Brian Pennington

A blog about Cyber Security & Compliance



RSA’s June Online Fraud Report

Below is a summary of RSA Security’s June 2011 Fraud Report.

RSA recently analyzed one local pharming Trojan which they found to be a highly sophisticated piece of malware that goes as far as installing a driver to achieve its intended goal of stealing information. This is the first local pharming Trojan observed by RSA to even have a driver.

In fact, the Trojan has been widely reported to be the first rootkit ever designed to specifically infect 64-bit operating systems. However, the Trojan does not in fact install a rootkit; rather, it installs a plainly visible malicious driver. Since rootkits by definition hide their very existence from the user, this driver cannot be classified as such. Any victim infected with this Trojan, dubbed Rootkit.Win32.Banker.dy (on 32-bit systems) or Rootkit.Win64.Banker.a (on 64-bit systems), will be able to see it in plain view on the currently-loaded driver list.

This particular Trojan was targeted at online banking consumers in Brazil, as it changes the hosts file settings for a handful of Brazilian banks.

Phishing Attacks per Month

May 2011 marked a surprising 33 percent increase in the number of global phishing attacks identified by RSA – and a record for the most unique attacks identified in a single month. About four out of five phishing attacks in May were launched using hijacked websites.

Number of Brands Attacked

The increase in phishing attack numbers was not the only substantial change observed in May. RSA witnessed a 25 percent increase in the number of attacked brands, suggesting criminals went after a wider variety of brands rather than consistently attacking the same brands. When compared year-over-year (May 2010), there was a 69 percent increase in the number of attacked brands.

Segmentation of Financial Institutions Attacked Within the U.S.

Nationwide banks in the U.S. accounted for 3 out of 4 phishing attacks in May. The portion of phishing attacks targeting U.S. credit unions dropped three percent as did the portion of attacks against regional U.S. banks, decreasing from 22 percent in April to just 12 percent in May.

Top Ten Hosting Countries

Since January 2010, the U.S. has been the top hosting country for phishing attacks, hosting 66 percent of all phishing attacks in May. In the last year, the countries that have consistently hosted the highest portion of phishing attacks have been the U.S., UK, Canada, Germany, France, Russia, and South Korea.

Top Ten Countries by Attack Volume

The US, UK, South Africa and India remained the top four countries targeted with the most volume of phishing attacks in May. Malaysia, which appeared on the chart in April, was replaced by Colombia in May. In the last year, the U.S., UK, South Africa, Canada, the Netherlands, and Italy are the top countries that have consistently endured the highest volume of phishing attacks.

Top Ten Countries by Attacked Brands

The main change in May was Ireland being replaced by Brazil in terms of the Top Ten countries whose brands were most targeted by phishing. Brands in the U.S., UK, India, and Australia continue to endure the majority of targeted phishing attacks.

The full report can be found here.


EMC Has a Good Idea of Who Was Behind RSA Breach


On 30 June, Reuters published a very interesting interview with Jeremy Burton, the Chief Marketing Officer of RSA/EMC. The interview as published by Reuters is below.

Reuters 30/6/11 Data storage firm EMC has a good idea of who was behind an attack on its RSA security division that may have compromised SecurID keys used by 40 million employees of governments and corporations worldwide.

But Chief Marketing Officer Jeremy Burton said on Thursday the identity of the hacker or hackers was less important than what measures companies could take to defend against such attacks, and declined to name the suspected party.

“We’ve got an idea although we can’t pin it on Joe Brown from such and such. We’ve got a very good idea because of the nature of the attack but actually that’s not even that important,” he told Reuters in an interview in London.

RSA disclosed in March that hackers had stolen information that could be used to reduce the effectiveness of SecurID tokens in keeping intruders from accessing corporate networks.

It has said it believes the attackers were more interested in intellectual property than in financial gain.

SecurIDs are widely used electronic keys to computer systems designed to thwart hackers by requiring two passcodes: one fixed PIN and another six-digit number that is automatically generated, typically every 60 seconds, by the security system.

Burton reiterated that EMC was working hard to rebuild the trust of its customers in the RSA brand. “Basically, since March, we’ve been doing nothing but doing one on one sessions.”

“Where we’re at right now with our customer base is making sure that the guys who have asked for token replacement get one in a timely fashion and we’ve ramped up the manufacturing to be able to cope with that,” he said.

RSA’s reputation took a second hit after the initial disclosure of the breach in March last when hackers used technology stolen from RSA to attack defence contractor Lockheed Martin last month.

EMC has since offered to replace millions of potentially compromised SecurID electronic keys.

Burton said the company intended to ramp production of RSA tokens into the millions per month from a baseline rate of a few hundred thousand. He could not predict for how many months the increased production might continue.

EMC said last quarter its RSA margins had fallen to 54.1 percent from 67.6 percent a year earlier for costs associated with the security breach.

“If there are more costs and we need to take another charge in the name of customer satisfaction, we will,” Burton said.

EMC’s chief financial officer said in April that growth in the RSA business would slow in the short term.

RSA is small in terms of EMC’s revenue, last year accounting for $730 million (454 million pounds), or 4 percent, of its $17 billion in sales.

Yet it is a high-profile asset whose technology EMC has used to secure the company’s other products, including its software and data storage equipment.

Companies that sell alternatives to RSA’s SecurIDs, such as Symantec and Vasco Data Security International, have leapt on the opportunity to win customers.

Burton said he was not aware of any other customers beyond Lockheed Martin who had suffered cyber attacks as a result of the RSA security breach.

Reprint of Reuters Page which can be found here.

