to be a flourishing business in the cybercrime arena: this type of malware has been proliferating and attack numbers are on the rise.

Ransomware is so popular that although this WinLock-type malware can come as a standalone piece, nowadays it is often coupled with other Trojan infections to add a monetization scheme to new and existing botnets. Ransom components are sold as “plugins” for some of the well-known banking Trojans, including Citadel, Carberp, Ice IX, Zeus and SpyEye.

New commercial Ransomware

A recent variant analyzed by RSA researchers revealed a new type of Ransomware, dubbed “Multi-Locker” by its operators. This malware appears to be a commercial creation, destined for sale to cybercriminals interested in launching infection campaigns to spread it. The Multi-Locker ransom and botnet administration control panel were written by a Russian-speaking blackhat, based on a peer’s existing code (the “Silent Locker” Trojan). Much like other known Ransomware codes, the malware ships with localized HTML lock pages, selected by the geo-location of the victim’s IP address. Each page displays in the corresponding language, names the local national police and demands the ransom in the local currency ($/€/£/other) via prepaid cards/vouchers available in that country.

Multi-Locker is available to cybercriminals through a vendor in underground fraud communities. The malware was announced in the underground at the beginning of October 2012 and offered for sale at USD $899 per kit. In the ad, the vendor guarantees the locking of files on Windows-based machines running any version of Windows from 2003 to Windows 8.

Most ransom Trojans to date have been designed to accept prepaid cards or vouchers issued in the US and Europe. Multi-Locker’s vendors are adding their own research on the prepaid media used in Arabic-speaking countries and assure buyers that this knowledge will let them cash out the funds easily at the end of the line.

Multi-locker Botnet and control panel

Unlike the majority of ransom Trojans, Multi-Locker was designed with a central point of control that can manage some of the activity of infected bots. The basic control interface shows botmasters statistics such as the total number of bots on the botnet and the payments received from each bot; the interface parses each payment according to the type of prepaid card the victim provides.

The panel also displays the botnet’s conversion rate (the share of successful infections/locks out of the entire campaign) at any given moment, computed as the total number of lock pages loaded versus the number of bots; that ratio hovers around 20%.

New features coming soon: DNS-Locker

The most interesting module this Trojan offers is apparently yet to come: the DNS Internet Locker. The DNS Locker will be a restriction that takes over the web browser, forcing it to display only the Ransomware operator’s HTML lock page and demanding payment for the browser to be released.

The vendor boasts of having researched solutions online and found none that can help infected users rid their machines of the malware, adding that even starting the computer in safe mode will not remedy the lock, and guarantees that the future DNS Locker will work on even the newest versions of Windows.
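A check a responder would run against the behaviour described above, added here as an example and not code from RSA’s report or from the Multi-Locker kit. The page only names the DNS Locker module, so the example assumes (an assumption of this example, not a statement from the report) that such a lock works by making every hostname the browser looks up resolve to an attacker-controlled address that serves the lock page. The hosts-file contents, the resolver answers and the 203.0.113.7 address below are constructed sample data; the address is from a documentation range.

```python
"""Flag a DNS-level browser lock: many unrelated hostnames pinned to one address.

Two inputs are checked the same way: the Windows hosts file (a common place to
pin names) and a set of live resolver answers. Both inputs here are constructed
samples; 203.0.113.0/24 is a documentation range, not a real lock-page host.
"""
import ipaddress
from collections import defaultdict

# Constructed hosts file as a DNS lock might leave it: every site the victim
# is likely to open is pinned to the same address.
HIJACKED_HOSTS = """
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com
203.0.113.7     www.bing.com
203.0.113.7     www.facebook.com
203.0.113.7     www.microsoft.com
203.0.113.7     support.kaspersky.com
"""

# Constructed clean hosts file: loopback entries plus one private-LAN alias.
CLEAN_HOSTS = """
127.0.0.1       localhost
::1             localhost
192.168.1.20    nas.home.lan
"""

# Constructed resolver answers (name -> address) as a hijacked resolver would
# return them; a real check would fill this from socket.gethostbyname().
HIJACKED_ANSWERS = {
    "www.google.com": "203.0.113.7",
    "www.bbc.co.uk": "203.0.113.7",
    "www.paypal.com": "203.0.113.7",
    "nas.home.lan": "192.168.1.20",
}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments, blank lines and unparsable addresses are skipped; a line may
    carry several names for one address, so each name becomes its own pair.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            pairs.append((addr, name.lower()))
    return pairs


def collapsed_targets(pairs, min_names=3):
    """Return {address: [names]} for addresses that at least min_names distinct
    hostnames map to.

    Loopback and unspecified addresses are ignored: 127.0.0.1/::1 legitimately
    carry several names, and ad-blocking hosts files pin thousands of names to
    0.0.0.0. Any other address that collects several unrelated names is the
    signature of a lock that wants every site to land on one page.
    """
    names_by_addr = defaultdict(set)
    for addr, name in pairs:
        if addr.is_loopback or addr.is_unspecified:
            continue
        names_by_addr[addr].add(name)
    return {
        str(addr): sorted(names)
        for addr, names in names_by_addr.items()
        if len(names) >= min_names
    }


def collapsed_answers(answers, min_names=3):
    """Apply the same collapse check to resolver answers (name -> address)."""
    pairs = [(ipaddress.ip_address(ip), name.lower()) for name, ip in answers.items()]
    return collapsed_targets(pairs, min_names)


if __name__ == "__main__":
    for label, text in (("hijacked", HIJACKED_HOSTS), ("clean", CLEAN_HOSTS)):
        print(f"hosts file ({label}):", collapsed_targets(parse_hosts(text)) or "no finding")
    print("resolver answers:", collapsed_answers(HIJACKED_ANSWERS) or "no finding")
```

The hosts file is only one place a lock can pin names; the same collapse test applied to live resolver answers also catches a changed DNS server setting, which is why `collapsed_answers` reuses it. Expect false positives from hosts files that alias many internal names to one server, and from CDN front ends that answer for several brands; raising `min_names` or excluding private ranges handles the first, and checking whether the single address also serves an HTTP page demanding payment settles the second.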

RSA’s Conclusion

Ransomware was first seen coming out of Russia in 2005-2006 and has since evolved in tactics and scope. Ransomware is particularly lucrative to botmasters operating out of Eastern Europe, as almost all of it was written by Russian-speaking coders and sold by Russian-speaking vendors in the fraud underground.

Ransomware’s success rate may differ by country/geography, according to the number of users who decide to pay for the unlocking of the PC. Unfortunately the numbers for this type of attack continue to grow, as online users are not very aware of the threat and may attempt to resolve the issue on their own by paying the botmasters.

Phishing Attacks per Month

In November, RSA identified 41,834 unique phishing attacks launched worldwide, a 24% increase in attack volume from October. The growth in November is mostly attributed to the online holiday shopping season, as fraudsters try to leverage this time of year to lure victims.

Number of Brands Attacked

In November, 284 brands were targeted in phishing attacks, a 6% decrease from October. Of the 284 brands attacked, 45% endured five attacks or fewer.

US Bank Types Attacked

Nationwide banks continued to be the most targeted by phishing in November, experiencing nearly 80% of all attack volume.

Top Countries by Attack Volume

In November the US was targeted by 42% of total phishing volume. The UK accounted for 20% of the attack volume, with India emerging as the third most targeted by volume with 7% of all global attacks. India replaced Canada, which saw a significant decrease, from 27% of total attack volume in October to just 4% in November.

Top Countries by Attacked Brands

In November, the countries with the greatest number of targeted brands were the U.S. (30%), still leading by a wide margin, followed by the UK with 11%. Though absorbing a relatively small number of attacks in November, Brazilian brands ranked third most targeted with 6%, attesting to the diversity of attacked brands in the country.

Top Hosting Countries

Despite a 6% drop the month before, the U.S. continues to be the top hosting country for phishing attacks: one out of every two attacks in November was hosted in the U.S. France was the second top host, accounting for 7% of phishing attacks in November, most of which were hosted by a single ISP.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


RSA’s March Online Fraud Report

In its March Online Fraud Report RSA reports on the activity of online fraudsters; a full summary is below.

As well as the usual interesting statistics on fraudulent activity, this report sheds light on the changes to the Zeus and Citadel Trojans as cybercriminals “migrate” from one Trojan botnet to another.

RSA’s FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant that downloads an additional Trojan onto infected PCs by fetching a Citadel Trojan. RSA has witnessed many Zeus botmasters upgrade and move to Ice IX, and now to Citadel, infrastructures.

RSA researchers studied a Zeus 2.1.0.1 variant that runs on the infected machine and, seconds later, calls for the download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab had already seen Zeus botnets replaced by Ice IX botnets, this is one of the first analyzed instances of the Trojan calling for a Citadel replacement onto the infected PC.

The addition of a Citadel variant is a little peculiar on one hand, because it creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.
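The behaviour described above (the first Trojan runs, then seconds later fetches and launches a second one) is a sequence a host sensor can catch even when neither binary is known. The detection logic below is an added example, not RSA’s tooling or the report’s own analysis. It runs over constructed process, network and file events in a pipe-delimited format assumed for the example; the paths, PIDs and the 198.51.100.23 address are invented sample data (documentation range), not indicators from the report.

```python
"""Detect a staged download: a process connects out and, within seconds, drops
and launches a new executable.

Event format (assumed for this example): timestamp|kind|pid|ppid|detail, where
kind is process_start (detail = image path), net_connect (detail = URL) or
file_write (detail = file path). The events below are constructed.
"""
from datetime import datetime

# Constructed sensor log. The first process connects out and launches what it
# downloaded seven seconds after starting; notepad is unrelated noise that
# connects out but drops nothing.
SAMPLE_EVENTS = r"""
2012-03-05T10:00:00|process_start|1001|600|C:\Users\victim\AppData\Local\Temp\invoice.exe
2012-03-05T10:00:03|net_connect|1001|600|http://198.51.100.23/files/update.exe
2012-03-05T10:00:05|file_write|1001|600|C:\Users\victim\AppData\Roaming\Update\update.exe
2012-03-05T10:00:07|process_start|1002|1001|C:\Users\victim\AppData\Roaming\Update\update.exe
2012-03-05T10:05:00|process_start|1003|600|C:\Windows\System32\notepad.exe
2012-03-05T10:05:02|net_connect|1003|600|http://198.51.100.23/files/update.exe
"""

WINDOW_SECONDS = 60  # "seconds later" on the page; tune per environment


def parse_events(text):
    """Parse pipe-delimited event lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, ppid, detail = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "kind": kind,
            "pid": int(pid),
            "ppid": int(ppid),
            "detail": detail,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def within(event, start, window):
    """True if event happened between start and start + window seconds."""
    delta = (event["ts"] - start["ts"]).total_seconds()
    return 0 <= delta <= window


def find_staged_downloads(events, window=WINDOW_SECONDS):
    """Return one finding per process that, within `window` seconds of starting,
    made an outbound connection, then wrote an .exe, then started that .exe as
    a child process. All three steps are required in that order, so a process
    that merely connects out (notepad in the sample) is not reported.
    """
    starts = [e for e in events if e["kind"] == "process_start"]
    findings = []
    for first in starts:
        pid = first["pid"]
        connects = [e for e in events
                    if e["kind"] == "net_connect" and e["pid"] == pid
                    and within(e, first, window)]
        if not connects:
            continue
        writes = [e for e in events
                  if e["kind"] == "file_write" and e["pid"] == pid
                  and within(e, first, window)
                  and e["ts"] >= connects[0]["ts"]
                  and e["detail"].lower().endswith(".exe")]
        for write in writes:
            for child in starts:
                if (child["ppid"] == pid
                        and within(child, first, window)
                        and child["ts"] >= write["ts"]
                        and child["detail"].lower() == write["detail"].lower()):
                    findings.append({
                        "parent": first["detail"],
                        "url": connects[0]["detail"],
                        "dropped": child["detail"],
                        "seconds": (child["ts"] - first["ts"]).total_seconds(),
                    })
    return findings


if __name__ == "__main__":
    for f in find_staged_downloads(parse_events(SAMPLE_EVENTS)):
        print(f"{f['parent']} fetched {f['url']} and launched {f['dropped']} "
              f"{f['seconds']:.0f}s after start")
```

The point of requiring the full chain (connect, write, child start from the written path) is precision: any browser connects out, and many installers write executables, but few processes do all three within a minute of their own start. Legitimate auto-updaters do, so in production the rule needs an allow-list keyed on signed parent images or known update paths, and the window should be widened when the first stage delays its download to evade exactly this kind of timing rule.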

GOODBYE ZEUS?

Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus”. The last real Zeus was Zeus 2.0.8.9; even the v2.1.0.1 development was an upgrade by someone outside the original team.

Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It is only a matter of time before botmasters move away from Zeus to Trojans for which the development of upgrades and new features continues to thrive. We will likely see less of Zeus on the monthly charts, although its offspring will live on.

Phishing Attacks per Month

While 2012 kicked off with an increase of over 40% in global phishing attacks, February marked a 30% drop, with only 21,030 phishing attacks detected. After five consecutive months of being the most heavily targeted country, the UK was replaced by the U.S. as the country enduring the most phishing volume.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in February. Of those targeted brands, 53% endured fewer than five attacks (150 brands) and 47% endured five attacks or more (131 brands).

US Bank Types Attacked

U.S. nationwide brands and regional banks both saw an 8% increase in phishing attacks in February, while credit unions saw a 16% drop.

Top Countries by Attack Volume

Following five consecutive months during which the UK topped the chart as the country absorbing the highest volume of phishing, the U.S. topped the chart once again in February with 35% of global phishing volume. Just as surprising, Canada made an unexpected leap: after accounting for only 4% of worldwide attacks in January, Canada accounted for 27% of the world’s phishing attacks in February.

Top Countries by Attacked Brands

The U.S. and UK remained the countries with the highest number of attacked brands in February, together accounting for 42%, followed by Australia, India, Italy and Canada, which together accounted for 17% of attacked brands.

Top Hosting Countries

The share of phishing attacks hosted in the U.S. dropped significantly this month, falling from 82% in January to 46% in February. In January, six countries hosted about 90% of global phishing attacks; in February, 17 countries shared that same portion of hosting.

See the full report on the RSA website.

Previous RSA Online Fraud Report Summaries:

  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

