Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

RSA Security

RSA’s September 2013 Online Fraud Report featuring a review of “education in the cybercriminal world”

RSA‘s September 2013 Online Fraud Report discusses the improvement in cybercriminal skills and how education offered online with support of tutors, course work and counselling is increasing the threat to businesses and people alike.

RSA have seen an increase in ads by established criminals advertising courses they commonly carry out via Skype videoconferencing. To add value, “teachers” are offering interesting fraud courses, following those up with individual tutorials (Q&A sessions) after students join their so-called schools.

Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster trade schools further offer ‘job placement’ for graduates through their many underground connections with other experienced criminals. Interestingly, some of the “teachers” go the extra mile and vouch for students who show “talent” so that they can join the underground communities they would otherwise not be able to access.

Some cybercrime professors even enforce a rigid absentee policy:

  • Students must give a 2 hour advanced notice if they cannot attend.
  • Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for the next class.
  • Students who fail to pay absentee fees will forfeit the entire deposited fee.

The following section presents some examples of cybercrime schooling curriculums exposed by RSA fraud analysts.

Beginners’ cybercrime classes

The first level is designed for beginners, teaching the basics of online financial fraud. The Cybercrime Course Curriculum:

  • The Business of Fraud – Credit cards, debit cards, drop accounts, how all it works, who are the clients, prices, risks
  • Legal Aspects – How to avoid being caught by the authorities. What can be used against you in a court of law? Building Your Business Where to find clients? How to build a top-notch fraud service
  • Transaction Security – How to avoid getting scammed and shady escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)

Courses in card fraud

Criminals further offer the much in demand payment card fraud classes – one course per payment card type. Card Fraud Course Curriculum:

  • The Business – Drops, advertising, accomplices, chat rules and conventions
  • Legal Security – Dealing with law enforcement: who is accountable for the crime in organized groups, what can be collected as evidence
  • Building Your Business – Invaluable tips that will help develop your service to top level, and help acquire customers
  • Security of Transactions – Common patterns of rippers/ripping, how to identify scams, how to use escrow services
  • Price per lecture 2,500 Rubles (about $75 USD)
  • Price per course 2,500 Rubles (about $75 USD) Both courses 4,000 Rubles (about $120 USD)

Anonymity and security course

Stressing the importance of avoiding detection and maintaining anonymity, this course teaches a fraudster the art of avoiding detection, and how to erase digital “fingerprints”. The tutoring vendor offers practical lessons in configuring a computer for complex security and anonymity features. This course includes a theoretical and a practical section, with a duration estimated at four hours. Anonymity Course Curriculum:

  • Configuring and using Anonymity tools – Antivirus and firewall, Windows security(ports and ‘holes’), virtual keyboards, shutting off browser logging, eliminating history/traces on the PC, applications for permanent data removal, data encryption on the hard drive, Anonymizer applications, VPN – installation/configuration, using SOCKS – where to buy them, hiding one’s DNS server, dedicated servers, TOR browsers, safe email mailboxes, using disposable email, using a cryptic self-destruct flash drive, creating cryptic self-destruct notes, extra advanced topic – tools for remotely liquidating a hard drive
  • Botnets – Independent study (online document/site link provided)
  • Using Chat Channels – Using ICQ, Skype, Jabber, registering Jabber on a safe server, OTR/GPG encryption in a Jabber chat, passing a key and chatting on a secure channel via Jabber
  • Legal – Electronic evidence one might be leaving behind, and that can be used against fraudsters by law enforcement
  • Price per course – 3,300 Rubles (about $99 USD) $35 – additional charge for installing VPN

Mule Herding Course Curriculum:

  • Theory section (2-3 hrs.) – Fundamentals – opening a mule-recruitment service, legal and practical security measures, finding accomplices and partners
  • Practical section (3-5 hrs.) – Receive a prepared transaction to handle, and earn 10% on this initial transaction (if one succeeds). If the student fails, a second transaction will be offered, at a cost of 1,500 Rubles ($45 USD) and no percentage earned.
  • Upon successful completion of the test, fraudsters receive official confirmation by public notice from the lecturer in the community. This part is only open to students who have completed the theory section, and have set up the anonymity and security tools and have the additional tools required for the transaction

One-on-one tutorials and consultations

With a money-back guarantee promised to students, one crime school offers personal one-on-one tutorials and problem solving sessions via Skype. Special tutorial topics:

  • Banking and Credit Cards – “Black and white” credit, fake documents, banking algorithms and security measures (Russian Federation only)
  • Debit Cards – The finer details of working with debit cards and setting up a service (Russian Federation only)
  • Registering and using Shell Corporations – Legal issues and practical problems in using Shell Corporations for fraud (Russian Federation only)
  • Legal Liability Issues – Your legal rights, practical advice on interaction with law enforcement agencies, counselling services even while under investigation (Russian Federation only)
  • Setting up Anonymity – Practical help in setting up anonymity, and answers to questions from the course (any country)
  • Price 2,000 Rubles (about $60) per hour

The school of carding

Approaching the subject that is highest in demand in the underground, vendors have opened schools for carding – teaching the different ways to use payment cards in fraud scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and indicates that he gives his personal attention to each student. The vendor also assures his students that his resources (compromised data) are fresh, personally tested by him, and never before made available on any ‘public’ lists.

School of Carding – Basic Curriculum:

  • Current Working BINs – Credit card BIN numbers that have been verified as successful in carding scenarios.
  • Websites for Clothing, Electronics, etc. – Which merchants make the best targets for carding?
  • Tips and Tricks – Extra insights from personal experience.
  • Price $25 USD

School of Carding – Advanced Curriculum

  • BINs and Banks – Recommended BIN numbers that give best results in carding
  • Tested sites – A list of tested e-commerce sites recommended for carding clothing, electronic goods, and more.

Phishing Attacks per Month

RSA identified 33,861 phishing attacks launched worldwide in August, marking a 25% decrease in attack volume from July. Based on this figure, it is estimated phishing resulted in an estimated $266 million in losses to global organizations in August.

US Bank Types Attacked

U.S. nationwide banks remained the most targeted with two out of three phishing attacks targeted at that sector in August while U.S. regional banks saw an 8% increase in phishing attacks.

Top Countries by Attack Volume

The U.S. remained the most targeted country in August with 50% of the total phishing volume, followed by the UK, Germany and India which collectively accounted for approximately 30% of phishing volume.

Top Countries by Attacked Brands

In August, 26% of phishing attacks were targeted at brands in the U.S., followed by the UK, Australia and India.

Top Hosting Countries

Four out of every ten phishing attacks were hosted in the U.S. in August. Canada, the Netherlands and the UK collectively hosted 25% of phishing attacks.

Previous 3 RSA Online Fraud Report Summaries

.

RSA’s July 2013 Online Fraud Report featuring the Carberp Trojan Code

RSA’s July 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan’s source code leak, we can expect a few things to happen following the incident. But before doing so, let’s review the events that followed the ZeuS leak in 2011.

An attempt to sell the ZeuS source code in an underground forum for, according to some estimates, as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase, and included Ice IX and Odin (both appearing in 2011), and most considerably, Citadel making its appearance in early 2012.

As opposed to Ice IX, that mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware’s functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, as well as provided numerous new plug-ins to boost the Trojan’s functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its “customers” a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing/upgrading existing bots with the malware.

Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel’s spokesperson – “Aquabox”, was banned from the only forum he was selling on (following a quarrel over customer support).

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

We’ll see a proliferation of Carberp-based attacks. While this is likely less probable, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale “as is,” with no further feature developments or bug fixes. To demonstrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing for would-be botmasters (or script kiddies). Not to mention the major weaknesses reported in the Carberp server-side, that make it “easier to hack than SpyEye” according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA’s Anti-Fraud Command Center (AFCC), this malware’s share is over 83% of all Trojan attacks and at very cheap prices, it would be surprising to see Carberp make a big impact in this strong market segment.

The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Development may continue in closed, private groups, which develop the software for their own criminal purposes.

RSA conclusion
There’s never a dull moment in cybercrime and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an “as-is” offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code, in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as those are made

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries’ brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada that hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Previous 3 months of RSA Online Fraud Report Summaries

The RSA June 2013 Online Fraud Report Summary

The RSA April 2013 Online Fraud Report Summary

The RSA March 2013 Online Fraud Report Summary

RSA’s April Online Fraud Report 2013, with a focus on the changes in Phishing tactics

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online.

In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one.

Another similar example is reflected in time-delayed attacks again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more making them more likely to check out a link they received via email that day.

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are: –Switching letters, as in bnak or bnk for “bank”, adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey” – Swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself. This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization.

RSA’s Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.

Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA March 2013 Online Fraud Report Summary here.
  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.

.

RSA’s March Online Fraud Report 2013, with a focus on Email and Identity takeover

RSA’s March 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user’s bank/card account. Financial institutions have all too often been the most targeted vertical with phishers setting their sights on monetary gain, followed by online retailers and social networks.

Most understand the purpose of targeting financial institutions, but online retailers and social networking sites? Why would a fraudster target them? In most cases, they use an email address to authenticate their users’ identities, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue. A typical user reuses the same password an average of six times, or the same password to access six different accounts.

Access Phishing campaigns have already been targeting webmail users for years now with campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the shape of OWA (Outlook Web Access) for business users.

Trojan operators followed suit and have not remained oblivious to the potential that lies in gaining control over victim identities through their email accounts. In fact, almost all Trojan configuration files contain triggers to webmail providers as well as to social networking sites. This is designed with the purpose of getting access in order to gain more information about potential victims in order to take over their online identities.

Since email accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. When it comes to online retailers and merchants, the email address is most often the username in the provider’s systems or databases. When it comes to bank accounts, the customer’s email is where communications and alerts are sent, and sometimes even serve as part of transaction verification.

Beyond the fact that email is part of customer identification and point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. Email takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user’s account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim.

Although some webmail providers use two-factor authentication for account password resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it simpler for criminals to access and sometimes attempt to reset access to accounts.

Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts.

Since email is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via email. Hence, if a cybercriminal is in control of the email account, they will also gain control over the user’s account with that merchant.

From there, the road to e-commerce fraud shortens considerably, either using that person’s financial information, or attaching a compromised credit card to that account without ever having to log into their bank account in order to access their money, and in that sense, email access equals money.

Another example is transportation companies, which are part of any online purchase and those who provide shipping service to companies as well as governmental offices. They also use email addresses as their users’ login identifiers and will reset the account via email.

A takeover of a user’s email account in this scenario will also mean takeover of that person’s/business’ service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don’t belong to them, and providing an easier route to reship stolen goods and even reroute existing orders.

Email account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with email account takeover (due to credentials theft or a password reset), is that users re-use passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account.

The second issue is that fraudsters will use victim email access for reconnaissance with that person’s choice of financial services providers, bank account types, card statements (paperless reports delivered via email), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more.

How Risky Is Email Account Takeover? Email account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations and is perhaps one of the least evident elements that can become a potential facilitator of online fraud scenarios.

Email addresses can serve as a “glue” that binds many parts of a person’s online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on eBay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook access email, where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies.

RSA’s Summary

Account hacks of this type happen all the time, and often make the headlines in the media. In some cases, there are a few hundred potential victims while in others, there are millions. The value of an email address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers.

The line that crosses between ease of access and user experience always passes very close to security redlines, but sometimes very slight modifications in the weight customer email accounts can have on overall account access can turn a fraud attempt into a failed fraud attempt.

Phishing Attacks per Month

In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers when looking at it from an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide bank brands were the prime target for phishing campaigns, with 69% of total phishing attacks, while regional banks saw an 8% increase in phishing attacks in February.

Top Countries by Attack Volume

The U.S. remained the country that suffered a majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February.

Top Countries by Attacked Brands

In February, U.S brands were targeted by 30% of phishing volume, continuing to remain the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and Canada were each respectively targeted by 4% of phishing volume.

Top Hosting Countries

In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. Other top hosting countries in February included Canada, Russia, Brazil and Chile.

See Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA February 2013 Online Fraud Report Summary here.
  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.

RSA’s February Online Fraud Report 2013 including an update on Phishing activity

RSA’s February 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA.

The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011. 

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year. 

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security. 

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one. 

Another similar example is reflected in time-delayed attacks – again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns. 

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees – spear phish Friday if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week’s emails and browse the Internet more – making them more likely to check out a link they received via email that day. 

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading.

The most common ways of doing this are:

  • Switching letters, as in bnak or bnk for “bank”
  • Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
  • Swapping visually similar letters 

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart. 

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing. 

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impairs their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers 

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but is it very limiting in terms of exposure to the phishing attack itself. 

This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web. 

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. 

A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you’ve got them all. Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly. 

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization. 

RSA Conclusion

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lay increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and always seeking the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns. 

Phishing Attacks per Month In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year. 

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

Top Countries by Attacked Brands

Brands in the U.S were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil. 

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA January 2013 Online Fraud Report Summary here.
  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.

.

RSA’s January Online Fraud Report 2013 including an excellent summary of Phishing in 2012

RSA’s January 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below.

The total number of phishing attacks launched in 2012 was 59% higher than 2011

It appears that phishing has been able to set yet another record year in attack volumes, with global losses from phishing estimated at $1.5 billion in 2012. This represents a 22% increase from 2011.

The estimated amount lost from phishing this year was affected by the industry median – the number of uptime hours per attack. The median dropped in 2012 (from 15.3 to 11.72 hours per attack, according to the Anti-Phishing Working Group), somewhat curbing the impact of losses overall. If attack medians had remained the same, estimated losses from phishing would have exceeded $2 billion.

There is no doubt phishing still continues to be a persistent threat to all organizations. The RSA Anti-Fraud Command Center is at the forefront of phishing attack shut down. To understand the magnitude of growth however, consider the following fact: at the end of 2011, RSA celebrated its 500,000th attack takedown; that number was achieved over seven years. In 2012 alone, RSA took down almost an additional 50% of that total volume!

The roster of countries most attacked by phishing throughout the year was not surprising; the same countries appeared on the shortlist of the most attacked, the UK, the U.S., Canada, Brazil and South Africa. In Latin America, Colombia and Brazil were the two most attacked countries.

There have been major increases in phishing attack volume in some countries, while slight declines were recorded for others. One of the most significant increases in 2012 phishing numbers occurred in Canada, where attacks increased nearly 400% in the first half of the year. There have been many speculations as to why the sharp increase, but the main reason is simply economics – fraudsters follow the money. With the Canadian and U.S. dollar being exchanged at nearly a 1:1 ratio, Canada has become as lucrative a target for cybercrime.

The list of top countries to have consistently hosted the most phishing attacks throughout 2012 remained nearly identical to 2011.

  1. U.S.
  2. UK
  3. Germany
  4. Brazil
  5. Canada
  6. France
  7. Russia
  8. Poland
  9. The Netherlands
  10. Japan

Phishing targets and tactics in 2012

The past year saw phishing diversify the top aims to include popular online retailers that were targeted via the usual web portals but also through the increasingly popular use of mobile apps for shopping. Other targets on phishers’ lists were airline companies, gaming platforms, mobile communication providers and webmail services.

It appears that malware writers are strong players in the world of phishing kit coding, responding to the demand in the underground and servicing phishers looking for off-the-shelf kit templates or custom written specialty kits. The top requests for phishing kit writers were, unsurprisingly, the login pages of U.S. based banks, credit card issuers and the dedicated login pages for business/corporate users of online banking/investments.

In terms of the tactics used by cybercriminals to launch their attacks, 2012 saw the use of rather simple hosting methods, mainly taking advantage of hijacked websites.

The most prominent trends noted came in the shape of using web shells and automated toolkits to hijack massive numbers of websites and smarter phishing kits containing custom plug-ins such as web-analytics tools. A proliferation of off-the-shelf codes written by black hat programmers, and the use of combined attack schemes to phish users and then redirect them to subsequent malware infection points were noted by RSA forensics analysts.

Global Phishing forecast for 2013

Phishing via Mobile The most prominent market trends relevant to the mobile channel have to do with the growth in mobile device usage in both our personal and work life and the pivotal role of mobile apps. RSA expects to see more phishing directed at mobile device users, particularly smartphones, as we move into 2013. Varying social engineering schemes will target users by voice (vishing), SMS (smishing), app-based phishing (rogue apps), as well as classic email spam that users will receive and open on their mobile devices.

Phishing via Apps Applications are the central resource for smartphone users, and that overall popularity of apps will become just as trendy with cybercriminals.

Nowadays, users download apps designed for just about any day-to-day activity, with the most prominent of those being gaming, social networking and shopping apps. To date, both Apple and Google have surpassed 25 billion app downloads each from their respective stores. In fact, according to research firm Gartner, this number will grow to over 185 billion by 2015.

In 2013 organizations will continue to aggressively tap into this growing market and respond by further moving products and services to this channel, delivering specialized small-screen adaptations for Web browsing, and developing native apps that supply mobile functionality and brand-based services to enable customers anywhere-anytime access.

Following user behavior trends (and money) in 2013, criminals will drive underground demand for threats and attack schemes designed for the mobile. Cybercriminals will focus on apps in order to deliver phishing, conceal malware, infect devices, and steal data and money from users of different mobile platforms.

Phishing via Social Media In 2008, slightly more than 20% of online users in the U.S. were members of a social network. That number has since more than doubled and stands at around 50% today.

Data collected last year from Fortune’s Global 100 revealed that more than 50% of companies said they have Twitter, Facebook, and YouTube accounts. Facebook membership, for example, has increased nearly 10 times since 2008, with over 7 billion unique visitors per month worldwide. Twitter shows that the number of members increased by a factor of five over the same period, boasting over 555 million regular users.

With the world turning into a smaller and more ‘social’ village than ever, cybercriminals are by no means staying behind. They follow the money, and so as user behavior changes, RSA expects cybercriminals to continue following their target audience (future victims) to the virtual hot-spots. According to a Microsoft research study, phishing via social networks in early 2010 was only used in 8.3% of attacks by the end of 2011 that number stood at 84.5% of the total. Phishing via social media steadily increased through 2012, jumping as much as 13.5% in one month considering Facebook alone.

Another factor affecting the success of phishing via social media is the vast popularity of social gaming; an activity that brought payments into the social platform. Users who pay for gaming will not find it suspicious when they are asked for credit card details and personal information on the social network of their choice.

Social media is definitely one way by which criminals get to their target audience, phishing them for access credentials (which are used for webmail at the very least and for more than one site in most cases), as well as stealing payment details they use online.

RSA’s Conclusion

Phishing attack numbers have been increasing annually, and although phishing is one of the oldest online scams, it seems that web users still fall for it which is why it still remains so popular with fraudsters.

With the heightened availability of kits, cybercriminals’ awareness of the latent potential in stolen credentials, and the enhanced quality of today’s attacks, the forecasted outlook for 2013 calls for yet another record year riddled with hundreds of thousands of phishing attacks worldwide.

As of January 1, 2013, the RSA Anti-Fraud Command Center has shut down more than 770,000 phishing attacks in more than 180 countries.

Phishing Attacks per Month

In December, RSA identified 29,581 attacks launched worldwide, marking a 29% decrease in attack volume from November, but a 40% increase year-over-year in comparison to December 2011.

The overall trend in attack numbers showed a steady rise in volume throughout the year, reaching an all-time high in July, with 59,406 attacks detected in a single month, 52% more than 2011’s peak of 38,970 attacks.

Number of Brands Attacked

In December, 257 brands were targeted in phishing attacks, marking a 10% decrease from November. Of the 257 targeted brands, 49% endured five attacks or less.

US Bank Types Attacked

U.S. nationwide banks continued to be the most targeted, absorbing 79% of total attack volume in December. It is not surprising that fraudsters prefer large financial institutions over smaller ones as the potential “victim rate” rises in conjunction with the size of the bank’s customer base. Moreover, information regarding security procedures at larger institutions can be more easily located in open-source searches.

Top Countries by Attack Volume

The U.S. was targeted by the majority of, or 46%, of total phishing volume in December. The UK accounted for 19% of attack volume, while India and Canada remained third and fourth with 8% and 5% of attack volume.

Top Countries by Attacked Brands

U.S. brands were the most targeted again in December, with 28% of total phishing attack volume, followed by UK brands which were targeted by 10% of attacks. Brands in Canada, Australia, India and Brazil were each targeted by 5% of phishing volume.

Top Hosting Countries

In December, the U.S. remained the top hosting country for phishers, hosting 53% of global phishing attacks. Germany and the UK were the second top hosting countries accounting for 5% of hosted attacks.

Previous 3 months of RSA Online Fraud Report Summaries:

  • The RSA December 2012 Online Fraud Report Summary here.
  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.

.

RSA’s October Online Fraud Report 2012 including summary of Phishing and Social Networking

In their October Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below

Following global trends in online threats, the RSA Anti-Fraud Command Centre continues to see large increases in phishing attacks. Looking back to the first half of 2012 and comparing it with the second half of 2011, RSA reported a 19% increase in global phishing attacks.

Not only is phishing still rampant, it is resulting in significant losses to global organizations.

RSA estimates that phishing cost organizations an estimated $2.1 billion in losses over the last 18 months

Phishing and the Social World

Just four years ago, slightly more than 20% of U.S. citizens were users of social networks. That number has since more than doubled and stands at around 50% today. Facebook membership alone has increased nearly 10 times since 2008 and Twitter shows that membership has increased by a factor of five over the same period.

With the world turning into a smaller and more ‘social’ village, fraudsters and blackhats are certain to join the party. Cybercrime follows the money, and as user behaviour shifts, fraudsters have been following their target audience (potential victims) to the virtual world’s hot spots. According to a research study by Microsoft, phishing via social networks in early 2010 was only used in 8.3% of all attacks by the end of 2011 that number stood at 84.5% of attacks delivered through social media.

What’s so great about phishing via social media?

Using social networks, people behave more socially and are less discriminating with messages or comments they receive on their profiles. With new user numbers soaring every year, phishers get to cast a very wide net. One phishing attack tailored for the look and feel of a single social network can effectively target a very large amount of people, resulting in less work for the fraudster to do and a better yield of potential victims.

With social media, a core component of a successful phishing attack is already built-in: Trust. Users ‘follow’ people they know or trust, they receive messages from people or services they are familiar with (emails from a site’s team for example, a group, a friend’s hijacked account, or comments containing poisoned links).

Rogue communications can sometimes be visually spotted, but most times they look good enough to have the recipient click and go to the phishing site or download a malicious piece of software. In cases where a social network makes heavy use of URL shorteners, telling a suspicious hyperlink before browsing to it is very difficult.

It only gets better (for Phishers)

Social networking sites are getting much better at knowing their users and leveraging that information for more targeted marketing and sales. One of the factors that help enhance the credibility factor in the ever-evolving social media platform is the emerging Freemium model.

Perhaps one of the most popular activities on some social networks is playing social games with other users. The games are free, but only until the user wants to really get ahead in the game or obtain special powers upgrades. This is where the payment prompt jumps in, suddenly making it okay to perform financial transactions through a platform like Facebook.

What does this mean for the user? It legitimizes using their credit card details on the social networking site.

What does this mean for Phishers? More ways to Phish, more data to steal (alongside all the other personal information already shared by users), more attacks and more successful phishing!

Another factor that has been encouraging phishing to come through social networks is enterprises going social. For example, banks that wish to market themselves using social media open user groups people can join, inadvertently providing phishers with a model to follow (not any different from online banking portals being imitated for phishing).

As with any online-borne threat, keeping a close watch on trends is essential to any organization serving customers via the Internet. This new and increasingly ‘social’ nature of delivering phishing attacks is a reflection of user behaviour, a factor that will always be the most significant driver for online crime trends.

Growing use of social networking is going to make phishing via that media more popular with time, and just further supporting the need for on-going and timely user-education and awareness campaigns to help consumers protect their online identities and accounts.

Phishing Attacks per Month

In September, RSA identified 35,440 phishing attacks launched worldwide, marking a 28% decrease from August. RSA data shows that the bulk of this decrease is a result of fewer phishing campaigns launched against a series of European financial institutions, which have accounted for significant spikes in attacks through the past few months.

Number of Brands Attacked

In September, 314 brands were targeted by phishing attacks, marking an 8% increase from August. Increases in the number of brands attacked suggests cybercriminals are casting wider nets at organizations that may not be as well protected or are less familiar with the threat.

US Bank Types Attacked

In the U.S. banking sector, nationwide bank brands witnessed a 10% increase in attacks, accounting for about three out of every four attacks in September. This is not surprising as phishers tend to seek a brand that is well-known and has multiple locations within a region, such as nationwide banks. In this case, there is a larger pool of potential victims and the chance of a spam recipient being an account holder of the targeted brand is much higher.

Top Countries by Attack Volume

Despite a 22% decline in attacks, the UK continues to be the country that endured the highest attack volume, marking the seventh consecutive month, with 47% of attack volume. In turn, Canada absorbed most of this with 17% of attack volume in September.

Top Hosting by Attacked Brands

In September, U.S. brands continued to be the most targeted by phishing, targeted by 29% of attack volume, followed by the UK and Australia.

Top Hosting Countries

In September, the U.S. continued to be the top hosting country for phishing attacks hosting 77% of attacks. Poland, the UK, Canada, and France accounted for hosting just over 10% of attacks in September.

Previous RSA Online Fraud Report Summaries:

  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

RSA’s September Online Fraud Report 2012 including a summary of rogue mobile apps

In their September Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below

Threats and risks in today’s mobile app marketplace

In terms of mobile security, some mobile application (app) platforms, such as Apple’s AppStore, are known to employ strict rules to which application developers are obliged to adhere.

Other mobile app platforms, such as Android’s Google Play, are more flexible with regards to mobile apps. While providing application developers with a programming platform that is optimized for convenience and ease-of-entry into the app marketplace, it is these very qualities that have made Android the most heavily targeted mobile operating system, with Android apps by far the most widely used vehicle for spreading mobile malware.

Apps are one of the driving forces behind today’s smartphone market. Their download to mobile phones makes them an attractive new attack vector for cybercriminals along with other mobile phone attributes: the shortened URL, low security awareness among users, and the ease of copying a mobile webpage’s layout for malicious purposes.

This risk extends to the corporate setting with companies increasingly adopting Bring- Your-Own-Device (BYOD) policies, in which employees’ devices double as platforms for both personal and work-related communications. Apps that intercept a mobile user’s email and phone communications for example, may gain access to corporate communications, as well.

Types of Rogue App Payloads

According to a research study on Android malware conducted by the Department of Computer Science at North Carolina State University, 86% of Android mobile-malware payloads are repackaged with legitimate apps and are not standalone, making their detection more difficult. The same study found that many others piggyback on genuine app updates to remain undetected.

The payloads these apps install after being downloaded to a device vary widely, and can include:

  • SMS Sniffers. Apps that covertly collect SMS text messages, including passwords sent to users’ handsets, and forward this information to a remote drop point. Some of these include other stealth features to avoid raising the user’s suspicion, for example, functionality that turns off the alarm sound when new text messages are received and hides all incoming messages
  • Premium dialers. Apps that install themselves on the user’s handset and start dialing phone numbers or sending dummy text messages to premium-rate service numbers. This type of operation requires the setup of a bogus merchant, along with a fraudulent merchant ID through which cybercriminals can collect funds unwittingly siphoned out of user’s accounts. Handset owners would only become aware of the scam when seeing their bill the following month
  • SEO enhancers. Apps that repeatedly access a certain website, or websites, to increase their rankings in search engine’s results
  • Ransomware. Apps that lock a user’s handset and demand payment from users in return for relinquishing control of the mobile device
  • Spyware. Apps that send the attacker or spy (via a remote drop point) information garnered from a victim’s device including GPS data, intercepted calls and text messages, and phone contacts
  • Botnet clients / Bridgeheads. Apps that communicate with a cybercriminal via a command & control (C&C) server. These may be used as infrastructure for further malware downloads, much like ready-made PC botnets whose infected systems await to download banker Trojans or other malware pushed from the C&C server. These payloads act as a bridgehead by giving the perpetrator an initial foothold on the compromised device. The payload opens a port on the device, and listens for new commands issued from the fraudster’s C&C point. Later on, an encrypted payload may be downloaded to the user’s device

Android apps and their exploitation

At the end of H2 2012, Google announced that the number of devices running Android has reached 400 million, representing 59% of the world’s smartphone market. And to date, Android’s open source code platform has led to the publication of over 600,000 mobile apps. Android’s source code is based on the Java programming language, and its ease of use and low publisher entry fee has made it the most widely targeted mobile platform by malware developers, and the most widely attacked by today’s Trojans. The increased risk for Android app users has already led several anti-virus companies to release AV software for Android-run devices.

A Secure Venue for Apps

The official venue for Android applications is called “Google Play” (formerly known as “Android Market”). By default, each handset running Android is configured to exclusively allow the installation of apps downloaded from Google Play, and to block installation of apps downloaded from any other venue. This is to ensure a minimal level of security.

Downloading apps from Google Play provides an extra security benefit to Android users, as the store provides a “Remote Application Removal” feature, which allows apps that are retrospectively identified by Google as being malicious to be removed from relevant users’ handsets.

Another important security feature added to Google Play is “Google Bouncer,” which scans new apps, acting as a gatekeeper to keep out those identified as malicious.

Despite Android’s default Google-Play-only settings, Android users can still choose to install apps from venues other than Google Play by manually changing their devices’ security settings. Aware of the security issues this may raise, Android users are presented with a warning message when selecting this option.

Android App Permissions

As a second security measure, prior to the installation of an Android app on most Android-based OSs, the app requests certain system permissions, all which have to be approved before the app can be installed on the device. Whereas legitimate apps normally request only one or two permissions, rogue apps are known to request a long list of permissions before installing themselves.

Currently, this is the main security obstacle for rogue Android apps, which some Trojan coders have managed to bypass through socially engineered schemes. For example, RSA has previously detected a mobile-malware app (SMS sniffer), which presented itself as security software. The app requested nine different permissions, including permission to boot the handset, change system settings, and send text messages. Unsurprisingly, the app was offered from a standalone domain not affiliated with any app store.

RSA’s Conclusion

Today, the payload app may remain on a device even after the host app (with which it was downloaded) has been removed. This makes initial detection and removal of the app from the app store that proffers it even more crucial.

As with PC-based malware, educating consumers to raise awareness of today’s mobile threats and urging them to take precautions against rogue apps, will be of paramount importance to mitigating mobile threats in years to come.

Phishing Attacks per Month

In August, 49,488 unique phishing attacks were identified by RSA, marking a 17% decrease from July. The bulk of this decrease is a result of fewer phishing campaigns launched against European financial institutions which have accounted for significant spikes in recent months.

Number of Brands Attacked

In August, 290 brands were subject to phishing attacks, marking a 20% increase from July. This considerable increase shows that cybercriminals are expanding their phishing targets wider, to new organizations and new industries not targeted in recent months. More than half of the brands affected by phishing in August were targeted by more than five phishing attacks.

US Bank Types Attacked

In the U.S. financial sector, nationwide banks experienced a 7% decrease in phishing attacks. However, brands in this segment continue to be most targeted by phishing attacks, hit by two out of every three attacks in August.

Top Countries by Attack Volume

In August, the UK continued to get hit by the majority of worldwide phishing attack volume for the sixth consecutive month, accounting for about 70% of all global phishing volume. The U.S. and Canada continued to remain second and third on the list.

Top Countries by Attacked Brands

In August, the U.S., UK and Australia were the top three countries whose brands were most affected by phishing, targeted by 45% of global phishing attacks during the month.

Top Hosting Countries

The U.S. hosted the vast majority of phishing attacks in August with 80%, followed by Canada, the UK and Germany.

Previous RSA Online Fraud Report Summaries:

  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

RSA’s August Online Fraud Report 2012 including a summary of Fraud as a Service (FaaS)

In their August Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below.

A five-year retrospect on Fraud as a Service (FaaS) reveals that the types of services sold today have changed very little; the more noticeable changes came in the shape of scalability, service relevancy, higher availability, better deals, customer support and buyer guarantees.

Underground criminals buy and sell goods and services around the clock. The fact that these markets operate online eliminates borders and physical distance, allowing people from different parts of the world to wheel-and-deal and to partner-up in the orchestration of fraud cash-out cycles without ever meeting or speaking on the phone.

What do they sell?

For phishing – scam pages, complex phishing kits and custom kit plugins, spamming services, email databases, junk traffic, SEO poisoning, email cracking tools, spam software, and SMS spoofers, to name a few. After the attacker gathers the spoils, fraudsters can opt to buy the already-harvested databases of phishing attacks or purchase unitary ‘logins’ in an online shop selling compromised data.

For botmasters –  Trojan-related facilitators exploit kits, malware spam, botnets, Trojan kits, HTML injections, customized malicious code, encryption services, bulletproof hosting, pay-per-installs/affiliate infection schemes, plugins, set-up and tech support.

Hardly ever does one fraudster take on the complete fraud cycle; rather, fraudsters opt to partner with more experienced criminals or offer up their own expertise (such as performing in-store pick up of goods obtained with stolen credit card data). Much like real-world crime, each actor ‘gets his hands dirty’ to different extents. Bottom line – the fraudulent transaction is turned into cash in different ways and the profits are shared among those involved.

Those who don’t have any trustworthy connections in the world of fraud find and use transfer and cash-out services. Money mule, cash-out services and Item-drop mules have become ever so popular, that some vendors have already automated them for those who attempt the bulk of transactions each day bot herders and ‘carders’.

Almost all busy criminals today connect with a mule repository operator and have their fraudulent transactions go through the vendor’s mules, receiving a cut of each successful transaction as per a mutual agreement. Some cases of mule-repositories are part of the fraud cycle of one gang.

Recent underground fraud services:-

Hire a “Man-in-the-Middle”

One of the more interesting recent FaaS offers was found in an underground forum, posted by a Russian-speaking member offering his infrastructure for very temporary hire, alongside his own services as a man-in-the-middle facilitator. The botmaster had a few perks for customers who wish to attempt Trojan attacks without having to set up anything whatsoever:

  • Rent the infrastructure – gain access to infected bots
  • Pay to target and harvest – send over a trigger and a Trojan injection and those will be pushed to existing infected bots on the botnet (through a Trojan configuration file update)
  • Pay to attack – the botmaster will facilitate fraudulent transaction attempts using his Trojan’s remote administration access to bots

Buy a Botnet

The vendor behind this offer was also working in collaboration with other cybercriminals, each offering a related service a bot herder would need for the set up and operation of a botnet.

Automated Customer Support

In the recent past, Trojan developers only offered support via live chat using instant messaging services (Jabber, ICQ). A developer could only support a limited number of chats until the burden of supporting his customers became too great and support deteriorated or stopped altogether.

Trojan developers did understand the substantial need for customer/technical support and took pains to find new ways to preserve their customer base. To get an idea about just how ‘real’ customer support has become, take a quick look at this SpyEye vendor’s page. Notice the headers on the page; much like legitimate software companies – they direct users to an FAQ page, an “About SpyEye” section, and provide a detailed web form that can be sent directly to the vendor’s alleged support team, automating the process.

Many of today’s fraud service vendors put strong emphasis on supporting their buyers, offering guarantees and assistance, from the exchange of faulty or invalid cards and access credentials, all the way to providing set-up, tutorials, and tech support to those who have to operate on going online fraud operations (botnets, CC shops, exploits etc.).

One cannot mention excellent cybercrime customer support today without “Citadel” coming to mind. The team developing the Citadel Trojan has long established itself as the new go-to crimeware vendor, well on their way to inheriting the Zeus Trojan market share they built upon. The most unique feature this team offers to botmasters using Citadel is a clever CRM model that supports, tickets, listens and advises members on how to set up and operate their Trojans. The CRM is not optional! All botmasters must join it and pay a fixed monthly fee for their membership.

RSA’s conclusion

A better cybercrime marketplace, much like organized crime in the physical world, increasingly affects the world’s economy by the sheer amounts of money it taxes it every year. The worst part about this dark economy is its faceless, covert nature and thus the hardship in quantifying and understanding the extent of its damage.

Stronger crime economies are a burden on the legitimate economy in hard costs but do not stop there. This large scale clandestine operation also affects crime statistics and touches real-life aspects of law enforcement and the legal system. Due to cybercrime’s global, scattered nature, fighting it often requires internationally coordinated investigations and arrests, further taxing the resources of each nation touched by digital crimes.

Phishing Attacks per Month

Phishing attacks in July increased 14% from June, marking yet another high of 59,406 attacks in a single month. In examining an overall spike in attacks, the bulk of last month’s increase can be attributed to highly targeted phishing campaigns launched against a series of financial institutions in Europe.

Number of Brands Attacked

In July, a total of 242 brands were targeted with phishing attacks, marking a 7% drop from June. As compared to July 2011, last month’s list of phishing targets demonstrates a 25% year-over-year drop in the number of targeted brands.

US Bank Types Attacked

There was very little change in how the U.S. banking sector was targeted by phishing in July. Nationwide banks still continue to be targeted by about three out of every four phishing attacks. This reflects the tendency of cybercriminals to attack larger financial institutions.

Top Countries by Attack Volume

For the fifth consecutive month, the UK was targeted by the highest volume of phishing attacks, followed by the U.S. and Canada. The UK endured 70% of worldwide attacks, its highest portion ever.

Top Countries by Attacked Brands

Although the UK was targeted by 70% of phishing volume in July, the U.S. continues to be the country with the greatest number of targeted brands. Brands in the U.K., Brazil, India, and Australia collectively were targeted by 27% of attacks in July.

Top Hosting Countries

The U.S. hosted 79% of worldwide phishing attacks last month, its highest portion to date according to the RSA Anti-Fraud Command Center. Canada, the UK and Germany accounted for hosting an additional 10% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: