Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

phishing

Breaches caused by either hacking or malware nearly doubled in relative frequency

Beazley, a leading provider of data breach response insurance, today released its Beazley Breach Insights 2016 findings based on its response to over 2,000 breaches in the past two years. The specialized Beazley Breach Response (BBR) Services unit responded to 60% more data breaches in 2015 compared to 2014, with a concentration of incidents in the healthcare, financial services and higher education sectors.

Key data:

  • Breaches caused by either hacking or malware nearly doubled in relative frequency over the past year. In 2015, 32% of all incidents were caused by hacking or malware vs. 18% in 2014.
  • Unintended disclosure of records – such as a misdirected email – accounted for 24% of all breaches in 2015, which is down from 32% in 2014.
  • The loss of non-electronic physical records accounted for 16% of all breaches in 2015, which is unchanged from 2014.
  • The proportion of breaches involving third party vendors more than tripled over the same period, rising from 6% of breaches in 2014 to 18% of breaches in 2015.

Beazley’s data breach statistics are based on 777 incidents in 2014 and 1,249 in 2015.

We saw a significant rise in incidents caused by hacking or malware in the past year,” said Katherine Keefe, global head of BBR Services. This was especially noticeable in healthcare where the percentage of data breaches caused by hacking or malware more than doubled

Ransomware on the rise in healthcare

Hackers are increasingly employing ransomware to lock up an organization’s data, holding it until a ransom is paid in nearly untraceable Bitcoin. Hollywood Presbyterian Hospital in Los Angeles reported suffering a ransomware attack in February 2016 and ultimately paid the hackers $17,000 in Bitcoin. A year earlier, the FBI had issued an alert warning that ransomware attacks were on the rise.

This trend is borne out by Beazley’s data. Breaches involving ransomware among Beazley clients more than doubled to 43 in 2015 and the trend appears to be accelerating in 2016. Based on figures for the first two months of the year, ransomware attacks are projected to increase by 250% in 2016.

Clearly, new malware programs, including ransomware, are having a big impact, said Paul Nikhinson, privacy breach response services manager for BBR Services. Hacking or malware was the leading cause of data breaches in the healthcare industry in 2015, representing 27% of all breaches, more than physical loss at 20%

Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record.”

Higher Education

Higher education also experienced an increase in breaches due to hacking or malware with these accounting for 35% of incidents in 2015, up from 26% in 2015.

Colleges and universities are reporting increased “spear phishing” incidents in which hackers send personalized, legitimate-looking emails with harmful links or attachments. The relatively open nature of campus IT systems, widespread use of social media by students and a lack of the restrictive controls common in many corporate settings make higher education institutions particularly vulnerable to data breaches.

Financial Services

In the financial services sector, hacking or malware was up modestly to 27% of industry data breaches in 2015 versus 23% in 2014. Trojan programs continued to be a popular hacking device.

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of it’s study the Cost of Phishing and Value of Employee Training sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon  surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing. Estimated cost.
Part 1. The cost to contain malware $208,174
Part 2. The cost of malware not contained $338,098
Part 3. Productivity losses from phishing $1,819,923
Part 4. The cost to contain credential compromises $381,920
Part 5. The cost of credential compromises not contained $1,020,705
Total extrapolated cost $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks to contain malware infections. Drawing from the empirical findings of an earlier study, Ponemon  were able to derive cost estimates relating to six discrete tasks conducted by companies to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the annual hours incurred for six tasks by the average-sized organization on an annual basis. The largest tasks incurred to contain malware involve the cleaning and fixing of infected systems and conducting forensic investigations.

Documentation and planning represents the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections. Estimated hours per annum.

Planning 910
Capturing intelligence 3,806
Evaluating intelligence 2,844
Investigating 10,338
Cleaning & fixing 11,955
Documenting 671
Total hours 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

Response to the survey question, “What percent of all malware infections is caused by successful phishing scams?” The percentage rate of malware infections caused by phishing scams was based on Ponemon’s  independent survey of IT security practitioners. As can be seen, the estimated range is less than 1% to more than 50%. The extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon  assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) x Likelihood of occurrence [over a 12-month period].

Respondents in Ponemon’s  survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9 percent over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap for the cost of malware not contained Calculus
Probable maximum loss resulting from data exfiltration $105,900,000
Likelihood of occurrence over the next 12 months 1.90%
Expected value $2,012,100
Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses) $66,345,000
Likelihood of occurrence over the next 12 months 1.60%
Expected value $1,061,520
Total cost of malware not contained $3,073,620
Percentage rate of malware infections caused by phishing scams 11%
Adjusted total cost attributable to phishing scams $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s  survey research, Ponemon  extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s  first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than .1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by companies, ranging from 26 to 99%, respectively. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing that includes mock attacks and follow-up with indepth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate against the average improvement shown in the six proof of concept studies, Ponemon  estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results Improvement %
Company A 99%
Company B 72%
Company C 54%
Company D 26%
Company E 62%
Company F 69%
Average improvement 64%
Expected diminished learning retention over time (1-75%) 25%
Average net improvement 47.75%

The figures below provides a simple analysis of potential cost savings accruing to organizations that use an effective training approach to mitigating phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing Calculus
Total cost of phishing $3,768,820
Estimated cost savings assuming net improvement at 47.75% $1,799,612
Extrapolated headcount for the average-sized organization 9,552
Estimated cost savings per employee $188.40
Estimated fee of Wombat training per user $3.69
Estimated net benefit of Wombat training per user $184.71
Estimated one-year rate of return = Net benefit ÷ Fee 50X

Cyber Security a Major Threat for Metals Industry: Top Three Lessons for Executives

According to a report commissioned by the Metals Service Center Institute (MSCI), cyber security poses complicated threats for metals companies.

The report was compiled by graduate students at the Boeing Center for Technology, Information & Management (BCTIM) at the Olin School of Business at Washington University in St. Louis.

Other research has shown that cybercrimes are growing more common, more costly, and taking longer to resolve. According to the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute the 2014 global study of U.S.-based companies found:

  • The average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from 11.6 million in the 2013 study
  • The average time to resolve a cyber-attack is also rising, climbing to 45 days, up from 32 days in 2013

With data breaches happening frequently, our members and all companies must be concerned about the safety of their data and honestly ask themselves if they are as well protected as they think they are,” said M. Robert Weidner, III, MSCI president and CEO. “The potential damage to the company is compounded by how long it would take to be up and running again and at what cost and the cost of lost revenue

These concerns and questions prompted MSCI to ask BCTIM to research the cyber security threat, specifically as it relates to the metals industry.

From the report, three key lessons for executives concerned or dealing with cyber security emerged:

  1. Cyber security efforts require C-suite support. Executives must be directly involved in the management of their company’s cyber risk, creating and implementing the processes and policies necessary. Little happens in this arena without the top executive pushing for and supporting change.
  2. The biggest risk to any size company is internal. Employees have access to critical information. That fact, coupled with a lack of proper cyber security policies, procedures and processes leads to vulnerabilities. An example: Most employees are not trained to detect email and phishing scams (the U.S. Steel and Alcoa breaches a few years ago were prompted by phishing scams).
  3. If a company is unsure about reducing their cyber security risk, the policies and procedures necessary and the next steps to take, they should get help from a specialized third part with the necessary expertise.

.

Workers Ignoring Known Cyber Risks, Surfing Adult Content and Downloading Unapproved Apps

Blue Coat Systems global survey of 1580 respondents across 11 countries highlights a global trend of employees ignoring cyber risks while at work. Results from the survey found that universally, workers visit inappropriate websites while at work despite typically being fully aware of the risks to their companies.

Blue Coat’s research, conducted by independent research firm Vanson Bourne, found the actions of employees at odds with their awareness of the growing cyber threats facing the workplace. In addition, this risky behaviour can leave both sensitive corporate and personal data open to being stolen and used immediately, stored for future use, or sold into a thriving black market where compromised corporate and personal identities are traded globally.

One source of cyber threats is the practice of phishing. Cyber criminals continuously conduct extensive research on employees’ social profiles to find information that can be used to attack organizations. For example, an attacker may create a seemingly personalized email targeted at an IT administrator for a large enterprise using information found on social media profiles, such as the recipient’s alma mater or favourite sports team. That email may contain malware that is downloaded once the recipient clicks on a link included in the document.

Pornography continues to be one of the most popular methods of hiding malware or malicious content. Even though awareness is high of the threat posed by adult content sites, workers are still visiting these potentially dangerous sites.

The Blue Coat survey found that at 19%, China has the worst record for viewing adult content sites on a work device, with Mexico (10%) and the UK (9%) not far behind. 

Survey Highlights

The majority of global survey participants admitted understanding the obvious cyber threats when downloading email attachments from an unknown sender, or using social media and unapproved apps from corporate networks without permission, but knowing this, did not curb their risk-taking.

Other findings include:

  • 65% of global respondents view using a new application without the IT department’s consent as a serious cyber-security risk to the business, 26% admitted doing so.
  • 37% of respondents in Singapore used new applications without IT’s permission, compared to 33% in the UK and 30% in India and Mexico. On the flip side, Australia and France were the lowest offenders at 14% and 16% respectively; however, any number puts businesses at risk.
  • Obvious behaviours such as opening emails from unverified senders still happen at work. 29% of Chinese employees open email attachments from unverified senders, even though 72% see it as a serious risk. US businesses view the threat even more seriously (80%) and open less unsolicited emails (17%).
  • 41% use social media sites for personal reasons at work, a serious risk to businesses, as cyber criminals hide malware on shortened links and exploit encrypted traffic to deliver payloads.
  • 6% of global respondents still admitted viewing adult content on work devices, China ranked as the worst offender with 19% employees admitting to viewing adult content at work, compared to Australia and Germany, both at 2%

While the majority of employees are aware of cyber security risks, in practice most still take chances,” said Dr. Hugh Thompson, CTO for Blue Coat. “The consumerization of IT and social media carry mixed blessings to enterprises. It is no longer realistic to prevent employees from using them, so businesses need to find ways to support these technology choices while simultaneously mitigating the security risks

The Story Of A Phish

Phishme Inc have produced this excellent Infograph which follows the “life” or progress of a phishing attack.

RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA‘s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online with support of tutors, course work and counselling is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join the underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give a 2 hour advanced notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how all it works, who are the clients, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law? Building Your Business Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed and shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much in demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD) Both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster the art of avoiding detection, and how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security(ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD) $35 – additional charge for installing VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, it is estimated phishing resulted in an estimated $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.

Previous 3 RSA Online Fraud Report Summaries

.

RSA’s July 2013 Online Fraud Report featuring the Carberp Trojan Code

RSA’s July 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan’s source code leak, we can expect a few things to happen following the incident. But before doing so, let’s review the events that followed the ZeuS leak in 2011.

An attempt to sell the ZeuS source code in an underground forum for, according to some estimates, as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase, and included Ice IX and Odin (both appearing in 2011), and most considerably, Citadel making its appearance in early 2012.

As opposed to Ice IX, that mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware’s functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, as well as provided numerous new plug-ins to boost the Trojan’s functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its “customers” a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing/upgrading existing bots with the malware.

Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel’s spokesperson – “Aquabox”, was banned from the only forum he was selling on (following a quarrel over customer support).

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

We’ll see a proliferation of Carberp-based attacks. While this is likely less probable, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale “as is,” with no further feature developments or bug fixes. To demonstrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing for would-be botmasters (or script kiddies). Not to mention the major weaknesses reported in the Carberp server-side, that make it “easier to hack than SpyEye” according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA’s Anti-Fraud Command Center (AFCC), this malware’s share is over 83% of all Trojan attacks and at very cheap prices, it would be surprising to see Carberp make a big impact in this strong market segment.

The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Development may continue in closed, private groups, which develop the software for their own criminal purposes.

RSA conclusion
There’s never a dull moment in cybercrime and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an “as-is” offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code, in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as those are made

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries’ brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada that hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Previous 3 months of RSA Online Fraud Report Summaries

The RSA June 2013 Online Fraud Report Summary

The RSA April 2013 Online Fraud Report Summary

The RSA March 2013 Online Fraud Report Summary

RSA’s April Online Fraud Report 2013, with a focus on the changes in Phishing tactics

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online.

In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one.

Another similar example is reflected in time-delayed attacks again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more making them more likely to check out a link they received via email that day.

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are: –Switching letters, as in bnak or bnk for “bank”, adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey” – Swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself. This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization.

RSA’s Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.

Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.

.

RSA’s March Online Fraud Report 2013, with a focus on Email and Identity takeover

RSA’s March 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user’s bank/card account. Financial institutions have all too often been the most targeted vertical with phishers setting their sights on monetary gain, followed by online retailers and social networks.

Most understand the purpose of targeting financial institutions, but online retailers and social networking sites? Why would a fraudster target them? In most cases, they use an email address to authenticate their users’ identities, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue. A typical user reuses the same password an average of six times, or the same password to access six different accounts.

Access Phishing campaigns have already been targeting webmail users for years now with campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the shape of OWA (Outlook Web Access) for business users.

Trojan operators followed suit and have not remained oblivious to the potential that lies in gaining control over victim identities through their email accounts. In fact, almost all Trojan configuration files contain triggers to webmail providers as well as to social networking sites. This is designed with the purpose of getting access in order to gain more information about potential victims in order to take over their online identities.

Since email accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. When it comes to online retailers and merchants, the email address is most often the username in the provider’s systems or databases. When it comes to bank accounts, the customer’s email is where communications and alerts are sent, and sometimes even serve as part of transaction verification.

Beyond the fact that email is part of customer identification and point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. Email takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user’s account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim.

Although some webmail providers use two-factor authentication for account password resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it simpler for criminals to access and sometimes attempt to reset access to accounts.

Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts.

Since email is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via email. Hence, if a cybercriminal is in control of the email account, they will also gain control over the user’s account with that merchant.

From there, the road to e-commerce fraud shortens considerably, either using that person’s financial information, or attaching a compromised credit card to that account without ever having to log into their bank account in order to access their money, and in that sense, email access equals money.

Another example is transportation companies, which are part of any online purchase and those who provide shipping service to companies as well as governmental offices. They also use email addresses as their users’ login identifiers and will reset the account via email.

A takeover of a user’s email account in this scenario will also mean takeover of that person’s/business’ service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don’t belong to them, and providing an easier route to reship stolen goods and even reroute existing orders.

Email account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with email account takeover (due to credentials theft or a password reset), is that users re-use passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account.

The second issue is that fraudsters will use victim email access for reconnaissance with that person’s choice of financial services providers, bank account types, card statements (paperless reports delivered via email), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more.

How Risky Is Email Account Takeover? Email account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations and is perhaps one of the least evident elements that can become a potential facilitator of online fraud scenarios.

Email addresses can serve as a “glue” that binds many parts of a person’s online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on eBay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook access email, where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies.

RSA’s Summary

Account hacks of this type happen all the time, and often make the headlines in the media. In some cases, there are a few hundred potential victims while in others, there are millions. The value of an email address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers.

The line that crosses between ease of access and user experience always passes very close to security redlines, but sometimes very slight modifications in the weight customer email accounts can have on overall account access can turn a fraud attempt into a failed fraud attempt.

Phishing Attacks per Month

In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers when looking at it from an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide bank brands were the prime target for phishing campaigns, with 69% of total phishing attacks, while regional banks saw an 8% increase in phishing attacks in February.

Top Countries by Attack Volume

The U.S. remained the country that suffered a majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February.

Top Countries by Attacked Brands

In February, U.S brands were targeted by 30% of phishing volume, continuing to remain the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and Canada were each respectively targeted by 4% of phishing volume.

Top Hosting Countries

In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. Other top hosting countries in February included Canada, Russia, Brazil and Chile.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.

RSA’s February Online Fraud Report 2013 including an update on Phishing activity

RSA’s February 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA.

The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011. 

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year. 

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security. 

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one. 

Another similar example is reflected in time-delayed attacks – again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns. 

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees – spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more – making them more likely to check out a link they received via email that day. 

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading.

The most common ways of doing this are:

  • Switching letters, as in bnak or bnk for “bank”
  • Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
  • Swapping visually similar letters 

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart. 

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing. 

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers 

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself. 

This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web. 

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. 

A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly. 

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization. 

RSA Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns. 

Phishing Attacks per Month In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year. 

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil. 

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.

.

RSA’s January Online Fraud Report 2013 including an excellent summary of Phishing in 2012

RSA’s January 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

The total number of phishing attacks launched in 2012 was 59% higher than 2011

It appears that phishing has been able to set yet another record year in attack volumes, with global losses from phishing estimated at $1.5 billion in 2012. This represents a 22% increase from 2011.

The estimated amount lost from phishing this year was affected by the industry median – the number of uptime hours per attack. The median dropped in 2012 (from 15.3 to 11.72 hours per attack, according to the Anti-Phishing Working Group), somewhat curbing the impact of losses overall. If attack medians had remained the same, estimated losses from phishing would have exceeded $2 billion.

There is no doubt phishing still continues to be a persistent threat to all organizations. The RSA Anti-Fraud Command Center is at the forefront of phishing attack shut down. To understand the magnitude of growth however, consider the following fact: at the end of 2011, RSA celebrated its 500,000th attack takedown; that number was achieved over seven years. In 2012 alone, RSA took down almost an additional 50% of that total volume!

The roster of countries most attacked by phishing throughout the year was not surprising; the same countries appeared on the shortlist of the most attacked, the UK, the U.S., Canada, Brazil and South Africa. In Latin America, Colombia and Brazil were the two most attacked countries.

There have been major increases in phishing attack volume in some countries, while slight declines were recorded for others. One of the most significant increases in 2012 phishing numbers occurred in Canada, where attacks increased nearly 400% in the first half of the year. There have been many speculations as to why the sharp increase, but the main reason is simply economics – fraudsters follow the money. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become as lucrative a target for cybercrime.

The list of top countries to have consistently hosted the most phishing attacks throughout 2012 remained nearly identical to 2011.

  1. U.S.
  2. UK
  3. Germany
  4. Brazil
  5. Canada
  6. France
  7. Russia
  8. Poland
  9. The Netherlands
  10. Japan

Phishing targets and tactics in 2012

The past year saw phishing diversify the top aims to include popular online retailers that were targeted via the usual web portals but also through the increasingly popular use of mobile apps for shopping. Other targets on phishers’ lists were airline companies, gaming platforms, mobile communication providers and webmail services.

It appears that malware writers are strong players in the world of phishing kit coding, responding to the demand in the underground and servicing phishers looking for off-the-shelf kit templates or custom written specialty kits. The top requests for phishing kit writers were, unsurprisingly, the login pages of U.S. based banks, credit card issuers and the dedicated login pages for business/corporate users of online banking/investments.

In terms of the tactics used by cybercriminals to launch their attacks, 2012 saw the use of rather simple hosting methods, mainly taking advantage of hijacked websites.

The most prominent trends noted came in the shape of using web shells and automated toolkits to hijack massive numbers of websites and smarter phishing kits containing custom plug-ins such as web-analytics tools. A proliferation of off-the-shelf codes written by black hat programmers, and the use of combined attack schemes to phish users and then redirect them to subsequent malware infection points were noted by RSA forensics analysts.

Global Phishing forecast for 2013

Phishing via Mobile The most prominent market trends relevant to the mobile channel have to do with the growth in mobile device usage in both our personal and work life and the pivotal role of mobile apps. RSA expects to see more phishing directed at mobile device users, particularly smartphones, as we move into 2013. Varying social engineering schemes will target users by voice (vishing), SMS (smishing), app-based phishing (rogue apps), as well as classic email spam that users will receive and open on their mobile devices.

Phishing via Apps Applications are the central resource for smartphone users, and that overall popularity of apps will become just as trendy with cybercriminals.

Nowadays, users download apps designed for just about any day-to-day activity, with the most prominent of those being gaming, social networking and shopping apps. To date, both Apple and Google have surpassed 25 billion app downloads each from their respective stores. In fact, according to research firm Gartner, this number will grow to over 185 billion by 2015.

In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for Web browsing, and developing native apps that supply mobile functionality and brand-based services to enable customers anywhere-anytime access.

Following user behavior trends (and money) in 2013, criminals will drive underground demand for threats and attack schemes designed for the mobile. Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices, and steal data and money from users of different mobile platforms.

Phishing via Social Media In 2008, slightly more than 20% of online users in the U.S. were members of a social network. That number has since more than doubled and stands at around 50% today.

Data collected last year from Fortune’s Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users.

With the world turning into a smaller and more ‘social’ village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience (future victims) to the virtual hot-spots. According to a Microsoft research study, phishing via social networks in early 2010 was only used in 8.3% of attacks by the end of 2011 that number stood at 84.5% of the total. Phishing via social media steadily increased through 2012, jumping as much as 13.5% in one month considering Facebook alone.

Another factor affecting the success of phishing via social media is the vast popularity of social gaming; an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice.

Social media is definitely one way by which criminals get to their target audience, phishing them for access credentials (which are used for webmail at the very least and for more than one site in most cases), as well as stealing payment details they use online.

RSA’s Conclusion

Phishing attack numbers have been increasing annually, and although phishing is one of the oldest online scams, it seems that web users still fall for it which is why it still remains so popular with fraudsters.

With the heightened availability of kits, cybercriminals’ awareness of the latent potential in stolen credentials, and the enhanced quality of today’s attacks, the forecasted outlook for 2013 calls for yet another record year riddled with hundreds of thousands of phishing attacks worldwide.

As of January 1, 2013, the RSA Anti-Fraud Command Center has shut down more than 770,000 phishing attacks in more than 180 countries.

Phishing Attacks per Month

In December, RSA identified 29,581 attacks launched worldwide, marking a 29% decrease in attack volume from November, but a 40% increase year-over-year in comparison to December 2011.

The overall trend in attack numbers showed a steady rise in volume throughout the year, reaching an all-time high in July, with 59,406 attacks detected in a single month, 52% more than 2011’s peak of 38,970 attacks.

Number of Brands Attacked

In December, 257 brands were targeted in phishing attacks, marking a 10% decrease from November. Of the 257 targeted brands, 49% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide banks continued to be the most targeted, absorbing 79% of total attack volume in December. It is not surprising that fraudsters prefer large financial institutions over smaller ones as the potential “victim rate” rises in conjunction with the size of the bank’s customer base. Moreover, information regarding security procedures at larger institutions can be more easily located in open-source searches.

Top Countries by Attack Volume

The U.S. was targeted by the majority of, or 46%, of total phishing volume in December. The UK accounted for 19% of attack volume, while India and Canada remained third and fourth with 8% and 5% of attack volume.

Top Countries by Attacked Brands

U.S. brands were the most targeted again in December, with 28% of total phishing attack volume, followed by UK brands which were targeted by 10% of attacks. Brands in Canada, Australia, India and Brazil were each targeted by 5% of phishing volume.

Top Hosting Countries

In December, the U.S. remained the top hosting country for phishers, hosting 53% of global phishing attacks. Germany and the UK were the second top hosting countries accounting for 5% of hosted attacks.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.

.

RSA’s December Online Fraud Report 2012 including an excellent piece on Ransomware

RSA’s December Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of their report is below. 

Ransomware is a type of Trojan/malware that can lock files on an infected machine and restrict access to the computer unless the user pays a “ransom” for the restrictions to be removed

Infection campaigns and methods used by Ransomware are identical to those used for any other malware/Trojan infection. For example, recent Ransomware campaigns infected users via the Blackhole exploit kit; another campaign relied on drive-by-downloads via malicious tags in news sites and forums. 

Ransomware campaigns can take on a variety of forms. One of the most common scams is using fake anti-virus programs, making a user believe their computer is infected with unwanted software that can only be removed by purchasing the attacker’s special anti-virus program. However, Ransomware campaigns can take on a number of forms including bogus messages from law enforcement or even a recent example in Australia where a medical clinic’s patient records were targeted unless the clinic paid the attackers $4,200. 

Although victims are promised their files will be unlocked once they pay the “fine”, in most cases the botmaster cannot control the infected bot and the files/computer will remain locked (depending on the malware’s function). 

In order for criminals to remain untraceable, Ransomware payments must be kept anonymous and these Trojans’ operators prefer prepaid payment cards/vouchers (available at retail locations in the US, Europe and now in Arabic-speaking countries as well). It appears that Ransomware is a flourishing business in the cybercrime arena since this type of malware has been proliferating, and attack numbers are on the rise. Ransomware is so popular that although this Winlock type malware can come as a standalone piece, nowadays it is often coupled with other Trojan infections to add monetization schemes to new and existing botnets. Ransom components are sold as ‘plugins’ for some of the well-known banking Trojans including Citadel, Carberp, ICE IX, Zeus, and SpyEye. 

New commercial Ransomware

A recent variant analyzed by RSA researchers revealed a new type of Ransomware, dubbed “Multi-Locker” by its operators. This malware appears to be a commercial creation, destined for sale to cybercriminals interested in launching infection campaigns to spread it. The Multi-Locker ransom and botnet administration control panel were written by a Russian-speaking blackhat, based on a peer’s existing code (the “Silent locker” Trojan). Much like other known Ransomware codes, the malware comes with adapted HTML lock pages designed to appear per each user’s IP address’ geo-location. The pages display in the corresponding language, naming the local national police and demanding ransom in the local currency ($/€/£/other) via prepaid cards/vouchers available in that country.

Multi-Locker is available to cybercriminals through a vendor in underground fraud communities. The malware was announced in the underground in the beginning of October 2012 and offered for sale at USD $899 per kit. In the ad, the vendor guarantees the locking of files on Windows-based machines running any version of Windows, from 2003 to Windows 8. 

Most ransom Trojans to date have been designed to accept prepaid cards or vouchers issued in the US and Europe. Multi-Locker’s vendors are adding their research regarding prepaid media used in Arabic-speaking countries and assure buyers that they will enrich their knowledge to enable them to easily cash out the funds at the end of the line. 

Multi-locker Botnet and control panel

Unlike the majority of ransom Trojans, the Multi-Locker Ransomware was designed with a main point of control that can manage some of the activity of infected bots. The basic control interface shows botmasters some basic statistics such as the total number of bots on that botnet and the payments that come in from each bot. The botnet interface parses each payment made according to the prepaid card type the victim provides.

The panel also displays the botnet’s conversion rate (how many successful infections/ locks out of the entire campaign) at any given moment by showing the total number of lock pages loaded versus the number of bots (that ratio hovering around 20%). 

New features coming soon: DNS-Locker

The most interesting module this Trojan offers is apparently yet to come: DNS Internet Locker. The DNS Locker will be a restriction that will take over the Internet browser, forcing to only display the Ransomware Operator’s HTML lock page, demanding payment for the browser to be released. 

The vendor is very boastful about having researched solutions online and having found none that can help infected users find a way to rid their machines from the malware, adding that even starting the computer in sage mode will not remedy the lock, guaranteeing the future DNS Locker will work on even the newest versions of Windows. 

RSA’s Conclusion

Ransomware were first seen coming from Russia 2005-6 and have since evolved in terms of tactics and scope. Ransomware Malware is particularly lucrative to botmasters operating out of Eastern Europe as almost all were written by Russian-Speaking coders and sold by Russian-Speaking vendors in the Fraud Underground.

Ransomware’s success rate may differ in each country/geography, according to the number of users who decide for the unlocking of the PC. Unfortunately the numbers for this type of attack continue to grow as online users are not very aware of the threat and may attempt to resolve the issue on their own by providing payment to the botmasters.

Phishing Attacks per Month

In November, RSA identified 41,834 unique phishing attacks launched worldwide, making a 24% increase in attack volumes from October. The growth in attacks in November is mostly attributed to the online holiday shopping season as fraudsters try to leverage this time of year to lure victims.

Number of Brands Attacked

In November, 284 brands were targeted in phishing attacks, marking a 6% decrease from October. Of the 284 brands attacked 45% endured 5 attacks or less.

US Bank Types Attacked

Nationwide banks continued to be the most targeted by phishing in November, experienced nearly 80% of all attack volumes.

Top Countries by Attack Volume

In November the US was targeted by 42% of total phishing volume. The U.K accounted for 20% of the attack volume, with India emerging as the third most targeted by volume with 7% of all global attacks. India replaced Canada who saw a significant decrease, from 27% of total attack volumes in October to just 4% in November.

Top Countries by Attacked Brands

In November, the countries that featured the greatest number of targeted brands were the U.S. (30%), still leading by a wide margin, followed by the UK with 11%. Though absorbing a relatively small number of attacks in November, Brazilian brands ranked third of the most targeted with 6%, attesting to the diversity of attacked brands in the country.

Top Hosting Countries

Despite a 6% drop in the month prior, the U.S. continues to be the top hosting country for phishing attacks; one out of every two attacks in November was hosted in the U.S. France was the second top host, accounting for 7% of phishing attacks in November, most of which were hosted by a single ISP.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

RSA’s November Online Fraud Report 2012 including advice on avoiding fraud

RSA’s November Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of their report is below.

In 2011, RSA’s e-commerce authentication technology was used by many of the top card issuers around the globe to protect nearly a half a billion e-commerce transactions and their statistics for 2011 (2012 will be posted when available) are;

  • Over the course of 2011, 7% of all e-commerce transactions were identified as fraudulent, an increase of 2% in 2010
  • During the 2011 holiday shopping season (November 1 – December 31), U.S. consumers spent over $1.4 billion online, an increase of 18% from 2010
  • Identified fraudulent transactions during this same time totaled more than $82 million, an increase of 219% from 2010. Cyber Monday accounted for $2.5 million
  • Top online retailers based on e-commerce transaction volume and amounts in 2011 included three major airlines
  • The top five cities where e-commerce fraud originated over the holiday season include New York, Los Angeles, Chicago, Washington DC and Houston

Fraud is always lurking around every corner, but is especially prolific at this time of year with so many people shopping online. Consumers can follow some very simple tips to stay safe online:

  • Tune up defenses for ALL devices. Just like you would tune up your car before driving to visit relatives during the holidays, you should ensure that any device you plan to shop with (computers, tablets, smartphones and even gaming systems) gets a tune up with the latest browsers and security patches.
  • Shop with retailers that take security seriously. Before entering any personal or payment information, you should look for the closed padlock on your web browser’s address bar and ensure the web address starts with “https” – the “s” standing for secure. Also, look for protection beyond just passwords. For example, many merchants now support the Verified by Visa / MasterCard SecureCode standards which will provide you with additional security. Finally, always make sure there is a phone number or physical address for the merchant in case there is an issue with your purchase.
  • Avoid advertisements, coupons or deals that seem too good to be true. Fraudsters use many scams to try to direct you to a malicious website to download a Trojan onto your computer.
  • Be on the lookout for phishing emails. Fraudsters will be launching countless phishing attacks this time of year trying to secure your payment account information so be on high alert. When the emails start coming in with subject lines screaming “Account Alert” or “Reactivate your account” and making claims such as “invalid login attempts into your account online from an unknown IP address have been identified,” ensure you delete it right away.

Phishing Attacks per Month

In October, RSA identified 33,768 unique phishing attacks launched worldwide, a 5% decrease from September. While attack volume has been decreasing over the last three months, total phishing attack numbers for the second half of 2012 already represent a 9% increase over first half numbers with November and December still to go.

Number of Brands Attacked

In October, 269 brands were subject to phishing attacks, marking a 14% decrease from September. A decrease in the number of targeted brands is likely the result of an increased focus of attacks on several familiar brands.

US Bank Types Attacked

Nationwide banks in the U.S. experienced a slight decline in attacks, down 3%, while U.S. credit unions saw a 5% increase in phishing attacks in October.

Top Countries by Attack Volume

In October, the U.K continued to be the country targeted by the most volume of phishing, with a total of 34%, despite a 14% drop from September’s number. Canada and the U.S. together were targeted by 51% of phishing volume in October. South Africa made a surprising appearance in October, targeted by 4% of phishing volume throughout the month.

Top Countries by Attacked Brands

In October, U.S. brands were targeted the most by phishing,– representing 34% of targeted brands, followed by brands in the UK (12%), and Australia and Canada (both 6% respectively)

Top Hosting Countries

The U.S. continued to host the majority of phishing attacks in October – with three out of every four attacks during the month being hosted in the U.S. Other top hosting countries in October included the UK, Germany, and Canada.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

RSA’s October Online Fraud Report 2012 including summary of Phishing and Social Networking

In their October Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below

Following global trends in online threats, the RSA Anti-Fraud Command Centre continues to see large increases in phishing attacks. Looking back to the first half of 2012 and comparing it with the second half of 2011, RSA reported a 19% increase in global phishing attacks.

Not only is phishing still rampant, it is resulting in significant losses to global organizations.

RSA estimates that phishing cost organizations an estimated $2.1 billion in losses over the last 18 months

Phishing and the Social World

Just four years ago, slightly more than 20% of U.S. citizens were users of social networks. That number has since more than doubled and stands at around 50% today. Facebook membership alone has increased nearly 10 times since 2008 and Twitter shows that membership has increased by a factor of five over the same period.

With the world turning into a smaller and more ‘social’ village, fraudsters and blackhats are certain to join the party. Cybercrime follows the money, and as user behaviour shifts, fraudsters have been following their target audience (potential victims) to the virtual world’s hot spots. According to a research study by Microsoft, phishing via social networks in early 2010 was only used in 8.3% of all attacks by the end of 2011 that number stood at 84.5% of attacks delivered through social media.

What’s so great about phishing via social media?

Using social networks, people behave more socially and are less discriminating with messages or comments they receive on their profiles. With new user numbers soaring every year, phishers get to cast a very wide net. One phishing attack tailored for the look and feel of a single social network can effectively target a very large amount of people, resulting in less work for the fraudster to do and a better yield of potential victims.

With social media, a core component of a successful phishing attack is already built-in: Trust. Users ‘follow’ people they know or trust, they receive messages from people or services they are familiar with (emails from a site’s team for example, a group, a friend’s hijacked account, or comments containing poisoned links).

Rogue communications can sometimes be visually spotted, but most times they look good enough to have the recipient click and go to the phishing site or download a malicious piece of software. In cases where a social network makes heavy use of URL shorteners, telling a suspicious hyperlink before browsing to it is very difficult.

It only gets better (for Phishers)

Social networking sites are getting much better at knowing their users and leveraging that information for more targeted marketing and sales. One of the factors that help enhance the credibility factor in the ever-evolving social media platform is the emerging Freemium model.

Perhaps one of the most popular activities on some social networks is playing social games with other users. The games are free, but only until the user wants to really get ahead in the game or obtain special powers upgrades. This is where the payment prompt jumps in, suddenly making it okay to perform financial transactions through a platform like Facebook.

What does this mean for the user? It legitimizes using their credit card details on the social networking site.

What does this mean for Phishers? More ways to Phish, more data to steal (alongside all the other personal information already shared by users), more attacks and more successful phishing!

Another factor that has been encouraging phishing to come through social networks is enterprises going social. For example, banks that wish to market themselves using social media open user groups people can join, inadvertently providing phishers with a model to follow (not any different from online banking portals being imitated for phishing).

As with any online-borne threat, keeping a close watch on trends is essential to any organization serving customers via the Internet. This new and increasingly ‘social’ nature of delivering phishing attacks is a reflection of user behaviour, a factor that will always be the most significant driver for online crime trends.

Growing use of social networking is going to make phishing via that media more popular with time, and just further supporting the need for on-going and timely user-education and awareness campaigns to help consumers protect their online identities and accounts.

Phishing Attacks per Month

In September, RSA identified 35,440 phishing attacks launched worldwide, marking a 28% decrease from August. RSA data shows that the bulk of this decrease is a result of fewer phishing campaigns launched against a series of European financial institutions, which have accounted for significant spikes in attacks through the past few months.

Number of Brands Attacked

In September, 314 brands were targeted by phishing attacks, marking an 8% increase from August. Increases in the number of brands attacked suggests cybercriminals are casting wider nets at organizations that may not be as well protected or are less familiar with the threat.

US Bank Types Attacked

In the U.S. banking sector, nationwide bank brands witnessed a 10% increase in attacks, accounting for about three out of every four attacks in September. This is not surprising as phishers tend to seek a brand that is well-known and has multiple locations within a region, such as nationwide banks. In this case, there is a larger pool of potential victims and the chance of a spam recipient being an account holder of the targeted brand is much higher.

Top Countries by Attack Volume

Despite a 22% decline in attacks, the UK continues to be the country that endured the highest attack volume, marking the seventh consecutive month, with 47% of attack volume. In turn, Canada absorbed most of this with 17% of attack volume in September.

Top Hosting by Attacked Brands

In September, U.S. brands continued to be the most targeted by phishing, targeted by 29% of attack volume, followed by the UK and Australia.

Top Hosting Countries

In September, the U.S. continued to be the top hosting country for phishing attacks hosting 77% of attacks. Poland, the UK, Canada, and France accounted for hosting just over 10% of attacks in September.

Previous RSA Online Fraud Report Summaries:

  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

RSA’s September Online Fraud Report 2012 including a summary of rogue mobile apps

In their September Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below

Threats and risks in today’s mobile app marketplace

In terms of mobile security, some mobile application (app) platforms, such as Apple’s AppStore, are known to employ strict rules to which application developers are obliged to adhere.

Other mobile app platforms, such as Android’s Google Play, are more flexible with regards to mobile apps. While providing application developers with a programming platform that is optimized for convenience and ease-of-entry into the app marketplace, it is these very qualities that have made Android the most heavily targeted mobile operating system, with Android apps by far the most widely used vehicle for spreading mobile malware.

Apps are one of the driving forces behind today’s smartphone market. Their download to mobile phones makes them an attractive new attack vector for cybercriminals along with other mobile phone attributes: the shortened URL, low security awareness among users, and the ease of copying a mobile webpage’s layout for malicious purposes.

This risk extends to the corporate setting with companies increasingly adopting Bring- Your-Own-Device (BYOD) policies, in which employees’ devices double as platforms for both personal and work-related communications. Apps that intercept a mobile user’s email and phone communications for example, may gain access to corporate communications, as well.

Types of Rogue App Payloads

According to a research study on Android malware conducted by the Department of Computer Science at North Carolina State University, 86% of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone, making their detection more difficult. The same study found that many others piggyback on genuine app updates to remain undetected.

The payloads these apps install after being downloaded to a device vary widely, and can include:

  • SMS Sniffers. Apps that covertly collect SMS text messages, including passwords sent to users’ handsets, and forward this information to a remote drop point. Some of these include other stealth features to avoid raising the user’s suspicion, for example, functionality that turns off the alarm sound when new text messages are received and hides all incoming messages
  • Premium dialers. Apps that install themselves on the user’s handset and start dialing phone numbers or sending dummy text messages to premium-rate service numbers. This type of operation requires the setup of a bogus merchant, along with a fraudulent merchant ID through which cybercriminals can collect funds unwittingly siphoned out of user’s accounts. Handset owners would only become aware of the scam when seeing their bill the following month
  • SEO enhancers. Apps that repeatedly access a certain website, or websites, to increase their rankings in search engine’s results
  • Ransomware. Apps that lock a user’s handset and demand payment from users in return for relinquishing control of the mobile device
  • Spyware. Apps that send the attacker or spy (via a remote drop point) information garnered from a victim’s device including GPS data, intercepted calls and text messages, and phone contacts
  • Botnet clients / Bridgeheads. Apps that communicate with a cybercriminal via a command & control (C&C) server. These may be used as infrastructure for further malware downloads, much like ready-made PC botnets whose infected systems await to download banker Trojans or other malware pushed from the C&C server. These payloads act as a bridgehead by giving the perpetrator an initial foothold on the compromised device. The payload opens a port on the device, and listens for new commands issued from the fraudster’s C&C point. Later on, an encrypted payload may be downloaded to the user’s device

Android apps and their exploitation

At the end of H2 2012, Google announced that the number of devices running Android has reached 400 million, representing 59% of the world’s smartphone market. And to date, Android’s open source code platform has led to the publication of over 600,000 mobile apps. Android’s source code is based on the Java programming language, and its ease of use and low publisher entry fee has made it the most widely targeted mobile platform by malware developers, and the most widely attacked by today’s Trojans. The increased risk for Android app users has already led several anti-virus companies to release AV software for Android-run devices.

A Secure Venue for Apps

The official venue for Android applications is called “Google Play” (formerly known as “Android Market”). By default, each handset running Android is configured to exclusively allow the installation of apps downloaded from Google Play, and to block installation of apps downloaded from any other venue. This is to ensure a minimal level of security.

Downloading apps from Google Play provides an extra security benefit to Android users, as the store provides a “Remote Application Removal” feature, which allows apps that are retrospectively identified by Google as being malicious to be removed from relevant users’ handsets.

Another important security feature added to Google Play is “Google Bouncer,” which scans new apps, acting as a gatekeeper to keep out those identified as malicious.

Despite Android’s default Google-Play-only settings, Android users can still choose to install apps from venues other than Google Play by manually changing their devices’ security settings. Aware of the security issues this may raise, Android users are presented with a warning message when selecting this option.

Android App Permissions

As a second security measure, prior to the installation of an Android app on most Android-based OSs, the app requests certain system permissions, all which have to be approved before the app can be installed on the device. Whereas legitimate apps normally request only one or two permissions, rogue apps are known to request a long list of permissions before installing themselves.

Currently, this is the main security obstacle for rogue Android apps, which some Trojan coders have managed to bypass through socially engineered schemes. For example, RSA has previously detected a mobile-malware app (SMS sniffer), which presented itself as security software. The app requested nine different permissions, including permission to boot the handset, change system settings, and send text messages. Unsurprisingly, the app was offered from a standalone domain not affiliated with any app store.

RSA’s Conclusion

Today, the payload app may remain on a device even after the host app (with which it was downloaded) has been removed. This makes initial detection and removal of the app from the app store that proffers it even more crucial.

As with PC-based malware, educating consumers to raise awareness of today’s mobile threats and urging them to take precautions against rogue apps, will be of paramount importance to mitigating mobile threats in years to come.

Phishing Attacks per Month

In August, 49,488 unique phishing attacks were identified by RSA, marking a 17% decrease from July. The bulk of this decrease is a result of fewer phishing campaigns launched against European financial institutions which have accounted for significant spikes in recent months.

Number of Brands Attacked

In August, 290 brands were subject to phishing attacks, marking a 20% increase from July. This considerable increase shows that cybercriminals are expanding their phishing targets wider, to new organizations and new industries not targeted in recent months. More than half of the brands affected by phishing in August were targeted by more than five phishing attacks.

US Bank Types Attacked

In the U.S. financial sector, nationwide banks experienced a 7% decrease in phishing attacks. However, brands in this segment continue to be most targeted by phishing attacks, hit by two out of every three attacks in August.

Top Countries by Attack Volume

In August, the UK continued to get hit by the majority of worldwide phishing attack volume for the sixth consecutive month, accounting for about 70% of all global phishing volume. The U.S. and Canada continued to remain second and third on the list.

Top Countries by Attacked Brands

In August, the U.S., UK and Australia were the top three countries whose brands were most affected by phishing, targeted by 45% of global phishing attacks during the month.

Top Hosting Countries

The U.S. hosted the vast majority of phishing attacks in August with 80%, followed by Canada, the UK and Germany.

Previous RSA Online Fraud Report Summaries:

  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

Advance malware threats are growing at an alarming rate

FireEye have published their Advanced Threat Report for the first half of 2012. The results are based on their knowledge of Advanced Persistent Threats and the rest of the malware market.

Their key findings are:

  • Organizations are seeing a massive increase in advanced malware that is bypassing their traditional security defenses.
  • The patterns of attack volumes vary substantially among different industries, with organizations in healthcare and energy/utilities seeing particularly high growth rates.
  • The dangers posed by email-based attacks are growing ever more severe, with both link and attachment-based malware presenting significant risks.
  • In their efforts to evade traditional security defenses, cybercriminals are increasingly employing limited-use domains in their spear phishing emails.
  • The variety of malicious email attachments is growing more diverse, with an increasing range of files evading traditional security defenses.

Finding 1: Explosion in Advanced Malware Bypassing Traditional Signature-Based Defenses

The malicious advanced malware organizations have to contend with has grown dramatically, not just in terms of volume, but in its effectiveness in bypassing traditional signature-based security mechanisms. On average, organizations are experiencing a staggering 643 Web-based malicious events each week, incidents that effectively penetrate the traditional security infrastructure of organizations and infect targeted systems.

This figure includes file-based threats that are delivered over the web and email. File-based threats can be malicious executables, or files that contain exploit s targeting vulnerabilities in applications. They are downloaded directly by users, via an exploit, or links in emails. The statistic of 643 infections per week does not include callback activities, which largely happen over the Web.

Compared to the second half of 2011, the number of infections per company rose by 225% in the first half of 2012. If you compare the first six months of 2011 with the first six months of 2012, the increase seen is even larger at 392%.

These figures are not the total found in the so-called “wild”, but are the number of Web-based infections that successfully evaded organizations’ existing security defenses, such as next-generation firewalls and AV.

  • Users remain very susceptible to clicking on malicious links, especially when those links exploit social engineering tactics.
  • Embedding malicious code within Hypertext Transfer Protocol (HTTP) traffic is proving effective at bypassing traditional security mechanisms.
  • As a result of these two dynamics, cybercriminals see that their tactics are working, so the number of attacks they launch continues to grow

Explosive Growth in Advanced Malware Infections

  • Growth from 2H 2011 to 1H 2012: 225%
  • Growth from 1H 2011 to 1H 2012: 392%

Finding 2: Patterns of Attacks Vary Substantially by Industry—Attacks on Healthcare up 100%, 60% in Energy/Utilities

When assessing the average number of incidents that evade traditional security defenses, patterns and trends vary substantially across industries. For the most part, each industry experiences peaks in attack volumes at different times.

A couple of industries that are prone to high incidents were excluded from this report. Education was excluded since little, if any, control can be had over student systems and in general students are surfing more and visiting more risky sites. Also government was excluded since it is common for government agencies to receive data from FireEye but not send information back to FireEye.

The figures below illustrate the monthly incidents, including inbound attacks as well as outbound exfiltration and communication attempts. These incidents were identified by the FireEye MPS appliances deployed globally within the networks of customers and technology partners.

Healthcare

Between January 2012 and June 2012, the number of events detected at healthcare organizations has almost doubled. Compared to other industries, however, there has been a more consistent pattern of malicious activity, indicating a persistent and steady threat confronting these organizations.

As healthcare organizations move toward the adoption of electronic health record systems and digitally store and manage Personally Identifiable Information (PII), these sensitive assets seem to be coming under increasing attack by cybercriminals.

Financial Services

Between the second half of 2011 and the first half of 2012, the financial services industry has seen a massive increase in terms of the average number of events per customer for that industry. In May 2012 the industry saw more events than the entire second half of 2011. Compared to healthcare, there have been more dramatic fluctuations in this market. The most dramatic shift discovered was a huge spike in May 2012, followed by a drop-off in June, which was a pattern also seen in May and June of 2011.

Technology

Companies in the technology sector continue to be the most targeted organizations. While total numbers have remained relatively stable on a month-to-month basis, overall numbers remain high compared to other industries.

Energy/Utilities

In the energy/utilities sector, there have also been some significant fluctuations in incidents, however the overall trend indicates a huge increase. In the past six months, energy and utility organizations have seen a 60% increase in incidents.

As the Night Dragon attack dramatically illustrated, critical infrastructures of energy and utility companies are under attack. In this case, criminals went after intellectual property, information on ongoing exploration, and records associated with bids on oil and gas reserves. Due to current geopolitical dynamics, data surrounding the sources of fossil fuel-based energy in particular are some of the most targeted assets.

Finding 3: The Intensified Dangers of Email-Based Attacks, Both Via Links and Attachments

While the APT attacks that have been reported on in recent years have exhibited a range of different tactics, it is clear that there is one very common characteristic: email is the primary channel through which the attacks are initiated. Operation Aurora, GhostNet, Night Dragon, the RSA breach, and the majority of the other APTs that have been publicly documented have been initiated at least in part through targeted spear phishing emails. The bottom line is that organizations looking to stop APTs absolutely have to have capabilities for detecting and guarding against these kinds of attacks.

To gain entry into an organization’s network, cybercriminals are launching their attacks through spear phishing emails. These emails either use attachments that exploit zero-day vulnerabilities or malicious and dynamic URLs. Between 1Q 2012 and 2Q 2012, there was a 56% increase in the amount of email-based attacks that successfully penetrated organizations’ traditional security mechanisms.

During the course of 2012, there has been significant fluctuation in the amount of malware delivered via attachments versus links. In January 2012, the number of malicious links represented about 15% of the volume of malicious emails. By May and June however, the volume of malicious links outnumbered malicious attachments.

Moving forward, we expect to see continued fluctuation in the relative numbers of these categories on a monthly basis, but don’t expect that either one will dramatically or permanently overtake the other in the long term. The critical takeaway is that both of these types of threats exist in significant numbers, and that organizations need to guard against both of these threat vectors to effectively strengthen their security posture.

As zero-day application vulnerabilities are patched, file attachments used in attacks wane and cybercriminals return to Web-based vectors. However, as we have seen in the past, a new crop of zero-day application vulnerabilities is always just around the corner, leading cybercriminals to return to file attachment-based attacks.

Finding 4: Increased Prevalence of Limited-Use Domains in Spear Phishing Attacks

In their efforts to bypass organizations’ security mechanisms, cybercriminals have continued to employ increasingly dynamic tactics. The continued explosion of malicious domains used in spear phishing attacks illustrates the unsolvable problem facing technologies that rely on backward-facing signatures, domain reputation analysis, and URL blacklists.

Criminals are increasingly employing malicious URLs for only a brief period of time before they move on to using others. “Throw-away” domains are malicious domain names used only a handful of times, say in 10 or fewer spear phishing emails. These domains are so infrequently used that they fly under the radar of URL blacklists and reputation analysis and remain largely ignored and unknown. As the chart on the next page illustrates, the number of throw-away domains identified increased substantially in the first half of 2012.

Through social engineering, cybercriminals are personalizing emails and then using throw-away domains to bypass the signature and reputation based mechanisms that organizations rely on to filter out malicious emails. It is important to note that these URLs are sometimes randomly generated, and sometimes tailored to a specific tactic. In the second half of 2011, domains that were seen just once comprised 38% of total malicious domains used for spear phishing.

In the first half of 2012, that figure grew to 46%. The graph below shows that the overall volume of spear phishing emails is increasing and our domain analysis also shows the ratio of emails that use limited-use domains is also on the rise.

Finding 5: Increased Dynamism of Email Attachments

As outlined earlier, email-based attacks are used to initiate the bulk of the APT s reported, and guarding against both malicious attachments and URLs distributed via email is a critical mandate for organizations. Email-based attacks are the first tactic cybercriminals employ in order to get through the target’s perimeter defenses and gain a foothold in the network. As security teams seek to guard against malicious email attachments, however, they are encountering a fundamentally evolving dynamic in the makeup of these files. Just like URLs, the use of malicious attachments is growing increasingly dynamic.

Over the past twelve months, the diversity of attachments that led to infections has expanded dramatically. In the second half of 2011, the top 20 malicious attachments accounted for 45% of attachments that evaded organizations’ perimeter defenses. In the first half of 2012, the variety of malicious attachments increased so that the top 20 malicious attachments only accounted f or 26%, nearly half of the figure in the second half of 2011. These numbers make clear that cybercriminals are changing their malware more quickly, employing a longer list of file names, and reproducing malware and morphing it in an automated fashion. In this way, the task of creating signature based defenses to thwart these malicious files grows increasingly difficult.

Between the second half of 2011 and the first half of 2012, the average number of times a given malicious attachment was sent in an email dropped from 2.44 to 1.87.

FireEye’s conclusions on its report

As this report amply illustrates, organizations are under persistent attack, and the attacks being waged continue to grow more dynamic, effective, and damaging. For organizations that continue to rely solely on firewalls, IPS, AV, and other signature, reputation, and basic behavior-based technologies, it is abundantly clear that compromises and infections will continue to grow. To effectively combat these attacks, it is imperative that organizations augment their traditional security defenses with technologies that can detect and thwart today’s advanced, dynamic attacks. This requires capabilities for guarding against attacks being waged on the Web, and those being perpetrated through email, including spear phishing emails that use malicious attachments and URLs.

.

RSA’s August Online Fraud Report 2012 including a summary of Fraud as a Service (FaaS)

In their August Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below.

A five-year retrospect on Fraud as a Service (FaaS) reveals that the types of services sold today have changed very little; the more noticeable changes came in the shape of scalability, service relevancy, higher availability, better deals, customer support and buyer guarantees.

Underground criminals buy and sell goods and services around the clock. The fact that these markets operate online eliminates borders and physical distance, allowing people from different parts of the world to wheel-and-deal and to partner-up in the orchestration of fraud cash-out cycles without ever meeting or speaking on the phone.

What do they sell?

For phishing – scam pages, complex phishing kits and custom kit plugins, spamming services, email databases, junk traffic, SEO poisoning, email cracking tools, spam software, and SMS spoofers, to name a few. After the attacker gathers the spoils, fraudsters can opt to buy the already-harvested databases of phishing attacks or purchase unitary ‘logins’ in an online shop selling compromised data.

For botmasters –  Trojan-related facilitators exploit kits, malware spam, botnets, Trojan kits, HTML injections, customized malicious code, encryption services, bulletproof hosting, pay-per-installs/affiliate infection schemes, plugins, set-up and tech support.

Hardly ever does one fraudster take on the complete fraud cycle; rather, fraudsters opt to partner with more experienced criminals or offer up their own expertise (such as performing in-store pick up of goods obtained with stolen credit card data). Much like real-world crime, each actor ‘gets his hands dirty’ to different extents. Bottom line – the fraudulent transaction is turned into cash in different ways and the profits are shared among those involved.

Those who don’t have any trustworthy connections in the world of fraud find and use transfer and cash-out services. Money mule, cash-out services and Item-drop mules have become ever so popular, that some vendors have already automated them for those who attempt the bulk of transactions each day bot herders and ‘carders’.

Almost all busy criminals today connect with a mule repository operator and have their fraudulent transactions go through the vendor’s mules, receiving a cut of each successful transaction as per a mutual agreement. Some cases of mule-repositories are part of the fraud cycle of one gang.

Recent underground fraud services:-

Hire a “Man-in-the-Middle”

One of the more interesting recent FaaS offers was found in an underground forum, posted by a Russian-speaking member offering his infrastructure for very temporary hire, alongside his own services as a man-in-the-middle facilitator. The botmaster had a few perks for customers who wish to attempt Trojan attacks without having to set up anything whatsoever:

  • Rent the infrastructure – gain access to infected bots
  • Pay to target and harvest – send over a trigger and a Trojan injection and those will be pushed to existing infected bots on the botnet (through a Trojan configuration file update)
  • Pay to attack – the botmaster will facilitate fraudulent transaction attempts using his Trojan’s remote administration access to bots

Buy a Botnet

The vendor behind this offer was also working in collaboration with other cybercriminals, each offering a related service a bot herder would need for the set up and operation of a botnet.

Automated Customer Support

In the recent past, Trojan developers only offered support via live chat using instant messaging services (Jabber, ICQ). A developer could only support a limited number of chats until the burden of supporting his customers became too great and support deteriorated or stopped altogether.

Trojan developers did understand the substantial need for customer/technical support and took pains to find new ways to preserve their customer base. To get an idea about just how ‘real’ customer support has become, take a quick look at this SpyEye vendor’s page. Notice the headers on the page; much like legitimate software companies – they direct users to an FAQ page, an “About SpyEye” section, and provide a detailed web form that can be sent directly to the vendor’s alleged support team, automating the process.

Many of today’s fraud service vendors put strong emphasis on supporting their buyers, offering guarantees and assistance, from the exchange of faulty or invalid cards and access credentials, all the way to providing set-up, tutorials, and tech support to those who have to operate on going online fraud operations (botnets, CC shops, exploits etc.).

One cannot mention excellent cybercrime customer support today without “Citadel” coming to mind. The team developing the Citadel Trojan has long established itself as the new go-to crimeware vendor, well on their way to inheriting the Zeus Trojan market share they built upon. The most unique feature this team offers to botmasters using Citadel is a clever CRM model that supports, tickets, listens and advises members on how to set up and operate their Trojans. The CRM is not optional! All botmasters must join it and pay a fixed monthly fee for their membership.

RSA’s conclusion

A better cybercrime marketplace, much like organized crime in the physical world, increasingly affects the world’s economy by the sheer amounts of money it taxes it every year. The worst part about this dark economy is its faceless, covert nature and thus the hardship in quantifying and understanding the extent of its damage.

Stronger crime economies are a burden on the legitimate economy in hard costs but do not stop there. This large scale clandestine operation also affects crime statistics and touches real-life aspects of law enforcement and the legal system. Due to cybercrime’s global, scattered nature, fighting it often requires internationally coordinated investigations and arrests, further taxing the resources of each nation touched by digital crimes.

Phishing Attacks per Month

Phishing attacks in July increased 14% from June, marking yet another high of 59,406 attacks in a single month. In examining an overall spike in attacks, the bulk of last month’s increase can be attributed to highly targeted phishing campaigns launched against a series of financial institutions in Europe.

Number of Brands Attacked

In July, a total of 242 brands were targeted with phishing attacks, marking a 7% drop from June. As compared to July 2011, last month’s list of phishing targets demonstrates a 25% year-over-year drop in the number of targeted brands.

US Bank Types Attacked

There was very little change in how the U.S. banking sector was targeted by phishing in July. Nationwide banks still continue to be targeted by about three out of every four phishing attacks. This reflects the tendency of cybercriminals to attack larger financial institutions.

Top Countries by Attack Volume

For the fifth consecutive month, the UK was targeted by the highest volume of phishing attacks, followed by the U.S. and Canada. The UK endured 70% of worldwide attacks, its highest portion ever.

Top Countries by Attacked Brands

Although the UK was targeted by 70% of phishing volume in July, the U.S. continues to be the country with the greatest number of targeted brands. Brands in the U.K., Brazil, India, and Australia collectively were targeted by 27% of attacks in July.

Top Hosting Countries

The U.S. hosted 79% of worldwide phishing attacks last month, its highest portion to date according to the RSA Anti-Fraud Command Center. Canada, the UK and Germany accounted for hosting an additional 10% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

Counting the cost of e-crime to retailers. Actually it’s £205.4 million a year.

The British Retail Consortium (BRC) has released the findings of their first e-crime study. The study is based on responses to a quantitative survey conducted between April and May 2012. Respondents were members of the BRC drawn from a selection of key retailing types including supermarkets, department stores, fashion, health and beauty and mixed retail. The retailers questioned constitute around 45 per cent of the UK retail sector by turnover.

The headline finding is the total cost of e-crime to the retail sector was £205.4 million in 2011-12

This estimate comprises three main components:

1. E-crime Overall. The UK retail sector lost £77.3million as a result of the direct costs of e-crime.

2. Security Data, provided by retailers questioned in this survey suggests that, in 2011-12, at least £16.5 million was spent by the retail sector to provide better protective security for customers against e-crime. This figure excludes payments to banks for systems such as 3D Secure and ‘chargebacks’.

3. Lost Revenue. Estimated losses in revenue experienced as a result of legitimate business being rejected through online fraud prevention measures came to £111.6 million in 2011-12.

The key components making up the direct costs of e-crime were:

  • Identification-Related Frauds such as account takeovers which were the most costly variety of online fraud for retailers, resulting in at least £20 million of losses in 2011-12
  • Card and Card Not Present Frauds which were the next most costly variety, resulting in a minimum of £15 million of losses to the sector in this period
  • Refund Frauds which produced £1.2 million in known losses

The costs of e-crime to the retail sector are further inflated by the need to guard or restore systems against other kinds of threat such as malware, Distributed Denial of Service (DDoS) attacks or hacking. Since retailers do not yet collect precise data on this type of compromise to their systems, the research was unable to derive an overall cost estimate for these losses.

However, the research did find that repairing or restoring systems after DDoS attacks alone now costs up to £100,000 on average. Once these other varieties of threat are factored in, the true cost of e-crime to the retail sector is likely to be far higher than the estimate provided above.

E-Crime – The Emerging Threat

  • The most common fraud experienced by retailers in 2011-12 was Card Not Present fraud, with nearly 80% of UK retailers questioned in the survey stating that this was now common or very common.
  • Identification-Related Fraud was the second most common category with around 50% of retailers saying that the use of false identification was now a common or very common tactic in attempts to defraud their online systems.
  • If other misuses of personal identification (such as account-takeover frauds) are included under the heading of Identification-Related Fraud, then this emerges as the most prevalent category – with around 78 per cent of UK retailers reporting such frauds to be common or very common.
  • Increased threats to e-commerce were also found to be linked to disruptions caused by attacks upon online trading systems. For example, over 20% of retailers reported that Distributed Denial of Service (DDoS) attacks caused serious or very serious disruptions to their systems in the period surveyed.
  • Phishing appears to be a particular problem for UK retailers, with some respondents indicating that a single phishing attack within the period surveyed could have cost the company concerned up to £2 million to deal with. The negative impacts of phishing upon retail reflect a global trend which has indicated that, after US companies, UK brands and companies are now the second most targeted globally (RSA 2012). Find a link to 10 RSA monthly summaries at the bottom of the post.
  • Although more sophisticated attacks like phishing or hacking are often carried out by perpetrators from outside the UK, retailers questioned in this survey suggested that the majority of frauds continue to be perpetrated domestically. Retailers reported that around 86% of attacks originate within the UK
  • The extent and sophistication of the threat is likely to be due to the high level of online sales in the UK.
  • 75% of respondents reported that over 80 per cent of their sales occurred in the UK. Nevertheless, the research found that retailers were often unclear about the breakdown between UK and foreign originated e-crime perpetrated against them.
  • When combined with the difficulties retailers face in tracing the origin of e-crime and the lack of intelligence from law enforcement, the level of e-crime originating outside the UK is likely to be far higher than the estimates provided in this research.

Managing e-crime – Security and Effectiveness

  • 8% of the current losses from e-crime relate to security costs, with the survey indicating that firms across the retail sector spent at least £16.5 million on internal and external security provision.
  • The most significant component of this figure was staffing security systems which cost the sector at least £10.5 million in 2011-12.
  • Investment in security technology amounted to around £6 million for the same period.
  • Online security is managed through both internal and external provisions with third party screening continuing to be the most common, and most expensive, option. The data was not sufficiently robust to enable an overall projection of costs for outsourcing security provision to third parties. However some respondents indicated that this could be as high as 7 pence per transaction.
  • 71% of respondents supplemented third party screening with other automated methods of security such as 3D Secure.
  • 71% of retailers were also deploying the Address Verification System (AVS).
  • 78% of respondents stating that they use customer order history to make online purchases more secure.
  • 64% of respondents also contact the customer or card issuer directly to verify the details of a purchase.
  • 50% of respondents were contemplating investment in new methods or technologies in the future.
  • This increasing expenditure will inevitably lead to higher costs than those outlined within this research.

Law Enforcement Responses and Government Support

Respondents highlighted a number of concerns around the policing of e-crime with the survey finding uniformly low levels of satisfaction with current police responses to retail e-crime.

  • At least half of retailers said they were dissatisfied with current responses
  • Over a quarter of the total expressing strong dissatisfaction
  • 14% indicated that they were very satisfied with current law enforcement support

The reason for such low levels of reporting and satisfaction was that e-crime is not considered to be a priority by many police forces. There were also concerns that national units such as the National Fraud Intelligence Bureau or the Police Central e-Crime Unit (PCeU) do not have the resources or capacity necessary to carry out further investigations.

The research found that there were significantly low levels of reporting.

  • 60% of retailers questioned said they would be unlikely to report any more than 10% of e-crimes to the police. This was largely due to retailers’ concerns with the law enforcement approach to policing e-crime offences.

Of the frauds that were reported to the police, Card Not Present Frauds were the most common

  • 36% of respondents indicating that these would be reported
  • 14% said that they would report other kinds of fraud such as Credit Fraud (by Account Takeover).

Retailers also raised the need for greater government support

  • 57% of respondents expressed strong or moderate dissatisfaction with current support from government
  • Many retailers felt that there was scope for government to offer more support to UK businesses by informing them about potential threats to their business and providing guidance or advice on how best to mitigate these threats

British Retail Consortium Director General Stephen Robertson, said:

“The rapid growth of e-commerce in the UK shows it offers great benefits for customers but also new opportunities for criminals.

“Online retailing has the potential for huge future commercial expansion but Government and police need to take e-crime more seriously if the sector is to maximise its contribution to national economic growth.

“Retailers are investing significantly to protect customers and reduce the costs of e-crime but law makers and enforcers need to show a similarly strong commitment.

“This first comprehensive survey assessing the make-up and scale of e-crime shows where efforts need to be directed.

“Law enforcement and the Government need to work with us to develop a consistent, centralised method for reporting and investigating e-crime and resources must be directed to e-crime in line with the emerging threat. This will encourage retailers to report more offences and allow the police to better identify and combat new threats.”

Find 10 monthly RSA Online Fraud report summaries here.

.

RSA’s July Online Fraud Report 2012

In their July Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

Phishing attacks continue to increase around the world. In the first half of 2012, the RSA Anti-Fraud Command Center identified 195,487 unique phishing attacks, an increase of 19% as compared to the second half of 2011.

Global fraud losses down despite a 19% increase in phishing attacks

Despite the increase, however, fraud losses from phishing are on the decline. RSA estimates that phishing attacks in the first half of 2012 could have potentially caused $687 million in total losses to global organizations. It is also worth reading my previous post “A new report indicates that UK fraud has fallen by 50% in the last 12 months…”.

So why are fraud losses decreasing? One reason is that the industry is simply getting better at fighting back. A major factor in determining fraud losses caused by phishing is measuring the lifespan of an attack. The longer an attack is live, the more victims there are that are potentially exposed and at risk of having their credentials stolen. By reducing the lifespan of a phishing attack through early detection and shutdown, organizations narrow the window of opportunity for cybercriminals to commit fraud.

In the first half of 2012, the top ten countries that experienced the highest volume of phishing attacks include:

  1. United Kingdom
  2. United States
  3. Canada
  4. Brazil
  5. Netherlands

There have been major increases in phishing attack volume in some countries, while in other countries, it has declined slightly. One of the most significant increases was in Canada where phishing increased nearly 400% in the first half of 2012. There have been many observations as to why the sharp increase, but the main reason is simply economics, fraudsters follow the money. See my previous blog “Criminal logic; follow the money and find easy targets”. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become a lucrative target for cybercrime.

On the other hand, the U.S. experienced a 28% decline in phishing volume in the first half of the year. Other countries that have seen phishing volume decrease include Brazil, the Netherlands, Germany, Australia and South Africa.

Phishing Attacks per Month

In June 2012, phishing volume grew considerably. RSA identified 51,906 unique phishing attacks, a 37% increase. The recent spike in phishing volume can be partly attributed to the advanced technology and fraud services offered by cybercriminals in the underground including ready-made spam databases, custom coded malware designed to automate site hijacking and the hosting of malicious pages, as well as sophisticated spambot services.

Number of Brands Attacked

Despite the huge spike in phishing volume, the number of brands targeted by phishing attacks throughout the month of June decreased 13%.

US Bank Types Attacked

In the U.S. financial sector, nationwide bank brands saw a 16% increase in phishing volume in June while credit union brands saw a 10% decrease and regional bank brands saw a 6% decrease.

Top Countries by Attack Volume

The UK endured the largest volume of phishing attacks in June, despite seeing a drop of 21% in attack volume (from 63% to 42%). Canada was the country with the second largest volume of attacks, with a considerable increase from 3% to 29% in June. A surprising newcomer, Norway, experienced 2% of phishing volume.

Top Countries by Attacked Brands

The U.S., UK and Australia remain the three countries whose brands are most affected by phishing – targeted by 43% of phishing attacks in June. Brands in India, Brazil, Canada, Italy and China also remained heavily targeted by phishing in June.

Top Hosting Countries

The U.S. continues to be the country that hosts the most phishing attacks. In June, six out of every ten phishing attacks were hosted in the U.S. Russia and Poland – both newcomers to the Top Hosting Countries list – hosted 5% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

RSA’s June Online Fraud Report 2012

In their June Online Fraud Report RSA reports on the activity of online fraudsters, full summary below.

RSA researchers have been following Ransomware campaigns and Ransomware Trojan attack waves and have recently analyzed a new variant that holds infected PCs hostage until their owners make a €100 payment to the botmaster.

Ransomware is the type of malware that can infect a PC and then lock the user’s data most commonly by encrypting files or by injecting a rogue MBR (master boot record) to the system’s start-up routine.

Ransomware can come as standalone malicious code or coupled with other malware. This type of malicious campaign has been on the rise and are ever popular, with many recent cases combining banking Trojans with Ransomware. While the user’s files are typically locked until the ransom is paid, the victim is still free to browse the Internet, thus allowing the banking Trojan to continue collecting information on the victim uninterrupted.

The Trojan involved in the cases studied by RSA is a Ransomware that begins by checking for the future victim’s geo-location and adapting a ransom page to the local language for thirteen different countries. The fact that this malware aims at 13 specific countries may seem targeted enough at first sight, but it is only the case of one variant – if this malware is shared or sold with other criminals, they could easily adapt it to their own targets.

RSA researchers were able to recognize 13 different ransom kits available for this Trojan. All kits are located in the same folder, where some countries have two different types of images that can be downloaded and used by the Ransomware (in cases when more than one language is spoken in that country, such as Belgium).

After the Ransomware kit infected the PC, it was downloaded and unpacked locally. This is the point at which the Trojan begins its primary communication with the botmaster’s remote server.

The communication includes three main purposes:

  1. Inform the botmaster of the addition of a new bot, send infected machine’s IP address (and then used to define the infected PC’s physical location)
  2. Obtain a blacklist of potentially fake prepaid card/voucher numbers defined by the botmaster
  3. Ping the botmaster to use the C&C as a drop for the coming ransom payment (in the shape of a card PIN/voucher number)

This Trojan also makes a few copies of itself and saves them under different names locally on the infected PC.

Much like other Trojans, this Ransomware is managed via server side scripts on the botmaster’s resources. The variant analyzed in this case used four resources, all of which were located on the same physical server, using two different IP addresses held with a Russian-based ISP – typical for the vast majority of Ransomware.

RSA was able to deduce that the Ransomware analyzed is actually part of a larger cybercrime operation. The botmasters behind this malware variant are clearly bot-herding and monetizing their botnets using a loader Trojan, banking Trojans and Ransomware variants. The server hosting the Ransomware has proven to also be a drop zone for stolen credentials amounting to well over €80,000.

RSA Conclusion

Ransomware has been gaining speed among cybercriminals and bot-herders, likely because this extortion method works and keeps paying off, as victims believe that if they pay, their system will be unlocked.

With ransom amounts averaging €100, it seems as though botmasters behind these scams keep the fee relatively low, possibly so that the victim may prefer to pay it in hopes of releasing the hold on their PC rather than contact a support professional. Another factor keeping victims quiet are typical Ransomware accusations, including things such as software and music infringement. It is very possible that users do not know they were infected by malware and are not keen on contacting someone about it, thus allowing this type of malware to enjoy its continued popularity.

Phishing Attacks per Month

In May 2012, phishing volume increased by 7%, with a total of 37,878 global attacks identified by RSA. The bulk of the increase observed in the past two months is a result of highly targeted phishing campaigns launched against a small number of financial institutions.

Number of Brands Attacked

The number of brands targeted by phishing attacks throughout May increased by 4%, and 50% endured less than five attacks.

Types Attacked

Phishing attacks against U.S. nationwide bank brands decreased by 20% while credit unions saw a 13% increase in phishing volume in May.

Top Countries by Attack Volume

After being targeted by 28% of worldwide attacks in April, Canada saw a huge drop in attack volume in May to just 3%. The UK remains the most heavily targeted country for the third consecutive month, enduring more than 60% of global phishing volume in May.

Top Countries by Attacked Brands

The countries with the most attacked brands in May were the U.S., UK, and Australia, accounting for 47% of all phishing attacks. Brands in Brazil, India, Canada, China, France and Italy also continue to remain highly targeted by phishing.

Top Hosting Countries

The U.S. saw an increase of10% in the number of phishing attacks it hosted in May – increasing to 66%, or two out of every three attacks. Brazil also remained a top host with 9% and Germany with 4%.

Previous RSA Online Fraud Report Summaries:

  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

Blog at WordPress.com.

Up ↑

%d bloggers like this: