Your SlideShare is downloading. ×
RSA Monthly Online Fraud Reports - November 2011
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

RSA Monthly Online Fraud Reports - November 2011


Published on

RSA Monthly Online Fraud Reports - November 2011

RSA Monthly Online Fraud Reports - November 2011

Published in: Technology, News & Politics

1 Comment
  • free free download this latest version 100% working.
    download link-
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. JOIN THE PHISHING EVOLUTIONNovember 2011 OVERVIEW Today, most Internet users have heard about phishing or have already been affected by phishing to some extent. And while the term phishing has been discussed since as early as 1996, the world has not been able to rid itself from this phenomenon. Phishing is still easily one of the top threats on the Internet; its direct and indirect costs tax the global economy with billions of dollars in fraud losses every year. Let’s take a look at how the phishing threat started and the ways in which it has evolved with attacks becoming more sophisticated and targeted over time. THE HUMBLE BEGINNINGS OF PHISHING The term ‘phishing’ was coined in 1996 by hackers who managed to steal America Online (AOL) accounts by coaxing username and passwords from unsuspecting users. At the time, hacked accounts were dubbed ‘phish’; within a year, ‘phish’ was actively being traded between hackers as a form of electronic currency that was of value to them. ‘Phishers’ used to go after compromised e-mail accounts in order to send out spam. In its early days, phishing was not looking to steal bank account information or even financially driven for that matter. It was only when phishers realized that it was relatively easy to convince web users to divulge their passwords that they inevitably saw it as a way to monetize data. Now going beyond spam, phishers added a criminal layer to their activities and began thinking of ways to compromise more valuable credentials, especially those which afforded online access to bank accounts. Phishing became a fraudster’s gold rush.FRAUD REPORT
  • 2. THE EVOLUTION OF PHISHINGFrom the tactics to the targets, phishing has evolved rapidly in a relatively small amountof time. Let’s take a look at the evolution of one of the longest-standing Internet threats.The Ploys ChangedEvery phishing attack begins with some sort of ploy. Regardless of the method of deliveryof the phishing URL or the e-mail containing the phishing HTML page, the web user has tobe convinced that he needs to go to that page for a reason valid enough to then impartwith personal and financial information. Before Now Initial phishing ploys delivered a hyper- Recent ploys have kept the good old tale. link inside an e-mail, urging the potential An e-mail tells you it was sent from your victim to take immediate action. bank, credit card issuer, or another Most times, if action was not taken, the important part of your life, urging victims alleged consequence would result in some to update certain information immediately sort of a penalty (account suspension or or risk having their accounts closed or closure). suspended. Newer ploys insert other human motivators into the mix. Rewards: Tax refunds, lottery winnings. Obligation: Fraudulent tax reporting. Curiosity: ‘Look who has been searching for you’ Right the wrong: Fake order confirmations from known online merchants or shopping sites.Look and Feel Upgraded Before Now Phishing pages were rather easy to Although some phishing attacks today are identify, presenting patchy and blurry- still lacking in finesse, most new attacks looking logos (copied from the genuine create communications to potential websites), broken hyperlinks, and victims that are almost identical to that erroneous data fields inside the pages of the targeted entity. were very common. Sophisticated phishing pages pull the Both phishing e-mails and pages genuine website’s HTML code directly contained numerous evident spelling from the source; making the replica look and syntax errors. as good as the original and allowing the phisher to achieve the exact same look and feel victims would expect to see. page 2
  • 3. Phishing Campaigns ExpandedPhishers have advanced with the times. Today’s professional phishing perpetrators optfor modern-day evasion techniques to bypass spam filter mechanisms. Beyond sendingspam or links, Local Pharming sends the victim to phishing pages, and DNS poisoningresolves the victim’s requests to phishing sites. Fraudsters even go to the length ofSearch Engine Optimization (SEO) poisoning in order to ensure that potential victimsland on their phishing pages.Phishing campaigns have also expanded their horizons in terms of the geographies andthe number of worldwide brands they target. Before Now Phishing campaigns were delivered via Recent phishing campaigns use a variety e-mail spam. of delivery methods, moving away from e-mail and into Instant Messaging platforms (sending the URL from ‘friends’ with a message to access a link). Spam comments flood social networking sites, posted to friends’ “walls,” spam messages are sent from alleged friend groups, urging users to access the URL. These ploys are used both for credential phishing and for malware infections. Phishing was sent via hijacked e-mail Phishing sent via spam botnets are accounts capable of sending out billions of e-mail daily. The campaigns almost always Phishing campaigns have expanded and communicated a message in English. evolved into using at least 16 different languages. Phishing targeted a few major brands with Phishing expanded its horizons and now a strong aim on financial institutions. targets a steady growing number of brands across geographic regions. The brand diversity has also increased with attacks going after companies such as worldwide manufacturers, airlines, online auctions, and e-commerce shops and retailers, just to name a few.The Average Phisher ChangedSuccessful phishing is no longer conducted by the same fraudsters one would imagine,sitting in a basement and launching small time attacks. Phishing, and those whoorchestrate its cycle, have become much more organized; today’s fraudsters embracecapitalism, making crime their business. For some, fraud is a full-time job and solesource of income. page 3
  • 4. Phishers study their market and make money by learning the weaknesses of others,leaving their victims and their victims’ service provider to pick up the tab. Anti-virusproviders have noticed thatpPhishers are most active during weekdays, with a noticeabledrop in activity over the weekend – taking time to enjoy a day off like anyone workingaround the clock would.From investing into more technical phishing kits, to paying for successful spamcampaigns, to looking for collaborations, discounts and a proper ROI, phishersactively seek methods and measures to ensure maximum profitability.The Targets of Phishing Changed Before Now Gullible Internet users; unaware and Phishing can be as sophisticated as unsuspecting consumers were the ones making a savvy and aware individual fall who ‘fell’ for phishing more often. for a well-crafted hoax e-mail. Some recent content sent to business people, either as spear-phishing scams or as spam, looked real enough that they could have incited even the most intelligent and discerning individuals to act upon the e-mail. Example: Sending an order confirmation with full information on the order’s contents to someone who had never ordered the goods. The person’s first reaction would be to click the hyperlink and to dispute the order. Example: A hoax sent to military personnel asked them to click the link to confirm their attendance in an important retirement party instead infected them with malware.The Hosting Methods EvolvedA phishing attack can only exist once it reaches its destination audience and is ‘available’for them to read and respond to it. This is phish hosting. The hosting of attacks isprobably the one aspect to have consistently evolve, having introduced new methodsfor an attack to be kept alive.Fraudsters have gone to great lengths to innovate in spoofing sites, exploiting contentmanagement systems, hijacking sites, using fast-flux proxies, bulletproof infrastructures,standalone attacks (using web form services to communicate stolen credentials), localHTML attack forms which open locally on the victim’s PC – all in the name of hostingphishing attacks that will not be easily blocked, detected or taken down.Online vendors and the financial industry started taking phishing attacks a lot moreseriously, developing measures to mitigate risks and fight back. The public has learnedmore and been made aware of phishing, repeatedly told by banks not to divulge theirinformation and to be suspicious of any communication that requests them to entertheir personal details. page 4
  • 5. Phishers are aware of the mechanisms being deployed to stop their attacks. As to notlet any of these deter them from their efforts to make more cash, phishers have beenembracing web application security research and use discovered vulnerabilities forhijacking websites and for maximum exposure for each attack.RSA has already reported vulnerability exploits made to ensure mass hijacking ofotherwise legitimate websites for the purposes of hosting phishing pages (e107 exploits,WordPress vulnerability – which is still unpatched and exploited today). The morecommitted a phisher is, the more inclined he would be to pay for exploits to beprogrammed by professional malware authors and use crafty ways to deliver an attack,host it and have the credentials stolen and sent to his drop (either a drop e-mail addressor a drop routed from the attack’s URL). Before Now Phishing pages requested the victim’s Phishing pages request that users enter username and password. elaborate data sets, now including secret questions, contact details, payment card data, numbers found on identification documents (SSN, Driver’s license, passport number), and even demographic details: Age, DOB, Nationality. Phishing pages only contained the Phishing pages also contain drive-by- phish data fields designed to harvest downloads or infections points for information and forward it to the Trojans or exploit kits. hands of the fraudster. Some phishing pages studied by RSA revealed a delayed-release type of operation, where a hijacked site began by displaying phishing, then added redirections to Trojan infection sites, and last, redirected users to explicit adult content sites harboring more malware.Added Plug-insOlder phishing kits were rather basic, often available free of charge, and almost alwaysbugged by their writer who included handy scripts designed to have him share in theimpending credentials harvest.Newer phishing kits have evolved into more robust codes sold for money. Often, theseelaborate kits are also the ones which include special plug-ins. Some of these plug-insinclude:– A spam crawler designed to help the phisher create hefty spam lists through large webmail service providers– An MiTM feature designed to check the validity of just-harvested credentials against the genuine bank’s website (quality control)– A script add-on to collect the victim’s basic system specs (screen resolution, browser version, victim’s time zone)– RSA has already reported about a web-based interface which generated phishing pages, ready for use online. This interface was a one-stop-shop, managed by one administrator who had ‘subscribers’ register to the service, providing them with e-commerce phishing necessities. page 5
  • 6. 38970 40000 35000Phishing Attacks per Month 30000 Source: RSA Anti-Fraud Command Center 26907In October, phishing volume dropped 25191 24019nearly 40 percent – from 38,970 attacks 25000 23097 22516in September to 24,019 attacks. This 20000 17579 17579 16355 18079 17586 17376decline was mainly due to a drastic 16047reduction in the number of phishing 15000attacks targeting brands that were 10000heavily attacked in September. 5000 0 Oct 10 Nov 10 Dec 10 Jan 11 Feb 11 Mar 11 Apr 11 May 11 Jun 11 Jul 11 Aug 11 Sept 11 Oct 11 400 376 349 351 342 350 321 301 300 298Number of Brands Attacked 300 Source: RSA Anti-Fraud Command Center 268 257 250 236Last month, 298 brands were targeted withphishing attacks, marking just a slight 200 200 181drop from September. Eleven brandsendured their first attack in October while 15051 percent of the brands targeted last 100month endured less than five attacks each. 50 0 Oct 10 Nov 10 Dec 10 Jan 11 Feb 11 Mar 11 Apr 11 May 11 Jun 11 Jul 11 Aug 11 Sept 11 Oct 11 page 6
  • 7. 100 10% 10% 8% 11% 9% 11% 15% 12% 11% 10% 19% 6% 14%US Bank Types Attacked 80 25% 19% 18% 15% 15% 18% 22% 12% 20% 23% 20% 25% 12%The portion of brands targeted among U.S. Source: RSA Anti-Fraud Command Centercredit unions increased eight percent while 60brands targeted among U.S. regional bankssaw a 13 percent decrease in October (from 4025% to 12%). However, U.S. nationwidebank brands continue to endure the highestnumber of attacks, accounting for nearly 75 20percent in October. 65% 71% 74% 74% 76% 71% 63% 76% 69% 67% 61% 69% 74% 0 Oct 10 Nov 10 Dec 10 Jan 11 Feb 11 Mar 11 Apr 11 May 11 Jun 11 Jul 11 Aug 11 Sept 11 Oct 11 Other Countries 2% a Australia South Korea India 2% Canada China Colombia 1% Germany UK France Nethe Australia 2% Netherlands 2% Canada 3%Top Countries by Attack Volume Brazil 4% United Kingdom 37%In October, the UK continued to be thecountry that endured the most phishingattacks, just slightly ahead of the U.S. by a South Africa 11%mere one percent. South Africa enduredeleven percent of the phishing volume inOctober, followed by Brazil and Canada. U.S. 36% page 7
  • 8. South Africa 2% Italy 2% a US S Africa Colombia 2% China Italy China 2% Canada Netherlands India Bras Germany 2% Mexico 2%Top Countries by Attacked Brands India 4%Together, the US and UK accounted for U.S. 33% Australia 4%46% of the world’s targeted brands inOctober. Brands in Canada, Brazil, Brazil 5%Australia and India accounted fornearly 20 percent of attacks, as well. Canada 5% United Kingdom 13% 37 Other Countries 24% Ukraine 2% USA Australia South Korea Brazil 2% Canada China Germany UK France Net Russia 2% Australia 2%Top Hosting Countries Canada 3%In October, the US hosted 54 percent of France 3%the world’s phishing attacks, followed by Netherlands 3%Germany with seven percent and the UK United Kingdom 4%with four percent. Since October 2010, the U.S. 54%only countries that have consistentlyhosted the highest portions of phishing Germany 7%attacks have been the US, UK, Germany,France and Russia. 73 Other Countries 18% CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at ©2011 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. NOV RPT 1111