Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

citadel

RSA’s August Online Fraud Report 2012 including a summary of Fraud as a Service (FaaS)

In their August Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below.

A five-year retrospect on Fraud as a Service (FaaS) reveals that the types of services sold today have changed very little; the more noticeable changes came in the shape of scalability, service relevancy, higher availability, better deals, customer support and buyer guarantees.

Underground criminals buy and sell goods and services around the clock. The fact that these markets operate online eliminates borders and physical distance, allowing people from different parts of the world to wheel-and-deal and to partner-up in the orchestration of fraud cash-out cycles without ever meeting or speaking on the phone.

What do they sell?

For phishing – scam pages, complex phishing kits and custom kit plugins, spamming services, email databases, junk traffic, SEO poisoning, email cracking tools, spam software, and SMS spoofers, to name a few. After the attacker gathers the spoils, fraudsters can opt to buy the already-harvested databases of phishing attacks or purchase unitary ‘logins’ in an online shop selling compromised data.

For botmasters –  Trojan-related facilitators exploit kits, malware spam, botnets, Trojan kits, HTML injections, customized malicious code, encryption services, bulletproof hosting, pay-per-installs/affiliate infection schemes, plugins, set-up and tech support.

Hardly ever does one fraudster take on the complete fraud cycle; rather, fraudsters opt to partner with more experienced criminals or offer up their own expertise (such as performing in-store pick up of goods obtained with stolen credit card data). Much like real-world crime, each actor ‘gets his hands dirty’ to different extents. Bottom line – the fraudulent transaction is turned into cash in different ways and the profits are shared among those involved.

Those who don’t have any trustworthy connections in the world of fraud find and use transfer and cash-out services. Money mule, cash-out services and Item-drop mules have become ever so popular, that some vendors have already automated them for those who attempt the bulk of transactions each day bot herders and ‘carders’.

Almost all busy criminals today connect with a mule repository operator and have their fraudulent transactions go through the vendor’s mules, receiving a cut of each successful transaction as per a mutual agreement. Some cases of mule-repositories are part of the fraud cycle of one gang.

Recent underground fraud services:-

Hire a “Man-in-the-Middle”

One of the more interesting recent FaaS offers was found in an underground forum, posted by a Russian-speaking member offering his infrastructure for very temporary hire, alongside his own services as a man-in-the-middle facilitator. The botmaster had a few perks for customers who wish to attempt Trojan attacks without having to set up anything whatsoever:

  • Rent the infrastructure – gain access to infected bots
  • Pay to target and harvest – send over a trigger and a Trojan injection and those will be pushed to existing infected bots on the botnet (through a Trojan configuration file update)
  • Pay to attack – the botmaster will facilitate fraudulent transaction attempts using his Trojan’s remote administration access to bots

Buy a Botnet

The vendor behind this offer was also working in collaboration with other cybercriminals, each offering a related service a bot herder would need for the set up and operation of a botnet.

Automated Customer Support

In the recent past, Trojan developers only offered support via live chat using instant messaging services (Jabber, ICQ). A developer could only support a limited number of chats until the burden of supporting his customers became too great and support deteriorated or stopped altogether.

Trojan developers did understand the substantial need for customer/technical support and took pains to find new ways to preserve their customer base. To get an idea about just how ‘real’ customer support has become, take a quick look at this SpyEye vendor’s page. Notice the headers on the page; much like legitimate software companies – they direct users to an FAQ page, an “About SpyEye” section, and provide a detailed web form that can be sent directly to the vendor’s alleged support team, automating the process.

Many of today’s fraud service vendors put strong emphasis on supporting their buyers, offering guarantees and assistance, from the exchange of faulty or invalid cards and access credentials, all the way to providing set-up, tutorials, and tech support to those who have to operate on going online fraud operations (botnets, CC shops, exploits etc.).

One cannot mention excellent cybercrime customer support today without “Citadel” coming to mind. The team developing the Citadel Trojan has long established itself as the new go-to crimeware vendor, well on their way to inheriting the Zeus Trojan market share they built upon. The most unique feature this team offers to botmasters using Citadel is a clever CRM model that supports, tickets, listens and advises members on how to set up and operate their Trojans. The CRM is not optional! All botmasters must join it and pay a fixed monthly fee for their membership.

RSA’s conclusion

A better cybercrime marketplace, much like organized crime in the physical world, increasingly affects the world’s economy by the sheer amounts of money it taxes it every year. The worst part about this dark economy is its faceless, covert nature and thus the hardship in quantifying and understanding the extent of its damage.

Stronger crime economies are a burden on the legitimate economy in hard costs but do not stop there. This large scale clandestine operation also affects crime statistics and touches real-life aspects of law enforcement and the legal system. Due to cybercrime’s global, scattered nature, fighting it often requires internationally coordinated investigations and arrests, further taxing the resources of each nation touched by digital crimes.

Phishing Attacks per Month

Phishing attacks in July increased 14% from June, marking yet another high of 59,406 attacks in a single month. In examining an overall spike in attacks, the bulk of last month’s increase can be attributed to highly targeted phishing campaigns launched against a series of financial institutions in Europe.

Number of Brands Attacked

In July, a total of 242 brands were targeted with phishing attacks, marking a 7% drop from June. As compared to July 2011, last month’s list of phishing targets demonstrates a 25% year-over-year drop in the number of targeted brands.

US Bank Types Attacked

There was very little change in how the U.S. banking sector was targeted by phishing in July. Nationwide banks still continue to be targeted by about three out of every four phishing attacks. This reflects the tendency of cybercriminals to attack larger financial institutions.

Top Countries by Attack Volume

For the fifth consecutive month, the UK was targeted by the highest volume of phishing attacks, followed by the U.S. and Canada. The UK endured 70% of worldwide attacks, its highest portion ever.

Top Countries by Attacked Brands

Although the UK was targeted by 70% of phishing volume in July, the U.S. continues to be the country with the greatest number of targeted brands. Brands in the U.K., Brazil, India, and Australia collectively were targeted by 27% of attacks in July.

Top Hosting Countries

The U.S. hosted 79% of worldwide phishing attacks last month, its highest portion to date according to the RSA Anti-Fraud Command Center. Canada, the UK and Germany accounted for hosting an additional 10% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

Advertisements

RSA’s April Online Fraud Report 2012

In their April Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

As well as the usual interesting statistics on fraudulent activity this report sheds light on the changes to the Citadel Trojan.

Citadel Trojan hooks system processes to isolate bots from AV and security.

The Citadel Trojan was first introduced for sale to cybercriminals in the Russian-speaking underground in February 2012. The Trojan, which was initially based on the Zeus Trojan’s exposed source code, is already at its second upgrade release, version 1.3.3.0, which was shared with its customer-base on March 15th.

One of the features included in the initial report and communicated by Citadel’s developers in late February related to a Trojan feature they have apparently implemented: DNS Redirection. Per the feature list, the developer claimed that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but rather allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

To add value for their customers, the developers went the extra mile to add a list of AV software providers and security scans to the DNS redirection lists embedded into the configuration. On a change-log posting from the team, the developer specified that at least 104 different security-vendor URLs were added to this feature.

RSA researchers were able to confirm that the DNS-redirection method embedded into the Citadel configuration file was not a feature available in the original Zeus Trojan; it is new programming, courtesy of the Citadel team.

The Citadel Trojan’s configuration contained more than 650 different URLs of a large variety of AV-providers and security scanning services based out of different countries (USA, DE, RU and more). Each ‘forbidden’ URL was followed by a “=” mark and the IP mask address to which the botmaster wants the victim rerouted.

Another interesting feature analyzed by RSA researchers appeared in a Citadel variant, raising questions as to redirection scheme to Citadel resources. At first sight, the analysis result seemed somewhat peculiar, showing that Citadel was using legitimate URLs as its C&C’s drop point as well as the configuration update point (Google, CNET).

Phishing Attacks per Month

After a brief peak in phishing that came in the beginning of the year, the two months which followed have shown a slight decrease. February marked a 30% drop in worldwide phishing volume and March followed with another 9% drop with 19,141 unique phishing attacks identified by RSA in March. When compared year over year, March 2012 saw a 9% increase from the phishing volume in March 2011.

Number of Brands Attacked

The number of brands targeted through March increased 8% compared to February, standing at a total of 303 brands targeted by phishing attacks.

US Bank Types Attacked

There was a considerable increase in the phishing volume experienced by U.S. regional banks last month – increasing from just 7% in February to 30% in March. Meanwhile, attacks against U.S. nationwide banks decreased 24%. This isn’t surprising as phishers tend to alternate their cashout schemes by aiming at the small and regional institutions as well.

Top Countries by Attack Volume

The most prominent change in March in attack volume was the 23% increase for the UK and a 24% decrease for Canada. Overall, the countries that are consistently targeted most by phishing attacks include the U.S., UK, Brazil, Canada, the Netherlands and South Africa.

Top Countries by Attacked Brands

In March, about three out of ten attacks were targeted at brands in the U.S and one out of ten targeted at brands in the UK. This is not surprising as these two countries also continue to see the most volume of phishing attacks overall.

Top Hosting Countries

The U.S. hosted just slightly over half of the phishing attacks identified in March. 8% of attacks were hosted in Brazil, showing a 5% increase from February. Sixty other countries were responsible for hosting 17% of phishing volume in March.

Previous RSA Online Fraud Report Summaries:

  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

RSA’s March Online Fraud Report

In their March Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

As well as the usual interesting statistics on fraudulent activity this report sheds light on the changes to the Zeus and Citadel Trojans as cybercriminals “migrating” from one Trojan botnet to another.

FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, Citadel infrastructures.

RSA researchers have studied a Zeus 2.1.0.1 variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.

The addition of a Citadel variant is a little peculiar on one hand because that creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.

GOODBYE ZEUS?

Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus”. The last real Zeus was, Zeus 2.0.8.9. Even the v2.1.0.1 development was upgraded by someone outside the original team.

Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It’s only a matter of time before botmasters will move away from Zeus to Trojans for which the development of upgrades and new features continue to thrive. We will likely see less of Zeus on the monthly charts – although its offspring will live on.

Phishing Attacks per Month

While 2012 kicked off with an increase of over 40% in global phishing attacks, February marked a 30% drop – with only 21,030 phishing attacks detected. After five consecutive months of being heavily targeted, the UK finally got replaced by the U.S. as the country enduring the most phishing volume.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in February. Of those targeted brands, 53% endured less than five attacks (150 brands) and 47% endured five attacks or more (131 brands).

US Bank Types Attacked

U.S. nationwide brands and regional banks both saw an eight percent increase in phishing attacks in February while credit unions saw a 16% drop in attacks.

Top Countries by Attack Volume

Following five consecutive months during which the UK topped the chart as the country that absorbed the highest volume of phishing, the U.S. topped the chart once again in February with 35% of global phishing volume. Just as surprising, Canada made an unexpected leap. After accounting for only 4% of worldwide attacks in January, Canada accounted for a 27% of the world’s phishing attacks in February.

Top Countries by Attacked Brands

The U.S. and UK remained the countries with the highest number of attacked brands in February with 42%, followed by Australia, India, Italy and Canada who together accounted for 17% of attacked brands.

Top Hosting Countries

The share of phishing attacks hosted by the U.S. dropped significantly this month, falling from 82% in January to 46% in February. In January, six countries accounted for hosting about 90% of global phishing attacks, while in February, we witnessed 17 countries share that same portion of hosting.

See the full report on the RSA website.

Previous RSA Online Fraud Report Summaries:

  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: