Brian Pennington

A blog about Cyber Security & Compliance

Tag

Phish

RSA’s April Online Fraud Report 2013, with a focus on the changes in Phishing tactics

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online.

In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one.

Another similar example is reflected in time-delayed attacks (again, not new, but increasingly used by attackers). This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees: spear phish Friday, if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more, making them more likely to check out a link they received via email that day.

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting are registering a website for phishing and choosing a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are:

  • Switching letters, as in bnak or bnk for “bank”
  • Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
  • Swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing; however, for most individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.
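As an added example (not from RSA's report or this blog), the Python sketch below shows how a mail or proxy filter could flag the typo-squatting patterns listed above by comparing each label of a hostname with a list of protected brand names. The function names, the confusable-character set and the `.example` hostnames are constructed for illustration; the brand strings reuse the report's "bank" and "Monterrey" examples.

```python
"""Classify look-alike domain labels against a list of protected brand names."""
from typing import List, Optional, Tuple

# Constructed, deliberately small set of visually confusable ASCII pairs.
CONFUSABLE = {frozenset(p) for p in ("o0", "l1", "i1", "il", "s5")}


def is_transposition(label: str, brand: str) -> bool:
    """True when exactly two adjacent letters are switched (bnak vs bank)."""
    if len(label) != len(brand):
        return False
    diff = [i for i in range(len(brand)) if label[i] != brand[i]]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and label[diff[0]] == brand[diff[1]]
            and label[diff[1]] == brand[diff[0]])


def removed_index(short: str, long: str) -> Optional[int]:
    """Index in `long` whose removal yields `short`, or None."""
    if len(long) != len(short) + 1:
        return None
    for i in range(len(long)):
        if long[:i] + long[i + 1:] == short:
            return i
    return None


def is_visual_swap(label: str, brand: str) -> bool:
    """True when every differing position is a confusable pair (m0nterrey)."""
    if len(label) != len(brand) or label == brand:
        return False
    return all(x == y or frozenset((x, y)) in CONFUSABLE
               for x, y in zip(label, brand))


def classify_label(label: str, brand: str) -> Optional[str]:
    """Return the look-alike category of `label` relative to `brand`."""
    if label == brand:
        return "exact"
    if is_transposition(label, brand):
        return "transposition"
    if removed_index(label, brand) is not None:
        return "omission"          # a letter dropped, as in bnk
    i = removed_index(brand, label)
    if i is not None:
        # label[i] is the extra letter; doubled if it repeats a neighbour
        doubled = ((i > 0 and label[i] == label[i - 1])
                   or (i + 1 < len(label) and label[i] == label[i + 1]))
        return "doubling" if doubled else "addition"
    if is_visual_swap(label, brand):
        return "visual-swap"
    return None


def triage_host(host: str, brands: List[str]) -> List[Tuple[str, str, str]]:
    """Check every label except the last (TLD) and report look-alikes only."""
    labels = host.lower().rstrip(".").split(".")[:-1]
    findings = []
    for label in labels:
        for brand in brands:
            kind = classify_label(label, brand.lower())
            if kind not in (None, "exact"):
                findings.append((label, brand.lower(), kind))
    return findings


if __name__ == "__main__":
    protected = ["bank", "monterrey"]
    # Constructed sample hostnames under the reserved .example TLD.
    for host in ["bnak.example", "bnk.example", "www.Montterrey.example",
                 "m0nterrey.example", "bank.example", "weather.example"]:
        print(host, triage_host(host, protected))
```

Short brand strings such as "bank" will match many unrelated labels, so a hit from this kind of check is a reason to look closer at the URL, not a verdict.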

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impair their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers.

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but it is very limiting in terms of exposure to the phishing attack itself. This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on a daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization.

RSA’s Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lie increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seek the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.

Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S. were most targeted in January; 30% of phishing attacks were targeting U.S. organizations, followed by the UK, which represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.

RSA’s July Online Fraud Report 2012

In their July Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

Phishing attacks continue to increase around the world. In the first half of 2012, the RSA Anti-Fraud Command Center identified 195,487 unique phishing attacks, an increase of 19% as compared to the second half of 2011.

Global fraud losses down despite a 19% increase in phishing attacks

Despite the increase, however, fraud losses from phishing are on the decline. RSA estimates that phishing attacks in the first half of 2012 could have potentially caused $687 million in total losses to global organizations. It is also worth reading my previous post “A new report indicates that UK fraud has fallen by 50% in the last 12 months…”.

So why are fraud losses decreasing? One reason is that the industry is simply getting better at fighting back. A major factor in determining fraud losses caused by phishing is measuring the lifespan of an attack. The longer an attack is live, the more victims there are that are potentially exposed and at risk of having their credentials stolen. By reducing the lifespan of a phishing attack through early detection and shutdown, organizations narrow the window of opportunity for cybercriminals to commit fraud.

In the first half of 2012, the top ten countries that experienced the highest volume of phishing attacks include:

  1. United Kingdom
  2. United States
  3. Canada
  4. Brazil
  5. Netherlands

There have been major increases in phishing attack volume in some countries, while in other countries, it has declined slightly. One of the most significant increases was in Canada where phishing increased nearly 400% in the first half of 2012. There have been many observations as to why the sharp increase, but the main reason is simply economics: fraudsters follow the money. See my previous blog “Criminal logic; follow the money and find easy targets”. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become a lucrative target for cybercrime.

On the other hand, the U.S. experienced a 28% decline in phishing volume in the first half of the year. Other countries that have seen phishing volume decrease include Brazil, the Netherlands, Germany, Australia and South Africa.

Phishing Attacks per Month

In June 2012, phishing volume grew considerably. RSA identified 51,906 unique phishing attacks, a 37% increase. The recent spike in phishing volume can be partly attributed to the advanced technology and fraud services offered by cybercriminals in the underground including ready-made spam databases, custom coded malware designed to automate site hijacking and the hosting of malicious pages, as well as sophisticated spambot services.

Number of Brands Attacked

Despite the huge spike in phishing volume, the number of brands targeted by phishing attacks throughout the month of June decreased 13%.

US Bank Types Attacked

In the U.S. financial sector, nationwide bank brands saw a 16% increase in phishing volume in June while credit union brands saw a 10% decrease and regional bank brands saw a 6% decrease.

Top Countries by Attack Volume

The UK endured the largest volume of phishing attacks in June, despite seeing a drop of 21% in attack volume (from 63% to 42%). Canada was the country with the second largest volume of attacks, with a considerable increase from 3% to 29% in June. A surprising newcomer, Norway, experienced 2% of phishing volume.

Top Countries by Attacked Brands

The U.S., UK and Australia remain the three countries whose brands are most affected by phishing – targeted by 43% of phishing attacks in June. Brands in India, Brazil, Canada, Italy and China also remained heavily targeted by phishing in June.

Top Hosting Countries

The U.S. continues to be the country that hosts the most phishing attacks. In June, six out of every ten phishing attacks were hosted in the U.S. Russia and Poland – both newcomers to the Top Hosting Countries list – hosted 5% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

RSA’s June Online Fraud Report 2012

In their June Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

RSA researchers have been following Ransomware campaigns and Ransomware Trojan attack waves and have recently analyzed a new variant that holds infected PCs hostage until their owners make a €100 payment to the botmaster.

Ransomware is the type of malware that can infect a PC and then lock the user’s data most commonly by encrypting files or by injecting a rogue MBR (master boot record) to the system’s start-up routine.

Ransomware can come as standalone malicious code or coupled with other malware. This type of malicious campaign has been on the rise and is ever popular, with many recent cases combining banking Trojans with Ransomware. While the user’s files are typically locked until the ransom is paid, the victim is still free to browse the Internet, thus allowing the banking Trojan to continue collecting information on the victim uninterrupted.

The Trojan involved in the cases studied by RSA is a Ransomware that begins by checking for the future victim’s geo-location and adapting a ransom page to the local language for thirteen different countries. The fact that this malware aims at 13 specific countries may seem targeted enough at first sight, but it is only the case of one variant – if this malware is shared or sold with other criminals, they could easily adapt it to their own targets.

RSA researchers were able to recognize 13 different ransom kits available for this Trojan. All kits are located in the same folder, where some countries have two different types of images that can be downloaded and used by the Ransomware (in cases when more than one language is spoken in that country, such as Belgium).

After the Ransomware kit infected the PC, it was downloaded and unpacked locally. This is the point at which the Trojan begins its primary communication with the botmaster’s remote server.

The communication includes three main purposes:

  1. Inform the botmaster of the addition of a new bot and send the infected machine’s IP address (which is then used to define the infected PC’s physical location)
  2. Obtain a blacklist of potentially fake prepaid card/voucher numbers defined by the botmaster
  3. Ping the botmaster to use the C&C as a drop for the coming ransom payment (in the shape of a card PIN/voucher number)

This Trojan also makes a few copies of itself and saves them under different names locally on the infected PC.

Much like other Trojans, this Ransomware is managed via server side scripts on the botmaster’s resources. The variant analyzed in this case used four resources, all of which were located on the same physical server, using two different IP addresses held with a Russian-based ISP – typical for the vast majority of Ransomware.

RSA was able to deduce that the Ransomware analyzed is actually part of a larger cybercrime operation. The botmasters behind this malware variant are clearly bot-herding and monetizing their botnets using a loader Trojan, banking Trojans and Ransomware variants. The server hosting the Ransomware has proven to also be a drop zone for stolen credentials amounting to well over €80,000.

RSA Conclusion

Ransomware has been gaining speed among cybercriminals and bot-herders, likely because this extortion method works and keeps paying off, as victims believe that if they pay, their system will be unlocked.

With ransom amounts averaging €100, it seems as though botmasters behind these scams keep the fee relatively low, possibly so that the victim may prefer to pay it in hopes of releasing the hold on their PC rather than contact a support professional. Another factor keeping victims quiet is the typical Ransomware accusations, including things such as software and music infringement. It is very possible that users do not know they were infected by malware and are not keen on contacting someone about it, thus allowing this type of malware to enjoy its continued popularity.

Phishing Attacks per Month

In May 2012, phishing volume increased by 7%, with a total of 37,878 global attacks identified by RSA. The bulk of the increase observed in the past two months is a result of highly targeted phishing campaigns launched against a small number of financial institutions.

Number of Brands Attacked

The number of brands targeted by phishing attacks throughout May increased by 4%, and 50% endured less than five attacks.

US Bank Types Attacked

Phishing attacks against U.S. nationwide bank brands decreased by 20% while credit unions saw a 13% increase in phishing volume in May.

Top Countries by Attack Volume

After being targeted by 28% of worldwide attacks in April, Canada saw a huge drop in attack volume in May to just 3%. The UK remains the most heavily targeted country for the third consecutive month, enduring more than 60% of global phishing volume in May.

Top Countries by Attacked Brands

The countries with the most attacked brands in May were the U.S., UK, and Australia, accounting for 47% of all phishing attacks. Brands in Brazil, India, Canada, China, France and Italy also continue to remain highly targeted by phishing.

Top Hosting Countries

The U.S. saw an increase of 10% in the number of phishing attacks it hosted in May – increasing to 66%, or two out of every three attacks. Brazil also remained a top host with 9% and Germany with 4%.

Previous RSA Online Fraud Report Summaries:

  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

RSA’s April Online Fraud Report 2012

In their April Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

As well as the usual interesting statistics on fraudulent activity this report sheds light on the changes to the Citadel Trojan.

Citadel Trojan hooks system processes to isolate bots from AV and security.

The Citadel Trojan was first introduced for sale to cybercriminals in the Russian-speaking underground in February 2012. The Trojan, which was initially based on the Zeus Trojan’s exposed source code, is already at its second upgrade release, version 1.3.3.0, which was shared with its customer-base on March 15th.

One of the features included in the initial report and communicated by Citadel’s developers in late February related to a Trojan feature they have apparently implemented: DNS Redirection. Per the feature list, the developer claimed that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but rather allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

To add value for their customers, the developers went the extra mile to add a list of AV software providers and security scans to the DNS redirection lists embedded into the configuration. On a change-log posting from the team, the developer specified that at least 104 different security-vendor URLs were added to this feature.

RSA researchers were able to confirm that the DNS-redirection method embedded into the Citadel configuration file was not a feature available in the original Zeus Trojan; it is new programming, courtesy of the Citadel team.

The Citadel Trojan’s configuration contained more than 650 different URLs of a large variety of AV-providers and security scanning services based out of different countries (USA, DE, RU and more). Each ‘forbidden’ URL was followed by a “=” mark and the IP mask address to which the botmaster wants the victim rerouted.

Another interesting feature analyzed by RSA researchers appeared in a Citadel variant, raising questions as to the redirection scheme to Citadel resources. At first sight, the analysis result seemed somewhat peculiar, showing that Citadel was using legitimate URLs as its C&C’s drop point as well as the configuration update point (Google, CNET).

Phishing Attacks per Month

After a brief peak in phishing that came in the beginning of the year, the two months which followed have shown a slight decrease. February marked a 30% drop in worldwide phishing volume and March followed with another 9% drop with 19,141 unique phishing attacks identified by RSA in March. When compared year over year, March 2012 saw a 9% increase from the phishing volume in March 2011.

Number of Brands Attacked

The number of brands targeted through March increased 8% compared to February, standing at a total of 303 brands targeted by phishing attacks.

US Bank Types Attacked

There was a considerable increase in the phishing volume experienced by U.S. regional banks last month – increasing from just 7% in February to 30% in March. Meanwhile, attacks against U.S. nationwide banks decreased 24%. This isn’t surprising as phishers tend to alternate their cashout schemes by aiming at the small and regional institutions as well.

Top Countries by Attack Volume

The most prominent change in March in attack volume was the 23% increase for the UK and a 24% decrease for Canada. Overall, the countries that are consistently targeted most by phishing attacks include the U.S., UK, Brazil, Canada, the Netherlands and South Africa.

Top Countries by Attacked Brands

In March, about three out of ten attacks were targeted at brands in the U.S. and one out of ten targeted at brands in the UK. This is not surprising as these two countries also continue to see the most volume of phishing attacks overall.

Top Hosting Countries

The U.S. hosted just slightly over half of the phishing attacks identified in March. 8% of attacks were hosted in Brazil, showing a 5% increase from February. Sixty other countries were responsible for hosting 17% of phishing volume in March.

Previous RSA Online Fraud Report Summaries:

  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

RSA’s March Online Fraud Report

In their March Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

As well as the usual interesting statistics on fraudulent activity this report sheds light on the changes to the Zeus and Citadel Trojans as cybercriminals are “migrating” from one Trojan botnet to another.

FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, Citadel infrastructures.

RSA researchers have studied a Zeus 2.1.0.1 variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.

The addition of a Citadel variant is a little peculiar on one hand because that creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.

GOODBYE ZEUS?

Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus”. The last real Zeus was Zeus 2.0.8.9. Even the v2.1.0.1 development was upgraded by someone outside the original team.

Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It’s only a matter of time before botmasters will move away from Zeus to Trojans for which the development of upgrades and new features continue to thrive. We will likely see less of Zeus on the monthly charts – although its offspring will live on.

Phishing Attacks per Month

While 2012 kicked off with an increase of over 40% in global phishing attacks, February marked a 30% drop – with only 21,030 phishing attacks detected. After five consecutive months of being heavily targeted, the UK finally got replaced by the U.S. as the country enduring the most phishing volume.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in February. Of those targeted brands, 53% endured less than five attacks (150 brands) and 47% endured five attacks or more (131 brands).

US Bank Types Attacked

U.S. nationwide brands and regional banks both saw an eight percent increase in phishing attacks in February while credit unions saw a 16% drop in attacks.

Top Countries by Attack Volume

Following five consecutive months during which the UK topped the chart as the country that absorbed the highest volume of phishing, the U.S. topped the chart once again in February with 35% of global phishing volume. Just as surprising, Canada made an unexpected leap. After accounting for only 4% of worldwide attacks in January, Canada accounted for 27% of the world’s phishing attacks in February.

Top Countries by Attacked Brands

The U.S. and UK remained the countries with the highest number of attacked brands in February with 42%, followed by Australia, India, Italy and Canada who together accounted for 17% of attacked brands.

Top Hosting Countries

The share of phishing attacks hosted by the U.S. dropped significantly this month, falling from 82% in January to 46% in February. In January, six countries accounted for hosting about 90% of global phishing attacks, while in February, we witnessed 17 countries share that same portion of hosting.

See the full report on the RSA website.

Previous RSA Online Fraud Report Summaries:

  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

RSA’s January 2012 Online Fraud Report

Below is a summary of RSA’s January 2012 Online Fraud Report:-

PHISHING IS A NUMBERS GAME

In 2011, approximately one in every 300 emails circulating the web was deemed to contain elements pointing to phishing. Most phishing content targeted the public sector, which was followed by the SME business sector.

Compared with the total numbers of phishing attacks recorded in 2010, phishing numbers have increased considerably through the past year. The cumulative number of phishing attacks recorded through 2011 was 279,580—a 37% increase from 2010.

In 2011, phishing attacks also received better coverage around the globe, with brands targeted from 31 different geographies and phishing emails communicated in 16 different languages – reaching an even more diverse crowd of Internet users. The top countries in which the most brands were attacked include: the U.S., the UK, Australia, Canada, India, and Brazil.

CONCLUSION

Looking at the year in phishing, it is clear that phishing has become easier than ever before with more automated toolkits available. In fact, some cybercriminals are known to invest all their efforts into phishing attacks only. On average, every phishing attack yields a $4,500 profit in stolen funds for the fraudster, a number which keeps this work-from-home endeavor rather lucrative.

Attack numbers have been increasing annually, and although phishing is one of the oldest online scams, and user awareness is higher than ever, it seems that web users still fall for phishing, unknowingly parting with their credentials over convincing enough replicas of websites they have come to trust.

With the ease of production and the enhanced quality of today’s attacks, the forecasted outlook for 2012 calls for yet another year riddled with hundreds of thousands of phishing attacks worldwide. As the phenomenon continues to spread, it stands to reason that phishing will move on to even more geographies, target more brands and be spread in more languages in 2012.

Phishing Attacks per Month

In December, phishing volumes decreased 26 percent with 21,119 unique phishing attacks identified by RSA worldwide. The UK continued to be the country most targeted by phishing attacks in December, suffering 50 percent of global volume while the U.S. continued to be the top hosting country – hosting 52 percent of the world’s phishing attacks in December.

Number of Brands Attacked

In December, 256 brands were targeted through phishing attacks, marking an 18 percent decrease from November. The number of new brands attacked for the first time decreased from 13 brands in November to six brands in December.

US Bank Types Attacked

Last month, the portion of brands targeted in the U.S. credit union sector decreased three percent as did the portion of brands targeted by phishing in the U.S. regional banks sector (decreasing seven percent). The portion of attacked brands representing U.S. nationwide banks increased ten percent from 76 percent to 86 percent. This represents the highest portion of brands in the U.S. nationwide banking sector targeted by phishing in the last year.

Top Countries by Attack Volume

The UK was the country most targeted by phishing once again in December – targeted by 50 percent of all attacks – for the fourth consecutive month. The U.S. was the second most targeted country with 28 percent of all phishing attacks.

Since this time last year, the top five countries that have endured the highest volume of phishing include the UK, the U.S., South Africa, Canada and Brazil. In terms of the languages used in phishing attacks, English is still the most dominant, followed by Portuguese, Spanish and Dutch.

Top Countries by Attacked Brands

Together, the U.S. and UK accounted for 43 percent of the world’s targeted brands, while the brands of 14 additional countries accounted for a total of 39 percent of phishing attacks in December.

Top Hosting Countries

In December, the US hosted 52 percent of the world’s phishing attacks, a nine percent decrease from November. Germany and Russia were the second top hosts with five percent of attacks. A surprising entrance came from Japan as a top host in December, accounting for four percent of attacks.

The RSA December Online Fraud Report Summary is here.

The RSA November Online Fraud Report Summary is here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.


RSA’s November Online Fraud Report

Below is a summary of RSA’s November Online Fraud Report:

The humble beginnings of phishing

The term ‘phishing’ was coined in 1996 by hackers who managed to steal America Online (AOL) accounts by coaxing usernames and passwords from unsuspecting users. At the time, hacked accounts were dubbed ‘phish’; within a year, ‘phish’ was actively being traded between hackers as a form of electronic currency that was of value to them. ‘Phishers’ used to go after compromised e-mail accounts in order to send out spam.

In its early days, phishing was not aimed at stealing bank account information, or even financially driven for that matter. It was only when phishers realized that it was relatively easy to convince web users to divulge their passwords that they inevitably saw it as a way to monetize data. Now going beyond spam, phishers added a criminal layer to their activities and began thinking of ways to compromise more valuable credentials, especially those which afforded online access to bank accounts.

Phishing became a fraudster’s gold rush.

Phishing Attacks per Month

In October, phishing volume dropped nearly 40 percent – from 38,970 attacks in September to 24,019 attacks. This decline was mainly due to a drastic reduction in the number of phishing attacks targeting brands that were heavily attacked in September.

Number of Brands Attacked

Last month, 298 brands were targeted with phishing attacks, marking just a slight drop from September. Eleven brands endured their first attack in October while 51 percent of the brands targeted last month endured less than five attacks each.

US Bank Types Attacked

The portion of brands targeted among U.S. credit unions increased eight percent while brands targeted among U.S. regional banks saw a 13 percent decrease in October (from 25% to 12%). However, U.S. nationwide bank brands continue to endure the highest number of attacks, accounting for nearly 75 percent in October.

Top Countries by Attack Volume

In October, the UK continued to be the country that endured the most phishing attacks, just slightly ahead of the U.S. by a mere one percent. South Africa endured eleven percent of the phishing volume in October, followed by Brazil and Canada.

Top Hosting Countries

In October, the US hosted 54 percent of the world’s phishing attacks, followed by Germany with seven percent and the UK with four percent. Since October 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the US, UK, Germany, France and Russia.

The full RSA Report can be found here.

The RSA October Online Fraud Report Summary is here.

The RSA September Online Fraud Report Summary is here.


RSA’s October Online Fraud Report

Below is a summary of RSA’s October Online Fraud Report.

October was Cyber Security Awareness Month, a public relations effort made by several US-based government bodies to increase security literacy across the tiers that make up our digital society. By encouraging each and every Internet user to “Stop, Think, Connect,” the Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) hope to increase security within the home, business environment, and ultimately within the entire nation. While this effort was founded in the U.S., its aspirations of increasing security literacy among the general public could easily be embraced across the globe.

Ironically, October also marks a major milestone for RSA, reaching the official shut down of over 500,000 phishing attacks around the globe. Sometimes viewed as one of the oldest scams in the book, phishing is still a very popular method among cybercriminals.

RSA recently estimated that worldwide losses from phishing attacks alone during H1 2011 amounted to over $520 million, and losses incurred from phishing attacks during the 12-month period of H2 2010 through H1 2011 reached nearly $1 billion.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in September increased by 45%, setting a new all-time high of 38,970 attacks. As in the month prior, this increase was largely attributed to repeated attacks on a handful of large financial institutions which have been heavily targeted throughout the past few months.

Number of Brands Attacked

The total number of brands attacked decreased 15%, dropping from 351 targeted brands in August to 300 brands in September. Last month, no new brands endured their first phishing attack, compared to seven newly-targeted brands in August. Monthly counts of newly-targeted brands last year hovered around 20 to 25 entities per month indicating a slowdown in the trend of attacks on new targets.

US Bank Types Attacked

In September, the portion of targeted brands among U.S. credit unions dropped from 19% to 6%. In contrast, the portion of targeted brands among regional U.S. banks increased 5%, while attacks against nationwide U.S. banks increased 8%. Nationwide banks continue to be the most lucrative target among phishers likely because their customer bases are large and geographically dispersed.

Top Hosting Countries

The U.S. hosted two out of three worldwide phishing attacks in September. Since September 2010, the only countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attack Volume

The U.S. and UK continue to remain the top two countries targeted by the highest volume of phishing attacks. In September, they endured 79% of the world’s phishing attacks. Brazil, Canada, and South Africa remained among the top five countries in September in terms of phishing attack volume.

Top Countries by Attacked Brands

U.S. and UK brands accounted for 43% of all the brands targeted worldwide by phishing in September.

The full report can be found here.

The RSA September Online Fraud Report Summary is here.


RSA’s September Online Fraud Report

A bit of a catch-up on the excellent RSA Fraud Reports. The results from their September report are below.

At the bottom of the post is the August Report Summary link.

Phishing Attacks per Month

The number of phishing attacks identified by RSA in August increased by 7%, setting a new all-time high of 26,907 attacks. This increase can be mostly attributed to repeated attacks on a number of large financial institutions which have been heavily targeted through the past few months.

Number of Brands Attacked

The total number of brands attacked increased 9% in August, climbing from 321 targeted brands in July to 351 brands in August. Last month, seven brands endured their first phishing attack. Last year, monthly counts of newly-targeted brands hovered around 20 to 25 per month, indicating a slowdown in the attack rate of new targets.

US Bank Types Attacked

The number of phishing attacks targeting U.S. credit unions in August nearly doubled, from 10% to 19%. The portion of attacked brands among the other two sectors decreased – regional U.S. banks decreased 3% and nationwide banks decreased 6%. August 2011 marked a two-year high for U.S. credit union brands being targeted since hitting the 24% mark in August 2009.

Top Countries by Attack Volume

The US and UK remained the top two countries most targeted by phishing in August, accounting for 73% of the world’s attacks. Brazil, Canada, and South Africa all remained in the top half.

Top Hosting Countries

The U.S. hosted 63% of all phishing attacks identified in August. The UK and Germany both accounted for hosting 4% of global phishing attacks followed by France, Canada, the Netherlands, Brazil, Russia, and Australia. In the last year, the countries that have consistently hosted the highest portions of phishing attacks have been the U.S., UK, and Germany.

Top Countries by Attacked Brands

The top five countries whose brands were most targeted by phishing in August – the U.S., UK, Australia, India, and Canada – accounted for 60% of attacks. U.S.

The full report can be found here.

See the RSA August Report Summary here.


Test your IT Security and ID Theft Knowledge


Preparation is often the best way of ensuring you have the right protection.

The Consumer Federation of America have worked to put together some excellent quizzes that will help you understand the potential impact of identity theft and several IT security threats and risks.

Test your Identity Theft knowledge by participating in any or all of the following Identity Theft Quizzes.

  1. Pretend that your identity’s been stolen and learn how to get it back by correctly answering questions in the Federal Trade Commission’s ID Theft Face-Off Quiz.
  2. Learn how to keep your wireless Internet connection secure and fend off intruders by taking the Federal Trade Commission’s Invasion of the Wireless Hackers Quiz.
  3. Don’t let spyware sneak onto your computer to give others a peek at information you enter online. Get wise to the spyware guise by taking the Federal Trade Commission’s Beware of Spyware Quiz.
  4. The techie spy and his cunning crew are out to get your personal information. Stop them cold and prove you’re ready to protect yourself online by cracking the Federal Trade Commission’s Case of the Cyber Criminal Quiz.
  5. You’re in big trouble at work because your laptop’s been stolen and the information on it wasn’t secure. It won’t happen again if you take the Federal Trade Commission’s Mission: Laptop Security Quiz.
  6. Phishers are looking to lure you into providing your personal information with bogus emails and pop-ups. Will you take the bait or live to swim another day? Find out by taking the Federal Trade Commission’s Phishing Scams Quiz.
  7. Identity thieves use many methods to steal your key personal and financial information to sell, use to drain your accounts, or set up new accounts using your good name. How much do you know about identity theft, related fraud, and how to reduce your risks? Find out and have some fun by taking the University of Oklahoma Police Department’s Identity Theft and Fraud Quiz.
  8. Are you at risk for identity theft? Take the Privacy Rights Clearinghouse Identity Theft IQ Test to see how you rate.
  9. Identity theft affects people of all ages, including children. Test your knowledge of child identity theft by taking the Identity Theft Risk CheckSM Quiz, a quiz designed by the National Sheriffs’ Association and the National Foundation for Credit Counseling.


RSA’s June Online Fraud Report

Below is a summary of RSA Security’s June 2011 Fraud Report.

RSA recently analyzed one local pharming Trojan which they found to be a highly sophisticated piece of malware that goes as far as installing a driver to achieve its intended goal of stealing information. This is the first local pharming Trojan observed by RSA to even have a driver.

In fact, the Trojan has been widely reported to be the first rootkit ever designed to specifically infect 64-bit operating systems. However, the Trojan does not in fact install a rootkit; rather it installs a plainly visible malicious driver. Since rootkits by definition hide their very existence from the user, this driver cannot be classified as such. Any victim infected with this Trojan, dubbed Rootkit.Win32.Banker.dy (on 32-bit systems) or Rootkit.Win64.Banker.a (on 64-bit systems), will be able to see it in plain view on the currently-loaded driver list.

This particular Trojan was targeted at online banking consumers in Brazil, as it changes the hosts file settings for a handful of Brazilian banks.
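As an added illustration (not code from RSA's report or from this blog), the hosts-file change described above can be checked for on an endpoint: the sketch below parses a hosts file and flags any watched banking domain pinned to a non-loopback address. The watch list and the sample hosts file are constructed placeholders.

```python
import ipaddress
import os
import sys

# Hypothetical watch list: replace with the banking domains your users rely on.
WATCHED_DOMAINS = {"bank.example", "banco.example.com.br"}

# Constructed sample hosts file, not taken from any real infection.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.banco.example.com.br banco.example.com.br   # injected
203.0.113.45    WWW.Bank.Example.
192.0.2.10      intranet.corp.example
0.0.0.0         ads.tracker.example
not-an-ip       bank.example
"""


def hosts_path():
    """Return the hosts file location for the current platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def is_watched(hostname, watched):
    """True if hostname equals a watched domain or is a subdomain of one."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watched)


def find_pharming_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Return (line_no, ip, hostname) for watched names pinned to a routable IP."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop inline comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: skip the line
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries block a name, they do not redirect it
        for hostname in fields[1:]:
            if is_watched(hostname, watched):
                findings.append((line_no, str(addr), hostname.lower().rstrip(".")))
    return findings


if __name__ == "__main__":
    path = hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            source, text = path, fh.read()
    else:
        source, text = "<constructed sample>", SAMPLE_HOSTS
    for line_no, ip, name in find_pharming_entries(text):
        print(f"{source}:{line_no}: {name} -> {ip}")
```

A legitimate hosts file rarely needs an entry for a public banking domain, so any finding is worth comparing against what public DNS returns for the same name.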

Phishing Attacks per Month

May 2011 marked a surprising 33 percent increase in the number of global phishing attacks identified by RSA – and a record for the most unique attacks identified in a single month. About four out of five phishing attacks in May were launched using hijacked websites.

Number of Brands Attacked

The increase in phishing attacks numbers was not the only substantial change observed in May. RSA witnessed a 25 percent increase in the number of attacked brands suggesting criminals went after a wider variety of brands rather than consistently attacking the same brands. When compared year-over-year (May 2010), there was a 69 percent increase in the number of attacked brands.

Segmentation of Financial Institutions Attacked Within the U.S.

Nationwide banks in the U.S. accounted for 3 out of 4 phishing attacks in May. The portion of phishing attacks targeting U.S. credit unions dropped three percent as did the portion of attacks against regional U.S. banks, decreasing from 22 percent in April to just 12 percent in May.

Top Ten Hosting Countries

Since January 2010, the U.S. has been the top hosting country for phishing attacks, hosting 66 percent of all phishing attacks in May. In the last year, the countries that have consistently hosted the highest portion of phishing attacks have been the U.S., UK, Canada, Germany, France, Russia, and South Korea.

Top Ten Countries by Attack Volume

The US, UK, South Africa and India remained the top four countries targeted with the most volume of phishing attacks in May. Malaysia, which appeared on the chart in April, was replaced by Colombia in May. In the last year, the U.S., UK, South Africa, Canada, the Netherlands, and Italy are the top countries that have consistently endured the highest volume of phishing attacks.

Top Ten Countries by Attacked Brands

The main change in May was Ireland being replaced by Brazil in terms of the top ten countries whose brands were most targeted by phishing. Brands in the U.S., UK, India, and Australia continue to endure the majority of targeted phishing attacks.

The full report can be found here.


Symantec MessageLabs April 2011 Intelligence Report


Symantec MessageLabs have released their April 2011 Intelligence Report which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 72.9% in April (a decrease of 6.4 percentage points since March 2011)
  • Viruses – One in 168.6 emails in April contained malware (an increase of 0.11 percentage
    points since March 2011)
  • Phishing – One in 242.2 emails comprised a phishing attack (an increase of 0.02
    percentage points since March 2011)
  • Malicious web sites – 2,431 web sites blocked per day (a decrease of 18.2% since March
    2011)
  • 33.0% of all malicious domains blocked were new in April (a decrease of 4.0 percentage
    points since March 2011)
  • 22.5% of all web-based malware blocked was new in April (a decrease of 1.9 percentage
    points since March 2011)
  • Targeted attacks increase in intensity: What does a recent targeted attack look like?
  • Shortened URLs: Do you know what you’re clicking on?

Symantec MessageLabs’ table below shows the most frequently blocked email-borne malware for April, many of which take advantage of malicious hyperlinks. Overall, 55.1% of email-borne malware was associated with Bredolab, Sasfis, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

Malware                       % Malware
Trojan.Bredolab!eml           37.67%
Exploit/FakeAttach            4.54%
HeurAuto-08ba                 3.88%
Gen:Variant.Kazy.17074        3.53%
Trojan.Bredolab               3.31%
W32/Bredolab.gen!eml-19251    3.27%
W32/Bredolab.gen!eml          2.83%
Gen:Variant.Kazy.16615        1.80%
W32/Generic-afcd              1.79%
W32/Delf-Generic-ad9e         0.70%

Symantec MessageLabs’ table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec MessageLabs Web Security.cloud or Symantec MessageLabs Email AntiVirus.cloud.

Malware               % Malware
W32.Sality.AE         8.10%
W32.Ramnit.B!inf      7.80%
W32.Ramnit!html       6.90%
Trojan.Gen            6.80%
Trojan Horse          6.80%
Trojan.Bamital        5.30%
W32.Downadup.B        4.10%
Trojan.Gen.2          3.80%
Downloader            3.80%
W32.Almanahe.B!inf    2.50%

See the entire Symantec MessageLabs Intelligence Report here

The March report summary can be found here.


Phishing – the UK banking losses


In March 2011 the UK Card Association reported that online banking fraud losses totalled £46.7 million in 2010. This represented a 22 per cent fall on the 2009 figure.

The factors contributing to this fall include:

  • Customers better protecting their own computers with up-to-date anti-virus software
  • Banks’ use of sophisticated fraud detection software.

This decrease has occurred despite a continuing rise in phishing attacks, up 21% from 2009.

UK annual reported banking losses 2006 to 2010 due to Phishing

                          2006    2007    2008    2009    2010    % +/- 09/10
No of phishing attacks    14,156  25,797  43,991  51,161  61,873  +21%

The link to the UK Card Association Press Release is here

In my last blog post Fraud Intelligence Report – First Quarter 2011 there were some other interesting Phishing statistics:

  • Phish attack volume increased 17% from the previous quarter to 99,800 attacks
  • The number of targeted organizations increased 11% from the fourth quarter of 2010, to 511
  • Attacks per organization increased 6% from Q4 2010 to 195
  • Financial sector accounted for 47% of phish attacks in the first quarter of 2011
  • Payment Services sector accounted for 27%
  • Auction sector phish increased 47% quarter-over-quarter to 5,414 attacks
  • Gaming sector phish increased 60% from the previous quarter to 6,834 attacks
  • Social Networking sector phish increased 40% from the previous quarter to 4,768 attacks

Source of Phishing in quarter one 2011

  • UK-hosted phish grew by 63%
  • Russian-hosted phish grew 93%
  • North America hosted the majority of phishing attacks, with 61% of total attacks in the first quarter
  • Western Europe followed, hosting 19% of phishing attacks in the same period

Read the blog – Fraud Intelligence Report Q1 2011 here


Fraud Intelligence Report – First Quarter 2011


MarkMonitor, a global leader in enterprise brand protection, offers comprehensive solutions and services that safeguard brands, reputation and revenue from online risks.

MarkMonitor produce a Fraud Intelligence Report on a quarterly basis and the report for the first quarter of 2011 is now available. The headline findings are:

Phishing Attacks Reversed Decline
Phish attack volume increased 17% from the previous quarter to 99,800 attacks.

Organizations Targeted Continued Growth Trend
The number of targeted organizations increased 11% from the fourth quarter of 2010, to 511.

Attacks per Organization Increased Slightly
Attacks per organization increased 6% from Q4 2010 to 195.

Financial Sector Continued as Most Popular Phishing Sector
The Financial sector accounted for 47% of phish attacks in the first quarter of 2011, while the Payment Services sector accounted for 27%.

Auction, Gaming, and Social Networking Sectors Reversed Previous Declines
Auction sector phish increased 47% quarter-over-quarter to 5,414 attacks. Gaming sector phish increased 60% from the previous quarter to 6,834 attacks. Social Networking sector phish increased 40% from the previous quarter to 4,768 attacks.

Phishing Attacks Targeting Spanish Brands Doubled
Attacks targeting Spanish brands grew 127% from the previous quarter. However, North American brands continued to attract the lion’s share of attacks, accounting for 74% of phishing attacks in the first quarter. Western European brands accounted for 18% of phish.

Phishing Attacks Hosted in the UK and Russia Showed Substantial Growth
In the first quarter, phish hosted in the UK grew 63% and Russian-hosted phish grew 93%. As with targeted brands, however, North America hosted the majority of phishing attacks, with 61% of total attacks in the first quarter. Western Europe followed, hosting 19% of phishing attacks in the same period.

Download the full report here

