RSA Monthly Online Fraud Report -- February 2013
This monthly report highlights the most recent phishing trends witnessed by RSA in January 2013.


PHISHING KITS – THE SAME WOLF, JUST A DIFFERENT SHEEP’S CLOTHING
February 2013

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, RSA identified an average of over 37,000 phishing attacks each month. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as in 2011. This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

START LEGIT, THEN GO BAD

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security. The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They use this site as a trampoline of sorts, making their victims reach it and then bounce them from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a “clean” site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, reach the first (good) URL and be instantly redirected to the malicious one.
Another similar example is reflected in time-delayed attacks – again, not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the “good” URL and stalls. The malicious content is only loaded onto the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, and the malicious content becomes available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.

PHISH FRIDAY

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees – spear phish Friday, if you will. Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox of the week’s emails and browse the Internet more – making them more likely to check out a link they received via email that day.

TYPO SQUATTING – DOUBLE TIME

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting are registering a website for phishing and choosing a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are:

–– Switching letters, as in bnak or bnk for “bank”
–– Adding a letter at the end of the word or doubling a letter in the wrong place, as in Montterrey for “Monterrey”
–– Swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing; however, for most individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link. This is especially important today, since fake websites look better than ever and are that much harder to tell apart.

[Figure: Typo-squatting. Phishing email leading to a Twitter replica website registered by a fraudster using a typo-squatted domain.]
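The two tactics above, the clean “trampoline” redirect and the typo-squatted domain, are both missed by a filter that only checks the reputation of the URL as it appears in the email. The following is an added example, not code from the RSA report: it evaluates every hop of a recorded redirect chain and compares each hop’s hostname against a list of legitimate brand domains using the three manipulations the report lists (switched or dropped letters, an added or doubled letter, visually similar letters). The brand list, the homoglyph table, the function names and the sample chain are this example’s own assumptions; nothing is fetched from the network.

```python
"""Added example (not from the RSA report): defender-side triage of a URL
received by email.

1. Redirect "trampoline": the URL in the email points at a hijacked but
   untouched site that bounces to the phishing page, so every hop of the
   recorded redirect chain is examined rather than only the first.
2. Typo-squatting: each hop's hostname is compared with legitimate brand
   domains after folding visually similar characters, using an edit
   distance that counts an adjacent swap (bnak), a dropped letter (bnk)
   and an added/doubled letter (Montterrey) as one edit each.
"""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate brand domains (hypothetical).
BRAND_DOMAINS = ("bank.example", "monterrey.example", "twitter.com")

# Visually confusable sequences folded to one canonical form. Multi-character
# entries come first so "rn" becomes "m" before the single-character rules.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("l", "i"))


def normalize(label):
    """Lower-case a domain label and fold visually similar characters."""
    label = label.lower()
    for lookalike, canonical in HOMOGLYPHS:
        label = label.replace(lookalike, canonical)
    return label


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance:
    one unit per insertion, deletion, substitution or adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def second_level_label(host):
    """Label left of the TLD ("twitter" for "www.twitter.com").
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def typosquat_match(host):
    """Return the brand domain that `host` imitates, or None when the host is
    the genuine brand (or one of its subdomains) or unrelated to every brand."""
    host = host.lower()
    if any(host == b or host.endswith("." + b) for b in BRAND_DOMAINS):
        return None
    label = normalize(second_level_label(host))
    for brand in BRAND_DOMAINS:
        if osa_distance(label, normalize(second_level_label(brand))) <= 1:
            return brand
    return None


def triage_chain(hops):
    """Evaluate a recorded redirect chain given as (url, http_status) hops.

    Verdicts: "phish-like" when any hop is a typo-squat of a brand, "review"
    when the chain crosses registrable domains (the trampoline pattern, which
    legitimate link shorteners also produce), otherwise "clear"."""
    hosts = [urlsplit(url).hostname or "" for url, _status in hops]
    hits = []
    for host in hosts:
        brand = typosquat_match(host)
        if brand:
            hits.append((host, brand))
    crosses = len({second_level_label(h) for h in hosts}) > 1
    verdict = "phish-like" if hits else ("review" if crosses else "clear")
    return {"first_host": hosts[0], "final_host": hosts[-1],
            "cross_domain_redirect": crosses, "typosquat_hits": hits,
            "verdict": verdict}


# Constructed chain as a fetcher would record it: hop 1 is the hijacked but
# untouched "clean" site named in the email, hop 2 the actual phishing page.
CONSTRUCTED_CHAIN = [
    ("http://news.hijacked-but-clean.example/article.php", 302),
    ("http://tvvitter.com/login", 200),
]

if __name__ == "__main__":
    for word in ("bnak", "bnk", "montterrey", "tvvitter"):
        print(word, "->", typosquat_match(word + ".example"))
    print(triage_chain(CONSTRUCTED_CHAIN))
```

Because of the time-delayed variant described above, a chain recorded when the message is delivered can differ from the chain a user follows a day or two later; the triage is therefore most useful when run on the chain recorded at click time. A distance threshold of one on short labels is deliberately noisy (a four-letter label has many neighbours), so the “phish-like” verdict is a triage signal for review, not a block decision on its own.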
A quick search engine query for the domain immediately revealed that it was registered by someone in Shanghai and had already been reported for phishing.

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You’d think that by now phishers would have learned that their spelling mistakes and clunky syntax impair their success rates, but luckily, they haven’t. This could be in part due to the fact that many kit authors are not native English speakers.

BOUNCER PHISHING – STRANGERS KEEP OUT

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000-strong pre-loaded list. It may sound like a long list, but it is very limiting in terms of exposure to the phishing attack itself. This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

WATER-HOLING – REVERSING THE ROLES

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there. A water-hole is thus a website or an online resource that is frequently visited by the target audience. Compromise that one resource, and you’ve got them all.

Clearly, fully patched systems will still be rather immune, and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware. Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on a daily basis, the other possibility for a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts, their email addresses, or the type of content they will expect or suspect before going after the targeted organization.

CONCLUSION

Although there is not much a phishing page can surprise with, one can’t forget that the actual page is just the attack’s façade. Behind the credential-collecting interface lie increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information, and always seek the next best way to attack. According to recent RSA research into kits, changes in the code’s makeup and phish tactics come from deliberate study of human behavior patterns: logging statistical information about users and then implementing that knowledge in future campaigns.
Phishing Attacks per Month

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

[Chart: Phishing Attacks per Month, Jan 12 – Jan 13; monthly values on the chart range from 19,141 to 59,406. Source: RSA Anti-Fraud Command Center]

Number of Brands Attacked

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

[Chart: Number of Brands Attacked, Jan 12 – Jan 13; monthly values on the chart range from 242 to 314. Source: RSA Anti-Fraud Command Center]
US Bank Types Attacked

U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

[Chart: US Bank Types Attacked (nationwide banks, regional banks, credit unions as a share of monthly volume), Jan 12 – Jan 13. Source: RSA Anti-Fraud Command Center]

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume each.

[Chart: Top Countries by Attack Volume, January 2013]
– U.S. 57%
– United Kingdom 10%
– India 4%
– Canada 4%
– South Africa 3%
– 43 other countries 22%
Top Countries by Attacked Brands

Brands in the U.S. were most targeted in January; 30% of phishing attacks were targeting U.S. organizations, followed by the UK, which represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

[Chart: Top Countries by Attacked Brands, January 2013]
– U.S. 30%
– United Kingdom 11%
– India 4%
– Australia 4%
– France 4%
– Canada 4%
– Brazil 3%
– Italy 3%
– 40 other countries 37%

Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia, which together hosted about one-fifth of phishing attacks in January.

[Chart: Top Hosting Countries, January 2013]
– U.S. 52%
– Canada 6%
– Germany 6%
– United Kingdom 4%
– Colombia 3%
– 56 other countries 29%
CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller – or visit us at

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their holders. FEB RPT 0213