Brian Pennington

A blog about Cyber Security & Compliance


Zeus Trojan

RSA’s July 2013 Online Fraud Report featuring the Carberp Trojan Code

RSA’s July 2013 Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of the report is below

Be it internal disagreements within the Carberp team, or law enforcement pressure following the arrests in 2012, the Carberp cyber gang members have disbanded, leaving their Trojan code publicly available following a failed attempt to sell it. Reminiscent of the ZeuS Trojan’s source code leak, we can expect a few things to happen following the incident. But before doing so, let’s review the events that followed the ZeuS leak in 2011.

An attempt to sell the ZeuS source code in an underground forum for, according to some estimates, as high as $100,000 started in early 2011. Following the failed sale, Slavik, the developer of ZeuS, handed over the code to a cyber rival, Gribodemon, the notorious SpyEye developer. The underground, abuzz with the news, keenly awaited the release of a merged, mighty SpyEye-ZeuS variant. Before one could be released, the ZeuS code was leaked and made publicly available.

As predicted by many, different offspring began appearing, built on top of the ZeuS v2.0.8.9 codebase, and included Ice IX and Odin (both appearing in 2011), and most considerably, Citadel making its appearance in early 2012.

As opposed to Ice IX, that mainly fixed bugs in the ZeuS code, Citadel was a major leap forward in terms of the malware’s functionality. Citadel not only repaired bugs in ZeuS, but deployed clever security measures to protect the malware and its infrastructure, as well as provided numerous new plug-ins to boost the Trojan’s functionality. In terms of a Fraud-as-a-Service (FaaS) business offering, Citadel became a lucrative commercial operation, offering its “customers” a CRM, paid tech support and constant version updates. In fact, Citadel was so successful that botmasters started replacing/upgrading existing bots with the malware.

Starting in mid-2012, RSA researchers began noticing the slow demise of commercial Trojan offerings. In April, the Ice IX business shut down with the disappearance of its developer; SpyEye then made its exit in May; and in a surprising turn of events, Citadel’s spokesperson – “Aquabox”, was banned from the only forum he was selling on (following a quarrel over customer support).

So, if history repeats itself, what are we to expect? With the above in mind, the following may transpire:

We’ll see a proliferation of Carberp-based attacks. While this is likely less probable, the leak could spawn an entire business of low-level developers recompiling Carberp and offering it for sale “as is,” with no further feature developments or bug fixes. To demonstrate, the ZeuS code that once sold for $3,000 to $5,000 is now readily available for as low as $11 in the underground. In terms of Trojan operation and feature set, Carberp is far more complex than ZeuS and less organized for the untrained cybercriminal, making it less appealing for would-be botmasters (or script kiddies). Not to mention the major weaknesses reported in the Carberp server-side, that make it “easier to hack than SpyEye” according to one security researcher. With the abundance of ZeuS and ZeuS-based malware – according to RSA’s Anti-Fraud Command Center (AFCC), this malware’s share is over 83% of all Trojan attacks and at very cheap prices, it would be surprising to see Carberp make a big impact in this strong market segment.

The Carberp code spawns a commercial offspring and/or offerings. This scenario is more likely. As mentioned previously, Carberp is an extremely sophisticated piece of malware, boasting bootkit functionality. As a result, it is more likely that the code will be picked up by a cybercrime gang looking to develop the next big thing in malware. With the trend towards privatizing malware development operations, the underground is currently lacking a (true) commercial Trojan; this vacuum may provide the right time and place for such an offering. Development may continue in closed, private groups, which develop the software for their own criminal purposes.

RSA conclusion
There’s never a dull moment in cybercrime and the Carberp code leak only adds fuel to that fire. The complexity of Carberp makes it less appealing as an “as-is” offering, but organized professional cybercrime teams may see the opportunity to be the first to finally offer a new, commercial Trojan based on the Carberp code, in the now very privatized underground.

RSA FraudAction Research Labs continues to investigate and analyze the code and will publish its findings as those are made

Phishing Attacks per Month

RSA identified 35,831 phishing attacks launched worldwide in June, marking a 3% drop in attack volume from May, and a 31% decline year-over-year in comparison to June 2012

US Bank Types Attacked

Nationwide banks remained the most targeted by phishing in June, with 76% of phishing volume directed at them. Regional banks saw a 6% decrease in volume while credit unions witnessed a 3% increase.

Top Countries by Attack Volume

The U.S. remained the country enduring the highest volume (55%) of phishing attacks in June – a 5% increase from May. The UK was the second most targeted at 10% of volume, followed by Canada, South Africa, India, and the Netherlands.

Top Countries by Attacked Brands

U.S. brands remained the most targeted by phishing at 25% of volume, followed by the UK and India. Other countries’ brands that were targeted heavily by phishing in June include Australia, Italy, China, Canada and France.

Top Hosting Countries

The U.S. remained the top hosting country in June, having hosted 45% of global phishing attacks, followed by Canada that hosted 9% of attacks. Chile and Turkey were both introduced as top hosts for phishing, each hosting 3% of phishing attacks for the month.

Previous 3 months of RSA Online Fraud Report Summaries

The RSA June 2013 Online Fraud Report Summary

The RSA April 2013 Online Fraud Report Summary

The RSA March 2013 Online Fraud Report Summary

RSA’s December Online Fraud Report 2012 including an excellent piece on Ransomware

RSA’s December Online Fraud Report delivers the results from RSA’s fraud monitoring centre, a summary of their report is below. 

Ransomware is a type of Trojan/malware that can lock files on an infected machine and restrict access to the computer unless the user pays a “ransom” for the restrictions to be removed

Infection campaigns and methods used by Ransomware are identical to those used for any other malware/Trojan infection. For example, recent Ransomware campaigns infected users via the Blackhole exploit kit; another campaign relied on drive-by-downloads via malicious tags in news sites and forums. 

Ransomware campaigns can take on a variety of forms. One of the most common scams is using fake anti-virus programs, making a user believe their computer is infected with unwanted software that can only be removed by purchasing the attacker’s special anti-virus program. However, Ransomware campaigns can take on a number of forms including bogus messages from law enforcement or even a recent example in Australia where a medical clinic’s patient records were targeted unless the clinic paid the attackers $4,200. 

Although victims are promised their files will be unlocked once they pay the “fine”, in most cases the botmaster cannot control the infected bot and the files/computer will remain locked (depending on the malware’s function). 

In order for criminals to remain untraceable, Ransomware payments must be kept anonymous and these Trojans’ operators prefer prepaid payment cards/vouchers (available at retail locations in the US, Europe and now in Arabic-speaking countries as well). It appears that Ransomware is a flourishing business in the cybercrime arena since this type of malware has been proliferating, and attack numbers are on the rise. Ransomware is so popular that although this Winlock type malware can come as a standalone piece, nowadays it is often coupled with other Trojan infections to add monetization schemes to new and existing botnets. Ransom components are sold as ‘plugins’ for some of the well-known banking Trojans including Citadel, Carberp, ICE IX, Zeus, and SpyEye. 

New commercial Ransomware

A recent variant analyzed by RSA researchers revealed a new type of Ransomware, dubbed “Multi-Locker” by its operators. This malware appears to be a commercial creation, destined for sale to cybercriminals interested in launching infection campaigns to spread it. The Multi-Locker ransom and botnet administration control panel were written by a Russian-speaking blackhat, based on a peer’s existing code (the “Silent locker” Trojan). Much like other known Ransomware codes, the malware comes with adapted HTML lock pages designed to appear per each user’s IP address’ geo-location. The pages display in the corresponding language, naming the local national police and demanding ransom in the local currency ($/€/£/other) via prepaid cards/vouchers available in that country.

Multi-Locker is available to cybercriminals through a vendor in underground fraud communities. The malware was announced in the underground in the beginning of October 2012 and offered for sale at USD $899 per kit. In the ad, the vendor guarantees the locking of files on Windows-based machines running any version of Windows, from 2003 to Windows 8. 

Most ransom Trojans to date have been designed to accept prepaid cards or vouchers issued in the US and Europe. Multi-Locker’s vendors are adding their research regarding prepaid media used in Arabic-speaking countries and assure buyers that they will enrich their knowledge to enable them to easily cash out the funds at the end of the line. 

Multi-locker Botnet and control panel

Unlike the majority of ransom Trojans, the Multi-Locker Ransomware was designed with a main point of control that can manage some of the activity of infected bots. The basic control interface shows botmasters some basic statistics such as the total number of bots on that botnet and the payments that come in from each bot. The botnet interface parses each payment made according to the prepaid card type the victim provides.

The panel also displays the botnet’s conversion rate (how many successful infections/ locks out of the entire campaign) at any given moment by showing the total number of lock pages loaded versus the number of bots (that ratio hovering around 20%). 

New features coming soon: DNS-Locker

The most interesting module this Trojan offers is apparently yet to come: DNS Internet Locker. The DNS Locker will be a restriction that will take over the Internet browser, forcing to only display the Ransomware Operator’s HTML lock page, demanding payment for the browser to be released. 

The vendor is very boastful about having researched solutions online and having found none that can help infected users find a way to rid their machines from the malware, adding that even starting the computer in sage mode will not remedy the lock, guaranteeing the future DNS Locker will work on even the newest versions of Windows. 

RSA’s Conclusion

Ransomware were first seen coming from Russia 2005-6 and have since evolved in terms of tactics and scope. Ransomware Malware is particularly lucrative to botmasters operating out of Eastern Europe as almost all were written by Russian-Speaking coders and sold by Russian-Speaking vendors in the Fraud Underground.

Ransomware’s success rate may differ in each country/geography, according to the number of users who decide for the unlocking of the PC. Unfortunately the numbers for this type of attack continue to grow as online users are not very aware of the threat and may attempt to resolve the issue on their own by providing payment to the botmasters.

Phishing Attacks per Month

In November, RSA identified 41,834 unique phishing attacks launched worldwide, making a 24% increase in attack volumes from October. The growth in attacks in November is mostly attributed to the online holiday shopping season as fraudsters try to leverage this time of year to lure victims.

Number of Brands Attacked

In November, 284 brands were targeted in phishing attacks, marking a 6% decrease from October. Of the 284 brands attacked 45% endured 5 attacks or less.

US Bank Types Attacked

Nationwide banks continued to be the most targeted by phishing in November, experienced nearly 80% of all attack volumes.

Top Countries by Attack Volume

In November the US was targeted by 42% of total phishing volume. The U.K accounted for 20% of the attack volume, with India emerging as the third most targeted by volume with 7% of all global attacks. India replaced Canada who saw a significant decrease, from 27% of total attack volumes in October to just 4% in November.

Top Countries by Attacked Brands

In November, the countries that featured the greatest number of targeted brands were the U.S. (30%), still leading by a wide margin, followed by the UK with 11%. Though absorbing a relatively small number of attacks in November, Brazilian brands ranked third of the most targeted with 6%, attesting to the diversity of attacked brands in the country.

Top Hosting Countries

Despite a 6% drop in the month prior, the U.S. continues to be the top hosting country for phishing attacks; one out of every two attacks in November was hosted in the U.S. France was the second top host, accounting for 7% of phishing attacks in November, most of which were hosted by a single ISP.

You might also want to read “What will fraud look like in 2013?”

Previous RSA Online Fraud Report Summaries:

  • The RSA November 2012 Online Fraud Report Summary here.
  • The RSA October 2012 Online Fraud Report Summary here.
  • The RSA September 2012 Online Fraud Report Summary here.
  • The RSA August 2012 Online Fraud Report Summary here.
  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


RSA’s August Online Fraud Report 2012 including a summary of Fraud as a Service (FaaS)

In their August Online Fraud Report RSA reports on the activity of online fraudsters, a summary is below.

A five-year retrospect on Fraud as a Service (FaaS) reveals that the types of services sold today have changed very little; the more noticeable changes came in the shape of scalability, service relevancy, higher availability, better deals, customer support and buyer guarantees.

Underground criminals buy and sell goods and services around the clock. The fact that these markets operate online eliminates borders and physical distance, allowing people from different parts of the world to wheel-and-deal and to partner-up in the orchestration of fraud cash-out cycles without ever meeting or speaking on the phone.

What do they sell?

For phishing – scam pages, complex phishing kits and custom kit plugins, spamming services, email databases, junk traffic, SEO poisoning, email cracking tools, spam software, and SMS spoofers, to name a few. After the attacker gathers the spoils, fraudsters can opt to buy the already-harvested databases of phishing attacks or purchase unitary ‘logins’ in an online shop selling compromised data.

For botmasters –  Trojan-related facilitators exploit kits, malware spam, botnets, Trojan kits, HTML injections, customized malicious code, encryption services, bulletproof hosting, pay-per-installs/affiliate infection schemes, plugins, set-up and tech support.

Hardly ever does one fraudster take on the complete fraud cycle; rather, fraudsters opt to partner with more experienced criminals or offer up their own expertise (such as performing in-store pick up of goods obtained with stolen credit card data). Much like real-world crime, each actor ‘gets his hands dirty’ to different extents. Bottom line – the fraudulent transaction is turned into cash in different ways and the profits are shared among those involved.

Those who don’t have any trustworthy connections in the world of fraud find and use transfer and cash-out services. Money mule, cash-out services and Item-drop mules have become ever so popular, that some vendors have already automated them for those who attempt the bulk of transactions each day bot herders and ‘carders’.

Almost all busy criminals today connect with a mule repository operator and have their fraudulent transactions go through the vendor’s mules, receiving a cut of each successful transaction as per a mutual agreement. Some cases of mule-repositories are part of the fraud cycle of one gang.

Recent underground fraud services:-

Hire a “Man-in-the-Middle”

One of the more interesting recent FaaS offers was found in an underground forum, posted by a Russian-speaking member offering his infrastructure for very temporary hire, alongside his own services as a man-in-the-middle facilitator. The botmaster had a few perks for customers who wish to attempt Trojan attacks without having to set up anything whatsoever:

  • Rent the infrastructure – gain access to infected bots
  • Pay to target and harvest – send over a trigger and a Trojan injection and those will be pushed to existing infected bots on the botnet (through a Trojan configuration file update)
  • Pay to attack – the botmaster will facilitate fraudulent transaction attempts using his Trojan’s remote administration access to bots

Buy a Botnet

The vendor behind this offer was also working in collaboration with other cybercriminals, each offering a related service a bot herder would need for the set up and operation of a botnet.

Automated Customer Support

In the recent past, Trojan developers only offered support via live chat using instant messaging services (Jabber, ICQ). A developer could only support a limited number of chats until the burden of supporting his customers became too great and support deteriorated or stopped altogether.

Trojan developers did understand the substantial need for customer/technical support and took pains to find new ways to preserve their customer base. To get an idea about just how ‘real’ customer support has become, take a quick look at this SpyEye vendor’s page. Notice the headers on the page; much like legitimate software companies – they direct users to an FAQ page, an “About SpyEye” section, and provide a detailed web form that can be sent directly to the vendor’s alleged support team, automating the process.

Many of today’s fraud service vendors put strong emphasis on supporting their buyers, offering guarantees and assistance, from the exchange of faulty or invalid cards and access credentials, all the way to providing set-up, tutorials, and tech support to those who have to operate on going online fraud operations (botnets, CC shops, exploits etc.).

One cannot mention excellent cybercrime customer support today without “Citadel” coming to mind. The team developing the Citadel Trojan has long established itself as the new go-to crimeware vendor, well on their way to inheriting the Zeus Trojan market share they built upon. The most unique feature this team offers to botmasters using Citadel is a clever CRM model that supports, tickets, listens and advises members on how to set up and operate their Trojans. The CRM is not optional! All botmasters must join it and pay a fixed monthly fee for their membership.

RSA’s conclusion

A better cybercrime marketplace, much like organized crime in the physical world, increasingly affects the world’s economy by the sheer amounts of money it taxes it every year. The worst part about this dark economy is its faceless, covert nature and thus the hardship in quantifying and understanding the extent of its damage.

Stronger crime economies are a burden on the legitimate economy in hard costs but do not stop there. This large scale clandestine operation also affects crime statistics and touches real-life aspects of law enforcement and the legal system. Due to cybercrime’s global, scattered nature, fighting it often requires internationally coordinated investigations and arrests, further taxing the resources of each nation touched by digital crimes.

Phishing Attacks per Month

Phishing attacks in July increased 14% from June, marking yet another high of 59,406 attacks in a single month. In examining an overall spike in attacks, the bulk of last month’s increase can be attributed to highly targeted phishing campaigns launched against a series of financial institutions in Europe.

Number of Brands Attacked

In July, a total of 242 brands were targeted with phishing attacks, marking a 7% drop from June. As compared to July 2011, last month’s list of phishing targets demonstrates a 25% year-over-year drop in the number of targeted brands.

US Bank Types Attacked

There was very little change in how the U.S. banking sector was targeted by phishing in July. Nationwide banks still continue to be targeted by about three out of every four phishing attacks. This reflects the tendency of cybercriminals to attack larger financial institutions.

Top Countries by Attack Volume

For the fifth consecutive month, the UK was targeted by the highest volume of phishing attacks, followed by the U.S. and Canada. The UK endured 70% of worldwide attacks, its highest portion ever.

Top Countries by Attacked Brands

Although the UK was targeted by 70% of phishing volume in July, the U.S. continues to be the country with the greatest number of targeted brands. Brands in the U.K., Brazil, India, and Australia collectively were targeted by 27% of attacks in July.

Top Hosting Countries

The U.S. hosted 79% of worldwide phishing attacks last month, its highest portion to date according to the RSA Anti-Fraud Command Center. Canada, the UK and Germany accounted for hosting an additional 10% of attacks.

Previous RSA Online Fraud Report Summaries:

  • The RSA July 2012 Online Fraud Report Summary here.
  • The RSA June 2012 Online Fraud Report Summary here.
  • The RSA April 2012 Online Fraud Report Summary here.
  • The RSA March 2012 Online Fraud Report Summary here.
  • The RSA February 2012 Online Fraud Report Summary here.
  • The RSA January 2012 Online Fraud Report Summary is here.
  • The RSA December 2011 Online Fraud Report Summary is here.
  • The RSA November 2011 Online Fraud Report Summary is here.
  • The RSA October 2011 Online Fraud Report Summary is here.
  • The RSA September 2011 Online Fraud Report Summary is here.


RSA’s February Online Fraud Report

In their February Online Fraud Report RSA shed light on one of the latest Fraud-as-a-Service (FaaS) offerings to be purveyed in the criminal underground, a new release of the “Darkness”, aka “Optima,” DDoS bot crimeware; a commercially available toolkit that not only allows fraudsters to launch DDoS attacks at a target of their choice, but which has also been enhanced with several Trojan-like functionalities.

The ‘Darkness’ DDoS bot is used to perpetrate DDoS attacks by flooding targeted websites with junk traffic originating from unwitting users’ systems. The first version of Darkness saw light in March 2009, and according to the Russian-based fraudster who posted the ad and claims to manage the Darkness “project,” the latest release contains several improvements such as enhanced flooding capabilities, an improved password grabber module, and a new module that installs SOCKS5 on victims’ systems. The vendor behind the ad claims to have been “verified” within Russian-speaking forums, and offers interested parties links to reviews of his product.

Darkness was originally coded to be the DDoS weapon of choice, but since then, several new modules have been authored for the bot, bestowing it with Trojan-like functionalities. And much like Trojan authors, Darkness’ coders have established a few security mechanisms to hinder their product’s operations from being shut down. Demonstrating the invisible hand of the market forces that govern the underground supply chain, this latest criminal offering is being rolled out in the fraudster community following a year that has been replete with numerous hacktivist DDoS attacks.

The business of selling the Darkness bot

The Darkness bot is sold as a compiled binary, for which the customer can define three Command & Control (C&C) server domains  in order to ensure operational continuity in the event of a server takedown (by LE, ISPs, CERTs, etc.).

Darkness is sold as a FaaS offering with a customer receiving a complete, fully operational administration panel on the C&C domains of his choice.

While a “Minimum” package containing the DDoS bot binary is sold for $330, a “Brilliant” package offered for $850 includes unlimited free updates, a full set of modules and unlimited ‘free’ recompiles (“rebuilds”). Further demonstrating the FaaS business model, additional services and bot features are sold separately:

  • The Darkness bot’s source code (version 10) – $3,500-$5,000
  • Individual rebuilds – $35
  • Bot updates – $85
  • Socks5 module – $250
  • Key logger module – $55
  • Password grabber – $50
  • Hosts file editor – $35

After paying for the bot’s setup, all a fraudster would have to do is infect victims’ systems using an exploit kit of his choosing. As soon as a system is infected, it appears on the customer’s web panel, with such details as country, IP address, OS, and user privileges (admin vs. user account). According to the ad, “Excellent bilingual support (Ru, Eng)” is provided.

Interestingly, to avoid liability issues, the writer of the ad disclaims any use of the Darkness bot for purposes other than IT testing.

DDoS functionality

The Darkness bot offers four types of DDoS attacks:

  1. HTTP: An attack method whereby bots flood a targeted website’s resources by sending it an overwhelming number of standard HTTP (HyperText Transfer Protocol) requests.
  2. ICMP: An attack whereby bots send data packets over the ICMP protocol (Internet Control Message Protocol), and flood all the systems operating behind a network by targeting a range of IP addresses  instead of a single IP or domain. This method exploits network devices that have not been properly configured to thwart this kind of attack.
  3. SYN: An attack that initiates a great number of TCP connections, which can only be established when a three-way handshake between two systems (a client and server) has been completed. SYN attacks drain a targeted site’s resources by initiating numerous TCP connections, but never properly completing the three-way handshake. This results in the targeted site (server) needlessly ‘waiting’ for an acknowledgement (by the client) of the new TCP connection and its being rendered unavailable for legitimate traffic.
  4. UDP: Attacks deploying  the UDP protocol (User Datagram Protocol) rely on the fact that for every erroneous  UDP packet  sent to a given resource, an ICMP Destination Unreachable packet needs to be returned, serving as an “Error, Return to Sender” message. Flooding the targeted site with incoming UDP packets  results in a counter- flood of outgoing  ICMP Destination Unreachable packets, which ultimately render the site unavailable to legitimate users.

According to a Darkness ad reported in 2010, an average website can be brought down using only 30 infected systems (bots), while 1,000 would be required for large website. The writer of the Darkness ad further claims that a high-profile website like (Russian social network), which in November 2010 reported 100 million users, would require 15,000-20,000 bots.

Trojan-like modules

Modules added to the latest release of the Darkness bot (version 10), enhance the code with functionalities typical of Trojan codes, and are sold separately much like commercial Trojan add-ons:

  • Mini-Loader Function: The ad mentions that the bot has a “Mini-Loader function: it’s possible to load your  EXE files to the bots.” Thanks to this functionality, fraudsters looking to download a financial Trojan to an already-infected system can easily do so.
  • SOCKS5 Backconnect Module: SOCKS5 modules are often installed on victims’ systems by financial Trojans, enabling fraudsters to exploit users’ systems as proxies; a feature that allows fraudsters to ‘backconnect’ from a Command & Control server to a targeted website via the victim’s system. This module enables fraudsters to access a site while appearing to operate from the victim’s IP address.
  • Password Grabber Module: The password grabber offered by the bot’s vendor can grab passwords from 14 different applications, including various FTP sites, instant- messaging programs, and webmail programs, as well various online forms.
  • Hosts File Editor Module: This functionality enables botmasters to reroute victims to malicious websites by editing their hosts file, which is a local file that serves as the first point of reference when a user’s system searches for an internet resource, such as a domain or IP address. Brazilian Banker Trojans often edit victims’ hosts files to reroute them to phishing pages that mimic targeted banks’ websites.
  • Key logger Module: This module enables Darkness operators to log all the keystrokes entered online by their victims – a feature that is rarely used by today’s advanced Trojans, given their ability to intercept all HTTP and HTTPs communications (for example, the Zeus Trojan and its derivatives no longer keylog at all.)

Security countermeasures

Darkness’ coders have invested some effort in attempting to conceal their product’s operation. As mentioned above, each Darkness binary can be configured with up to three different C&C server domains, enabling backup of the bot’s resources in the event of a domain’s suspension or a server takedown. In addition, they claim that the bot can bypass Windows’ firewall, and that it employs “some trick to bypass DDoS Protections.” While the ad claims that Darkness’ processes and resources remain invisible to the user, a previous version of the bot has reportedly failed to disguise its processes.

DDoS attacks and hacktivism

This latest criminal offering is being rolled out in the fraudster community following a year that has been replete with numerous hacktivist DDoS attacks initiated by various groups such as Anonymous, TeamPoison, AntiSec, LulzSec, and others. In 2011, high-profile victims of DDoS attacks waged by hacktivist groups included: Sony’s Playstation Network, the CIA’s website, the FBI, UK tabloid The Sun, the Spanish Police, and the government websites of Egypt, Tunisia and Turkey.

The latest set of DDoS attacks was launched last month by Anonymous (January 19, 2012), its victims comprising proponents of the controversial SOPA and PIPA bills, including the Recording Industry Association of America (RIAA), Motion Picture Association of America (MPAA), Broadcast Music, Inc. (BMI), and the FBI.

The weapon of choice for some of these attacks was Low Orbit Ion Cannon (LOIC), a free open-source program that can also serve legitimate purposes, such as testing the durability of an Internet resource in the event of a DDoS attack.  To launch an orchestrated attack that leverages their power as a community, fraudsters installed the program on their system, willingly forming a large botnet that was controlled by a central Command & Control server. At a predefined time, the C&C server issued a command to the fraudsters’ systems to start flooding victim sites with junk traffic, resulting in their temporary ‘denial of service.’

Aligning itself with the invisible hand of demand, the “Darkness” bot satisfies fraudsters’ increasing motivation to unite against perceived foes, while also fulfilling a role of a user- friendly malware kit.

And “Darkness” is not the only Trojan kit from which fraudsters can launch DDoS attacks. In March 2011, the FraudAction Research Lab reported  on a DDoS plugin traced in a variant of the SpyEye Trojan. The DDoS plugin, however, is not sold as part of the SpyEye Trojan kit, but rather it was privately developed by an individual botmaster. Recent versions of the SpyEye builder are sold with a Software Development Kit (SDK) to facilitate the development of new modules by individual botmasters.

In light of a growing interest in the underground to launch DDoS attacks against financial institutions, data security companies, law enforcement agencies, and various government bodies, we are likely to see a growing number of DDoS-enabling modules and malware kits offered in the underground market in the near future.

Phishing Attacks per Month

The year 2012 has started off with a 42% increase in the number of phishing attacks launched, with 29,974 unique attacks identified by RSA in January. Last month also saw an increase in the total number of brands attacked and the number of attacks endured by individual brands.

Number of Brands Attacked

A total of 281 brands were targeted by phishing attacks in January, marking a 10% increase from the number of targets recorded in December 2011.

US Bank Types Attacked

Nationwide U.S. brands accounted for 68% of the brands targeted in the U.S. financial sector, marking a 14% decrease from December 2011. Also in January, the portion of targeted U.S. credit union brands increased 13% and U.S. regional bank brands increased 4%.

Top Countries by Attack Volume

The UK has remained the country targeted by the highest volume of phishing attacks for the fifth consecutive month with a 10% increase since last month. In total, the UK was targeted by 60% of the world’s phishing attacks in January. While the U.S. saw a 5% decrease in the volume of attacks, the volume targeting Canada increased by 2%. The countries that have consistently suffered the largest volume of phishing attacks over the past year have been the UK, U.S., Canada, and the Netherlands.

Top Countries by Attacked Brands

Combined, U.S. and UK brands accounted for 44% of January’s phishing attacks. Twenty-one (21) other countries absorbed a combined portion of 56% of the world’s attacks, with each country accounting for one to 4% of the world’s targeted brands.

Top Hosting Countries

In January, U.S.-based hosting entities exceeded their normal share of phishing attacks, hosting 82% of worldwide phishing attacks as compared to 50 – 70% of attacks in a typical month.

Previous RSA Online Fraud Report Summaries:

  • The RSA January Online Fraud Report Summary is here.
  • The RSA December Online Fraud Report Summary is here.
  • The RSA November Online Fraud Report Summary is here.
  • The RSA October Online Fraud Report Summary is here.
  • The RSA September Online Fraud Report Summary is here.


Create a free website or blog at

Up ↑

%d bloggers like this: