Brian Pennington

A blog about Cyber Security & Compliance


RSA The Security Division of EMC

RSA’s November Online Fraud Report 2012 including advice on avoiding fraud

RSA’s November Online Fraud Report delivers the results from RSA’s fraud monitoring centre; a summary of the report is below.

In 2011, RSA’s e-commerce authentication technology was used by many of the top card issuers around the globe to protect nearly half a billion e-commerce transactions. Their statistics for 2011 (2012 will be posted when available) are:

  • Over the course of 2011, 7% of all e-commerce transactions were identified as fraudulent, an increase of 2% in 2010
  • During the 2011 holiday shopping season (November 1 – December 31), U.S. consumers spent over $1.4 billion online, an increase of 18% from 2010
  • Identified fraudulent transactions during this same time totaled more than $82 million, an increase of 219% from 2010. Cyber Monday accounted for $2.5 million
  • Top online retailers based on e-commerce transaction volume and amounts in 2011 included three major airlines
  • The top five cities where e-commerce fraud originated over the holiday season include New York, Los Angeles, Chicago, Washington DC and Houston

Fraud is always lurking around every corner, but is especially prolific at this time of year with so many people shopping online. Consumers can follow some very simple tips to stay safe online:

  • Tune up defenses for ALL devices. Just like you would tune up your car before driving to visit relatives during the holidays, you should ensure that any device you plan to shop with (computers, tablets, smartphones and even gaming systems) gets a tune up with the latest browsers and security patches.
  • Shop with retailers that take security seriously. Before entering any personal or payment information, you should look for the closed padlock on your web browser’s address bar and ensure the web address starts with “https” – the “s” standing for secure. Also, look for protection beyond just passwords. For example, many merchants now support the Verified by Visa / MasterCard SecureCode standards which will provide you with additional security. Finally, always make sure there is a phone number or physical address for the merchant in case there is an issue with your purchase.
  • Avoid advertisements, coupons or deals that seem too good to be true. Fraudsters use many scams to try to direct you to a malicious website to download a Trojan onto your computer.
  • Be on the lookout for phishing emails. Fraudsters will be launching countless phishing attacks this time of year trying to secure your payment account information, so be on high alert. When the emails start coming in with subject lines screaming “Account Alert” or “Reactivate your account” and making claims such as “invalid login attempts into your account online from an unknown IP address have been identified,” ensure you delete them right away.

Phishing Attacks per Month

In October, RSA identified 33,768 unique phishing attacks launched worldwide, a 5% decrease from September. While attack volume has been decreasing over the last three months, total phishing attack numbers for the second half of 2012 already represent a 9% increase over first half numbers with November and December still to go.

Number of Brands Attacked

In October, 269 brands were subject to phishing attacks, marking a 14% decrease from September. A decrease in the number of targeted brands is likely the result of an increased focus of attacks on several familiar brands.

US Bank Types Attacked

Nationwide banks in the U.S. experienced a slight decline in attacks, down 3%, while U.S. credit unions saw a 5% increase in phishing attacks in October.

Top Countries by Attack Volume

In October, the U.K. continued to be the country targeted by the highest volume of phishing, with a total of 34%, despite a 14% drop from September’s number. Canada and the U.S. together were targeted by 51% of phishing volume in October. South Africa made a surprising appearance in October, targeted by 4% of phishing volume throughout the month.

Top Countries by Attacked Brands

In October, U.S. brands were targeted the most by phishing, representing 34% of targeted brands, followed by brands in the UK (12%), and Australia and Canada (both 6%).

Top Hosting Countries

The U.S. continued to host the majority of phishing attacks in October – with three out of every four attacks during the month being hosted in the U.S. Other top hosting countries in October included the UK, Germany, and Canada.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


RSA’s August Online Fraud Report

Below is a summary of RSA Security’s August 2011 Fraud Report

“Your package has arrived,” screamed the email header which landed in the email inbox of countless business professionals around the world. Open it up, and you will find information about a fictitious UPS or FedEx shipment scheduled to arrive.

Simply click on the link or the attachment to track the details and you will get served up with the latest version of the SpyEye Trojan on your computer – and most likely without even knowing it.

This is just one of many spear phishing email attacks targeted at organizations and their employees on a daily basis. In fact, phishing emails are landing in corporate inboxes around the world. In a recent study, 45% of employees stated they had received a phishing email at work. Most often, these attacks are launched by financially motivated criminals that target finance or accounting departments in an attempt to get access to business banking accounts via a Trojan. Yet, most of these malware strains are capable of doing a lot more. For example, one plug-in being developed in the underground today features an Outlook grabber that will allow criminals to steal emails directly from the infected user’s inbox.


Identification and analysis of a Trojan is the first critical step in the attack shutdown process. Once a malware strain has been analyzed and deemed malicious, the appropriate steps should be taken to initiate blocking or shutdown of identified infection, drop and update points. The malware associated with this particular attack was confirmed to be the SpyEye Trojan and contained advanced man-in-the-browser functionality. The Trojan contained a list of trigger URLs targeting over 200 organizations as well as automated cashout capabilities to mule accounts.

By blocking access to Trojan resources, the risk to organizations is greatly reduced. Blocked infection points reduce the chances of additional victims getting infected. Blocked update points decrease the chances of infected victims being redirected to new, updated locations. Blocked drop points effectively prevent any victims who might already be infected from transmitting information to a criminal.

Shutdown of Trojan communication resources is more complicated, however. Issues such as foreign working hours, foreign holidays and language barriers must be taken into consideration. In addition, malware is much less “visible” than phishing and more complicated due to the thousands of variants that exist. Before shutdown can begin, there are several factors to consider, such as the ability to recover credentials and evolution of the malware itself.

Credential recovery and forensics is especially key in attempting to extract additional valuable information such as lists of compromised personal information, as well as counts of submitted information, the IP address of victims, the malware binaries and more. Recovery and forensics is also important for working with the law enforcement community. Due to a lack of resources, some law enforcement agencies may not handle a case without proof that it is big enough to potentially harm a large number of victims. In this particular attack, shutdown was performed for the infection, update and drop points.

To date, RSA has shut down over 450,000 phishing attacks and 80,000 Trojan attacks on behalf of customers worldwide.

Phishing Attacks per Month

Phishing attacks identified by RSA hit a new record high of 25,191 in July. The AFCC has witnessed an overall increase in phishing attacks over the past few months. This increase can be partially attributed to repeated attacks on a group of large financial institutions, which have been heavily targeted recently. Hijacked websites remain the most commonly used method of hosting phishing attacks.

Number of Brands Attacked

Last month, the number of brands attacked decreased by eight percent, dropping from 349 in June to 321 in July. In addition, 13 brands encountered their first phishing attack last month.

U.S. Bank Types Attacked

The portion of nationwide U.S. banks targeted by phishing dropped by two percent in July, yet this sector still remains as the most highly targeted by cybercriminals. Nationwide banks are likely considered more lucrative by phishers as their customer base is widely dispersed. Since most phishing attacks are distributed via massive spam mailing lists that are not region-specific, the probability of a spam recipient being a consumer of a nationwide brand is likely to be higher.

Top Hosting Countries

The U.S. hosted 53 percent of worldwide attacks in July while Canada and Germany each hosted five percent and the UK hosted four percent.

Top Countries by Attack Volume

The U.S. and the UK remain the countries targeted by the largest volume of attacks – accounting for over 75 percent of attacks in July. Interestingly, Brazil was one of the top three countries targeted by phishing in July – experiencing 5 percent of the attack volume last month.

Top Countries by Attacked Brands

The top 10 countries by attacked brands stayed the same in July. Brands in the U.S. and UK are still most preferred by cybercriminals, accounting for over 40 percent of targeted brands last month followed by Italy, Australia, Brazil, Canada, and India.

The full report can be found here.

RSA’s June Online Fraud Report

Below is a summary of RSA Security’s June 2011 Fraud Report.

RSA recently analyzed one local pharming Trojan which they found to be a highly sophisticated piece of malware that goes as far as installing a driver to achieve its intended goal of stealing information. This is the first local pharming Trojan observed by RSA to even have a driver.

In fact, the Trojan has been widely reported to be the first rootkit ever designed to specifically infect 64-bit operating systems. However, the Trojan does not in fact install a rootkit; rather it installs a plainly visible malicious driver. Since rootkits by definition hide their very existence from the user, this driver cannot be classified as such. Any victim infected with this Trojan, dubbed Rootkit.Win32.Banker.dy (on 32-bit systems) or Rootkit.Win64.Banker.a (on 64-bit systems) will be able to see it in plain view on the currently-loaded driver list.

This particular Trojan was targeted at online banking consumers in Brazil, as it changes the hosts file settings for a handful of Brazilian banks.
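
Because local pharming works by pinning bank hostnames in the hosts file, an endpoint check can flag any entry for a watched domain. The script below is an added example, not part of the RSA report or the original post; the watched domains and the sample hosts file are constructed placeholders.

```python
import ipaddress

# Hypothetical watch list: domains that should always resolve via DNS,
# never through a local hosts entry. Replace with your own institutions.
WATCHED_SUFFIXES = ("banco-exemplo.example", "bank.example")

# Constructed sample of a tampered hosts file (not taken from the report).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.banco-exemplo.example banco-exemplo.example  # injected
203.0.113.45    internetbanking.bank.example
0.0.0.0         ads.tracker.example
192.168.1.10    fileserver.corp.example
not-an-ip       www.bank.example
"""


def parse_hosts(text):
    """Yield (line_no, address_text, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        fields = line.split()
        if len(fields) < 2:  # blank, comment-only or incomplete line
            continue
        yield line_no, fields[0], [h.lower().rstrip(".") for h in fields[1:]]


def is_watched(host):
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text):
    """Return (line_no, address, watched_hosts, reason) for suspicious entries."""
    findings = []
    for line_no, ip_text, hosts in parse_hosts(text):
        watched = [h for h in hosts if is_watched(h)]
        if not watched:
            continue
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((line_no, ip_text, watched, "malformed address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "watched domain sinkholed locally"
        else:
            reason = "watched domain pinned to fixed address"
        findings.append((line_no, ip_text, watched, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real Windows endpoint the input would be the contents of `%SystemRoot%\System32\drivers\etc\hosts`, read with the file's actual encoding.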

Phishing Attacks per Month

May 2011 marked a surprising 33 percent increase in the number of global phishing attacks identified by RSA – and a record for the most unique attacks identified in a single month. About four out of five phishing attacks in May were launched using hijacked websites.

Number of Brands Attacked

The increase in phishing attack numbers was not the only substantial change observed in May. RSA witnessed a 25 percent increase in the number of attacked brands, suggesting criminals went after a wider variety of brands rather than consistently attacking the same brands. When compared year-over-year (May 2010), there was a 69 percent increase in the number of attacked brands.

Segmentation of Financial Institutions Attacked Within the U.S.

Nationwide banks in the U.S. accounted for 3 out of 4 phishing attacks in May. The portion of phishing attacks targeting U.S. credit unions dropped three percent as did the portion of attacks against regional U.S. banks, decreasing from 22 percent in April to just 12 percent in May.

Top Ten Hosting Countries

Since January 2010, the U.S. has been the top hosting country for phishing attacks, hosting 66 percent of all phishing attacks in May. In the last year, the countries that have consistently hosted the highest portion of phishing attacks have been the U.S., UK, Canada, Germany, France, Russia, and South Korea.

Top Ten Countries by Attack Volume

The US, UK, South Africa and India remained the top four countries targeted with the most volume of phishing attacks in May. Malaysia, which appeared on the chart in April, was replaced by Colombia in May. In the last year, the U.S., UK, South Africa, Canada, the Netherlands, and Italy are the top countries that have consistently endured the highest volume of phishing attacks.

Top Ten Countries by Attacked Brands

The main change in May was Ireland being replaced by Brazil in terms of the Top Ten countries whose brands were most targeted by phishing. Brands in the U.S., UK, India, and Australia continue to endure the majority of targeted phishing attacks.

The full report can be found here.


EMC Has a Good Idea of Who Was Behind RSA Breach

On 30 June, Reuters published a very interesting interview with Jeremy Burton, the Chief Marketing Officer of RSA/EMC. The interview as published by Reuters is below.

Reuters 30/6/11 Data storage firm EMC has a good idea of who was behind an attack on its RSA security division that may have compromised SecurID keys used by 40 million employees of governments and corporations worldwide.

But Chief Marketing Officer Jeremy Burton said on Thursday the identity of the hacker or hackers was less important than what measures companies could take to defend against such attacks, and declined to name the suspected party.

“We’ve got an idea although we can’t pin it on Joe Brown from such and such. We’ve got a very good idea because of the nature of the attack but actually that’s not even that important,” he told Reuters in an interview in London.

RSA disclosed in March that hackers had stolen information that could be used to reduce the effectiveness of SecurID tokens in keeping intruders from accessing corporate networks.

It has said it believes the attackers were more interested in intellectual property than in financial gain.

SecurIDs are widely used electronic keys to computer systems designed to thwart hackers by requiring two passcodes: one fixed PIN and another six-digit number that is automatically generated, typically every 60 seconds, by the security system.

Burton reiterated that EMC was working hard to rebuild the trust of its customers in the RSA brand. “Basically, since March, we’ve been doing nothing but doing one on one sessions.”

“Where we’re at right now with our customer base is making sure that the guys who have asked for token replacement get one in a timely fashion and we’ve ramped up the manufacturing to be able to cope with that,” he said.

RSA’s reputation took a second hit after the initial disclosure of the breach in March last when hackers used technology stolen from RSA to attack defence contractor Lockheed Martin last month.

EMC has since offered to replace millions of potentially compromised SecurID electronic keys.

Burton said the company intended to ramp production of RSA tokens into the millions per month from a baseline rate of a few hundred thousand. He could not predict for how many months the increased production might continue.

EMC said last quarter its RSA margins had fallen to 54.1 percent from 67.6 percent a year earlier for costs associated with the security breach.

“If there are more costs and we need to take another charge in the name of customer satisfaction, we will,” Burton said.

EMC’s chief financial officer said in April that growth in the RSA business would slow in the short term.

RSA is small in terms of EMC’s revenue, last year accounting for $730 million (454 million pounds), or 4 percent, of its $17 billion in sales.

Yet it is a high-profile asset whose technology EMC has used to secure the company’s other products, including its software and data storage equipment.

Companies that sell alternatives to RSA’s SecurIDs, such as Symantec and Vasco Data Security International, have leapt on the opportunity to win customers.

Burton said he was not aware of any other customers beyond Lockheed Martin who had suffered cyber attacks as a result of the RSA security breach.

Reprint of Reuters Page which can be found here.


eCrime Trends Report Q1 2011 – Phishing Up – Rustock Down

Internet Identity (IID) has released their eCrime Trends Report: First Quarter 2011.

The report is a summary of statistics and news items from this year’s first quarter and serves as a useful reminder of how regularly breaches occur and how easy it is to forget about the last big breach.

Every month seems to bring another record for the largest breach: Epsilon was usurped by Sony; who will be next? This is why quarterly reviews are so important.

The highlights of the IID report are below:

IT security firms in the cybercrime crosshairs

  • Breach of HBGary Federal reveals vulnerability of the extended enterprise
  • Internal emails exposed information about partners and clients
  • RSA Security breach

Notorious Rustock botnet goes offline

  • Microsoft and law enforcement cooperate in unprecedented action to shut down and confiscate criminal servers
  • Significant reduction in spam noted worldwide

Phishing attacks

  • National banks saw increase of 11% over Q4 2010
  • Banks outside the U.S. increased most dramatically
  • Recent database breaches could lead to increased spear phishing in the coming quarter
  • Compared to Q4 2010, Phish targeting larger, national banks increased 11%. Much of the growth was seen in non-US based banks, which took three of the top five spots among banks
  • Phishing in Q1 2011 grew 12% over Q1 2010.

Parts of the Internet went dark in Q1 for a variety of reasons

  • Egyptian ISPs ordered to shut down following Internet-led protests
  • seizure by DHS temporarily suspended 80,000 subdomains
  • Rabobank blackholed its own DNS records in an attempt to combat DDoS attack

“As we’ve seen with recent attacks against Sony’s PlayStation Network and Epsilon, cyber criminals now have inside information about tens of millions of customers to use in highly targeted phishing campaigns,” said IID President and CTO Rod Rasmussen.

“The worry is that with all of this specific data, cyber criminals have all they need to convince people to share their highly valuable personal information. Organizations must ensure they are taking every measure to stop these attacks, including blocking access to phishing sites and command and control domains for malware that exfiltrates data. This should be done with e-mail filtering, firewalls and secure domain name system resolvers.” 

Read the full report here.

