Brian Pennington

A blog about Cyber Security & Compliance



RSA’s August 2013 Online Fraud Report featuring a review of “phish lockers”

RSA’s August 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

RSA researchers have increasingly observed the activity of highly targeted Trojans, dubbed ‘Phish Lockers’, used by cybercriminals to steal credentials. The Trojans present the infected user with a phishing page generated by the malware itself while locking the desktop, hence the name.

This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections.

Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time.

Much like most banking Trojans, phish lockers are activated by a trigger: when an infected user logs into a website on the malware’s trigger list, the Trojan becomes active. Unlike banking Trojans, however, phish lockers have no classic configuration file; most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers, including Internet Explorer, Firefox, Chrome and Opera.

The first thing the user sees is the browser window being shut down, followed by the desktop’s START button disappearing (a common occurrence with ransomware, for example). Based on the URL originally typed into the browser, the Trojan pops up a corresponding web form that looks exactly like the legitimate web page but is in fact a phishing page.

The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user’s mobile number.

When banking Trojans infect user machines, they remain resident on the device and can log the user’s keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using pre-defined domains as communication resources. Phish lockers, on the other hand, are not designed to carry out such complex activity and use basic methods, such as email, to transmit stolen data.

To send email from the infected PC, the malware’s author programmed it to use Extended SMTP (ESMTP), predefining a sender and a few recipients that act as a fallback mechanism in case the data is intercepted or a mailbox is blocked or closed for some reason.

Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker’s web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control.
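Because a phish locker exfiltrates over SMTP directly from the victim’s PC rather than through a C&C channel, a workstation opening mail-submission sessions, possibly to several different mail hosts as it falls back between recipients, is a practical detection hook. The following is an added example (not code from the RSA report or this blog) that scans constructed firewall log lines and reports non-relay hosts that talked SMTP; the log format, the IP addresses and the single authorised relay are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (not taken from the RSA report).
# 10.1.0.5 is the assumed corporate mail relay; 10.1.4.23 is a workstation.
SAMPLE_LOG = """\
2013-08-01T09:12:01Z allow tcp 10.1.4.23:51022 -> 203.0.113.10:443
2013-08-01T09:12:44Z allow tcp 10.1.4.23:51030 -> 198.51.100.25:25
2013-08-01T09:12:45Z allow tcp 10.1.4.23:51031 -> 198.51.100.26:587
2013-08-01T09:13:02Z allow tcp 10.1.0.5:40001 -> 198.51.100.25:25
2013-08-01T09:15:10Z allow tcp 10.1.4.99:51100 -> 203.0.113.11:80
"""

# Assumed log line shape: "<timestamp> <action> tcp <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SMTP_PORTS = {25, 465, 587}          # SMTP, SMTPS and mail submission
AUTHORISED_RELAYS = {ipaddress.ip_address("10.1.0.5")}   # assumption for the example


def find_workstation_smtp(log_text, relays=AUTHORISED_RELAYS):
    """Return {source_ip: [destination_ip, ...]} for every host other than an
    authorised relay that opened an SMTP-family session.  A single workstation
    reaching several distinct mail hosts in quick succession is the pattern the
    fallback-recipient behaviour described above would produce."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in SMTP_PORTS:
            continue
        src = ipaddress.ip_address(m["src"])
        if src in relays:
            continue                   # the mail relay is expected to speak SMTP
        hits[str(src)].append(m["dst"])
    return dict(hits)


if __name__ == "__main__":
    for host, destinations in find_workstation_smtp(SAMPLE_LOG).items():
        print(f"{host} opened SMTP sessions to {len(destinations)} hosts: {destinations}")
```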

RSA’s conclusion

It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced.

This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals, who are denied the opportunity to purchase more advanced malware kits to launch attacks. This could perhaps be pushing some cybercriminals to write and deploy simple malicious code that will at least get their dirty work done.

Phishing Attacks per Month

RSA identified 45,232 phishing attacks launched worldwide in July, a 26% increase in attack volume over the previous month.

US Bank Types Attacked

National banks continue to be the most targeted by phishing within the U.S. banking sector with 74% of attacks in July while credit unions were targeted by one out of every ten attacks last month.

Top Countries by Attack Volume

The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France, Canada, South Africa and Italy were collectively targeted by 15% of phishing volume.

Top Countries by Attacked Brands

U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and China together endured one-quarter of phishing attack volume.

Top Hosting Countries

The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by Canada, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks.

Previous 3 RSA Online Fraud Report Summaries

RSA’s April Online Fraud Report 2012

In their April Online Fraud Report RSA reports on the activity of online fraudsters; the full summary is below.

As well as the usual interesting statistics on fraudulent activity this report sheds light on the changes to the Citadel Trojan.

Citadel Trojan hooks system processes to isolate bots from AV and security.

The Citadel Trojan was first introduced for sale to cybercriminals in the Russian-speaking underground in February 2012. The Trojan, which was initially based on the Zeus Trojan’s exposed source code, is already at its second upgrade release, which was shared with its customer base on March 15th.

One of the features included in the initial report, and communicated by Citadel’s developers in late February, related to a Trojan feature they have apparently implemented: DNS redirection. Per the feature list, the developer claimed that, unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local pharming), but instead allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

To add value for their customers, the developers went the extra mile to add a list of AV software providers and security scans to the DNS redirection lists embedded into the configuration. On a change-log posting from the team, the developer specified that at least 104 different security-vendor URLs were added to this feature.

RSA researchers were able to confirm that the DNS-redirection method embedded into the Citadel configuration file was not a feature available in the original Zeus Trojan; it is new programming, courtesy of the Citadel team.

The Citadel Trojan’s configuration contained more than 650 different URLs of a large variety of AV-providers and security scanning services based out of different countries (USA, DE, RU and more). Each ‘forbidden’ URL was followed by a “=” mark and the IP mask address to which the botmaster wants the victim rerouted.
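When a configuration of this kind is recovered during an investigation, the first triage question is which security resources the bot is cut off from and which URLs are redirected to an attacker-controlled host (a pharming candidate). The following is an added example, not code from RSA or the Citadel authors; it assumes one `hostname=ip` entry per line, as the report describes, treats loopback or unspecified targets as a block and any other target as a redirect, and uses constructed placeholder domains rather than a real configuration.

```python
import ipaddress

# Constructed sample in the "URL=IP" shape described above; the domains are
# placeholders, not entries from a real Citadel configuration.
SAMPLE_REDIRECTS = """\
www.example-av.com=127.0.0.1
update.example-av.com=127.0.0.1
scanner.example-security.net=0.0.0.0
*.example-bank.com=198.51.100.77
"""

# Assumed watch list; an organisation would substitute its own vendor domains.
WATCHED_VENDOR_SUFFIXES = ("example-av.com", "example-security.net")


def classify_target(ip_text):
    """'blocked' if the bot is sent nowhere, 'redirected' if sent to a real host."""
    ip = ipaddress.ip_address(ip_text)     # raises ValueError on garbage
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"
    return "redirected"


def parse_redirects(text):
    """Split 'hostname=ip' lines into (hostname, ip) pairs, skipping blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        host, _, target = line.partition("=")
        if host.strip() and target.strip():
            entries.append((host.strip(), target.strip()))
    return entries


def triage(entries, watched_suffixes=WATCHED_VENDOR_SUFFIXES):
    """Group entries into watched security domains that are blackholed and
    any hostname rerouted to a live address (candidate pharming targets)."""
    report = {"blocked_vendor": [], "redirected": []}
    for host, target in entries:
        try:
            kind = classify_target(target)
        except ValueError:
            continue
        bare = host.lstrip("*.")          # "*.example.com" -> "example.com"
        if kind == "blocked" and bare.endswith(watched_suffixes):
            report["blocked_vendor"].append(host)
        elif kind == "redirected":
            report["redirected"].append((host, target))
    return report


if __name__ == "__main__":
    print(triage(parse_redirects(SAMPLE_REDIRECTS)))
```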

Another interesting feature analyzed by RSA researchers appeared in a Citadel variant, raising questions about the redirection scheme used for Citadel resources. At first sight the analysis result seemed somewhat peculiar, showing that Citadel was using legitimate URLs (Google, CNET) as its C&C drop point as well as its configuration update point.

Phishing Attacks per Month

After a brief peak in phishing that came in the beginning of the year, the two months which followed have shown a slight decrease. February marked a 30% drop in worldwide phishing volume and March followed with another 9% drop with 19,141 unique phishing attacks identified by RSA in March. When compared year over year, March 2012 saw a 9% increase from the phishing volume in March 2011.

Number of Brands Attacked

The number of brands targeted through March increased 8% compared to February, standing at a total of 303 brands targeted by phishing attacks.

US Bank Types Attacked

There was a considerable increase in the phishing volume experienced by U.S. regional banks last month – increasing from just 7% in February to 30% in March. Meanwhile, attacks against U.S. nationwide banks decreased 24%. This isn’t surprising as phishers tend to alternate their cashout schemes by aiming at the small and regional institutions as well.

Top Countries by Attack Volume

The most prominent change in March in attack volume was the 23% increase for the UK and a 24% decrease for Canada. Overall, the countries that are consistently targeted most by phishing attacks include the U.S., UK, Brazil, Canada, the Netherlands and South Africa.

Top Countries by Attacked Brands

In March, about three out of ten attacks were targeted at brands in the U.S. and one out of ten at brands in the UK. This is not surprising, as these two countries also continue to see the highest volume of phishing attacks overall.

Top Hosting Countries

The U.S. hosted just slightly over half of the phishing attacks identified in March. 8% of attacks were hosted in Brazil, showing a 5% increase from February. Sixty other countries were responsible for hosting 17% of phishing volume in March.

Previous RSA Online Fraud Report Summaries:

  • The RSA March 2012 Online Fraud Report Summary is here.
  • The RSA February 2012 Online Fraud Report Summary is here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

