Phishing kits are evolving to evade detection by using legitimate websites as intermediaries to redirect victims to phishing pages. Phishers also employ time delays so malicious content isn't loaded until after the spam email clears filters. Fridays are popular for spear phishing since employees may be less vigilant at the end of the week. Typo squatting, where minor spelling errors are used in domains, remains an effective tactic. Phishers also limit their audiences and protect infrastructure using "bouncer phishing". Water-holing compromises frequented websites to infect broad audiences. Phishing continues to evolve based on analyzing human behavior.
PHISHING KITS – THE SAME WOLF, JUST A DIFFERENT SHEEP’S CLOTHING
February 2013
Phishing still stands as the top online threat impacting both consumers and the
businesses that serve them online. In 2012, there was an average of over 37,000
phishing attacks each month identified by RSA. The impact of phishing on the global
economy has been quite significant: RSA estimates that worldwide losses from phishing
attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2
billion if the average uptime of phishing attacks had remained the same as 2011.
This monthly highlight goes beyond the growing numbers recorded for phishing attacks
and looks deeper into the evolution of attack tactics facilitating the sustained increase
witnessed over the last year.
START LEGIT, THEN GO BAD
Phishing kits recently analyzed by RSA show another phish tactic increasingly used by
phishers. Although this is not entirely new, it is interesting to see it implemented by
miscreants planning to evade email filtering security.
The scheme includes a number of redirections from one website to another. What kit
authors typically do in such cases is exploit and take over one legitimate website,
hijacking it but not making any changes to it. They will be using this site as a trampoline
of sorts, making their victims reach it and then be bounced from there to a second
hijacked website: the actual phishing page.
What good can this serve? Simple: the first site is purposely preserved as a “clean” site
so that phishers can send it as an unreported/unblocked URL to their victims, inside
emails that would not appear suspicious to security filtering. The recipient will then
click the link, get to the first (good) URL and be instantly redirected to the malicious one.
FRAUD REPORT
Another similar example is reflected in time-delayed attacks – again, not new, but
increasingly used by attackers. This variation uses the same clean site, sends the email
spam containing the “good” URL and stalls. The malicious content will only be loaded to
the hijacked site a day or two later. These are often weekend attacks, where the spam is
sent on a Sunday, clears the email systems, then the malicious content is available on
Monday. The same scheme is used for spear phishing and Trojan infection campaigns.
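The two tactics above share one weakness a mail gateway can exploit: the "clean" URL in the email is not where the victim ends up, and what it serves can change after delivery. The following is an added example, not RSA's code and not taken from any kit, showing a click-time redirect-chain check. The HTTP fetch is injected so it runs offline against constructed responses; the hostnames, paths and both response snapshots are hypothetical.

```python
"""Click-time redirect-chain check for a URL found in an email.

Added example; not RSA's code. Models a "clean" first site that bounces the
visitor to a second hijacked host, and content that only turns malicious
after the message has cleared filtering. Hostnames are hypothetical.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed snapshots of what a URL scanner would see. At delivery time the
# first site serves a harmless page; a day later the same URL bounces to a
# credential-harvesting host.
AT_DELIVERY = {
    "http://good-garden-club.example/news.html": (200, {}),
}
AT_CLICK = {
    "http://good-garden-club.example/news.html": (302, {"Location": "/go.php"}),
    "http://good-garden-club.example/go.php": (302, {"Location": "http://acct-verify.example/login"}),
    "http://acct-verify.example/login": (200, {}),
}


def make_fetch(table):
    """Return a fetch(url) -> (status, headers) stand-in for an HTTP request.
    Unknown URLs come back as status 0 (unreachable)."""
    return lambda url: table.get(url, (0, {}))


def follow_chain(url, fetch, max_hops=10):
    """Follow Location headers and return every URL visited, in order.
    Stops on a non-redirect response, a loop, or after max_hops."""
    chain = [url]
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        if status not in REDIRECT_CODES or "Location" not in headers:
            break
        nxt = urljoin(chain[-1], headers["Location"])  # relative Location is allowed
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def assess(url, fetch):
    """Flag a URL whose final landing host differs from the host in the email."""
    chain = follow_chain(url, fetch)
    first, last = host_of(chain[0]), host_of(chain[-1])
    return {
        "chain": chain,
        "first_host": first,
        "final_host": last,
        "verdict": "trampoline" if first != last else "direct",
    }


if __name__ == "__main__":
    url = "http://good-garden-club.example/news.html"
    print("at delivery:", assess(url, make_fetch(AT_DELIVERY)))
    print("at click:   ", assess(url, make_fetch(AT_CLICK)))
```

The same URL yields "direct" at delivery time and "trampoline" at click time, which is why a filter that scans links only once, when the message arrives, misses both variants. A cross-host chain is a signal rather than a verdict (link shorteners and CDNs redirect across hosts legitimately), so in practice the final host is checked against reputation data and the user is warned rather than silently blocked.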
PHISH FRIDAY
Research into attack patterns proves that Fridays are a top choice for phishers to send
targeted emails to employees – spear phish Friday if you will. Why Friday? When it comes
to phishing, phishers make it their business to know their targets as well as possible. It
stands to reason that employees may be a little less on guard on the last day of the week,
clean their inbox from the week’s emails and browse the Internet more – making them
more likely to check out a link they received via email that day.
TYPO SQUATTING – DOUBLE TIME
Typo squatting is a common way for phishers to try and trick web users into believing they
are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting
is registering a website for phishing, choosing a domain name that is either very similar to
the original or visually misleading. The most common ways of doing this are:
–– Switching letters, as in bnak or bnk for “bank”
–– Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for “Monterrey”
–– Swapping visually similar letters
Phishers are creative and may use different schemes to typo squat. This phish tactic can
be noticed by keen-eyed readers who actually pay close attention to the URL they are
accessing; however, for most individuals on a busy day, typo squatting can end with an
inadvertent click on the wrong link. This is especially important today, since fake websites
look better than ever and are that much harder to tell apart.
[Figure: Typo-squatting – phishing email leading to a Twitter replica website registered by a fraudster using typo-squatting]
A quick search engine search for domain iwltter.com immediately revealed that it was
registered by someone in Shanghai and already reported for phishing.
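A brand-protection team can catch the patterns listed above (switched, added or doubled, and visually similar letters, plus a dropped letter) by comparing newly registered or newly seen domains against its own brand list. The following is an added example, not RSA's code: an edit-distance check that counts an adjacent swap as one edit and first collapses look-alike glyphs. The protected list and the ".example" candidates are constructed; iwltter.com is the domain cited in the text.

```python
"""Lookalike-domain check against a list of protected brand domains.

Added example; not RSA's code. Flags switched, added/doubled, dropped and
visually similar letters. Brand list and ".example" candidates are constructed.
"""

PROTECTED = ["twitter.com", "bank.example", "monterrey.example"]

# Glyph sequences that read alike in a URL bar; multi-character pairs go first.
MULTI_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_GLYPHS = str.maketrans({"1": "i", "l": "i", "|": "i", "0": "o"})


def canonical(label):
    """Collapse visually similar characters so lookalikes compare equal."""
    s = label.lower()
    for pair, glyph in MULTI_GLYPHS.items():
        s = s.replace(pair, glyph)
    return s.translate(SINGLE_GLYPHS)


def brand_label(domain):
    """Second-level label of a domain. A real deployment consults the public
    suffix list so that e.g. 'bank.co.uk' also yields 'bank'."""
    parts = domain.lower().strip(".").split(".")
    if parts[0] == "www":
        parts = parts[1:]
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def edit_pattern(cand, brand):
    """Name the single edit that turns brand into cand (distance 1 assumed)."""
    if len(cand) == len(brand):
        diffs = [i for i in range(len(cand)) if cand[i] != brand[i]]
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and cand[diffs[0]] == brand[diffs[1]]
                and cand[diffs[1]] == brand[diffs[0]]):
            return "switched letters"
        return "substituted letter"
    if len(cand) == len(brand) + 1:
        return "added letter"
    return "dropped letter"


def classify(domain, protected=PROTECTED):
    """Return the closest protected brand and the typo pattern, or None when the
    domain is a protected domain itself or is not a near miss of any brand."""
    if domain.lower() in (p.lower() for p in protected):
        return None
    raw = brand_label(domain)
    cand = canonical(raw)
    for brand_domain in protected:
        brand_raw = brand_label(brand_domain)
        brand = canonical(brand_raw)
        if cand == brand:
            if raw != brand_raw:  # identical after glyph collapsing only
                return {"brand": brand_domain, "pattern": "lookalike letters",
                        "lookalike_glyphs": True}
            continue  # same label, different suffix: not a typo pattern
        if osa_distance(cand, brand) == 1:
            return {"brand": brand_domain, "pattern": edit_pattern(cand, brand),
                    "lookalike_glyphs": cand != raw}
    return None


if __name__ == "__main__":
    for d in ["iwltter.com", "bnak.example", "bnk.example", "montterrey.example",
              "tw1tter.com", "twitter.com", "unrelated.example"]:
        print(d, "->", classify(d))
```

A threshold of one edit keeps false positives low for short labels; for long brand names a threshold of two is common, at the cost of more review work. The check is meant to run on certificate-transparency or zone-file feeds so that a look-alike is known before the first email using it is sent.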
But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale
signs of phishing. You’d think that by now phishers would have learned that their
spelling mistakes and clunky syntax impair their success rates, but luckily, they haven’t.
This could be in part due to the fact that many kit authors are not native English speakers.
BOUNCER PHISHING – STRANGERS KEEP OUT
Another phish tactic analyzed by RSA over the past month came in the shape of a kit that
selected its audience from a 3,000-strong pre-loaded list. It may sound like a long list,
but it is very limiting in terms of exposure to the phishing attack itself.
This case showed that phishers will use different ways to protect the existing campaign
infrastructure they created and make sure strangers, as in security and phish trackers,
keep out of their hijacked hostage sites while they gather credentials and ship them out
to an entirely different location on the web.
WATER-HOLING – REVERSING THE ROLES
Water-holing in the phishing context became a tactic employed by attackers looking to
reach the more savvy breed of Internet users. Instead of trying to send an email to a
security-aware individual, attempting to bypass security implemented in-house and
reinventing the phish, water-holing is the simple maneuver of luring the victim out to
the field and getting him there.
A water-hole is thus a website or an online resource that is frequently visited by the
target-audience. Compromise that one resource, and you’ve got them all. Clearly fully
patched systems will still be rather immune and secured browsers that will not allow the
download of any file without express permission from the user will deflect the malware.
Water-holing has been a tactic that managed to compromise users by using an exploit
and infecting their machines with a RAT (remote administration tool). This is also the
suspected method of infection of servers used for the handling of payment-processing
data. Since regular browsing from such resources does not take place on a daily basis, the
other possibility for a relatively wide campaign is to infect them through a resource they
do reach out to regularly.
Water-holing may require some resources for the initial compromise of the website that
will reap the rewards later, but these balance out considering the attacker does not need
to know the exact contacts/their email addresses/the type of content they will expect or
suspect before going after the targeted organization.
CONCLUSION
Although there is not much a phishing page can surprise with, one can’t forget that the
actual page is just the attack’s façade. Behind the credential-collecting interface lie
increasingly sophisticated kits that record user hits and coordinates, push them from one
site to the next, lure them to infection points after robbing their information and always
seek the next best way to attack. According to recent RSA research into kits, changes in
the code’s makeup and phish tactics come from intent learning of human behavior
patterns by logging statistical information about users and then implementing that
knowledge into future campaigns.
Phishing Attacks per Month
In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December. Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.
[Chart: Phishing Attacks per Month, Jan 12 – Jan 13, bar chart scaled 0–60,000 attacks. Source: RSA Anti-Fraud Command Center]
Number of Brands Attacked
In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.
[Chart: Number of Brands Attacked, Jan 12 – Jan 13, bar chart scaled 0–350 brands. Source: RSA Anti-Fraud Command Center]
US Bank Types Attacked
U.S. nationwide banks continue to be the prime target for phishing campaigns – targeted by 70% of the total phishing volume in January. Regional banks’ attack volume remained steady at 15%, while attacks against credit unions increased by 9%.
[Chart: US Bank Types Attacked, Jan 12 – Jan 13, stacked percentage bars (nationwide banks, regional banks, credit unions); January 2013 column: 70% / 15% / 15%. Source: RSA Anti-Fraud Command Center]
Top Countries by Attack Volume
The U.S. was targeted by phishing most in January – with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.
[Pie chart] U.S. 57%; United Kingdom 10%; Canada 4%; India 4%; South Africa 3%; 43 Other Countries 22%
Top Countries by Attacked Brands
Brands in the U.S. were most targeted in January; 30% of phishing attacks were targeting U.S. organizations, followed by the UK, which represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.
[Pie chart] U.S. 30%; United Kingdom 11%; India 4%; Australia 4%; France 4%; Canada 4%; Brazil 3%; Italy 3%; 40 Other Countries 37%
Top Hosting Countries
In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia, which together hosted about one-fifth of phishing attacks in January.
[Pie chart] U.S. 52%; Canada 6%; Germany 6%; United Kingdom 4%; Colombia 3%; 56 Other Countries 29%