The RSA Monthly Online Fraud Report examines the latest trends in global phishing and cybercrime.
The month of August marks a much anticipated return to school for both parents and students, but it appears that the subject of education is just as popular in the cybercrime underground this time of year. RSA has observed an increased supply of cybercrime courses, lessons, counseling and tutoring offered to fraudsters in rather official-looking models, mimicking the activity of legitimate schooling
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Â
RSA Monthly Online Fraud Report - September 2013
1. page 1
F R A U D R E P O R T
NOW REGISTERING FOR
CLASSES AT CYBERCRIME U
September 2013
The month of August marks a much anticipated return to school for both parents and
students, but it appears that the subject of education is just as popular in the cybercrime
underground this time of year. RSA has observed an increased supply of cybercrime
courses, lessons, counseling and tutoring offered to fraudsters in rather official-looking
models, mimicking the activity of legitimate schooling.
SENIOR FRAUDSTERS OFFER SCHOOLING FOR NEWCOMERS
It has never been uncommon in the underground to see senior actors offer up advice to
newbies on how to commit fraud. More recently, seasoned criminals are even willing to
share more of their time and expertise to teach willing would-be criminals the ins and
outs of cybercrime â for a fee.
RSA has been seeing an increase in ads by established criminals advertising courses they
commonly carry out via Skype videoconferencing. To add value, âteachersâ are offering
interesting fraud courses, following those up with individual tutorials (Q&A sessions)
after students join their so-called schools.
Since Fraud-as-a-Service (FaaS) strives to resemble legitimate business models, fraudster
trade schools further offer âjob placementâ for graduates through their many underground
connections with other experienced criminals. Interestingly, some of the âteachersâ go
the extra mile and vouch for students who show âtalentâ so that they can join the
underground communities they would otherwise not be able to access.
2. page 2
Some cybercrime professors even enforce a rigid absentee policy:
ââ Students must give a 2 hour advanced notice if they cannot attend.
ââ Students who fail to notify ahead of time are fined 50% of the fee, and rescheduled for
the next class.
ââ Students who fail to pay absentee fees will forfeit the entire deposited fee.
The following section presents some examples of cybercrime schooling curriculums
exposed by RSA fraud analysts.
BEGINNERSâ CYBERCRIME CLASSES
The first level of course is designed for beginners, teaching the basics of online financial
fraud.
Cybercrime Course Curriculum:
The Business of Fraud Credit cards, debit cards, drop accounts, how all it works,
who are the clients, prices, risks.
Legal Aspects How to avoid being caught by the authorities.
What can be used against you in a court of law?
Building Your Business Where to find clients? How to build a top-notch fraud
service.
Transaction Security How to avoid getting scammed and shady escrow services.
Price per lecture 2,500 Rubles (about $75 USD)
COURSES IN CARD FRAUD
Criminals further offer the much in demand payment card fraud classes - one course per
payment card type.
Card Fraud Course Curriculum
The Business Drops, advertising, accomplices, chat rules and
conventions.
Legal Security Dealing with law enforcement: who is accountable for the
crime in organized groups, what can be collected as
evidence.
Building Your Business Invaluable tips that will help develop your service to top
level, and help acquire customers.
Security of Transactions Common patterns of rippers/ripping, how to identify
scams, how to use escrow services.
Price per lecture
Price per course
Both courses
2,500 Rubles (about $75 USD)
2,500 Rubles (about $75 USD)
4,000 Rubles (about $120 USD)
3. page 3
ANONYMITY AND SECURITY COURSE
Stressing the importance of avoiding detection and maintaining anonymity, this course
teaches a fraudster the art of avoiding detection, and how to erase digital âfingerprintsâ.
The tutoring vendor offers practical lessons in configuring a computer for complex
security and anonymity features. This course includes a theoretical and a practical
section, with a duration estimated at four hours.
Anonymity Course Curriculum:
Configuring and using
Anonymity tools
Antivirus and firewall, Windows security(ports and âholesâ),
virtual keyboards, shutting off browser logging, eliminat-
ing history/traces on the PC, applications for permanent
data removal, data encryption on the hard drive, Anony-
mizer applications, VPN â installation/configuration, using
SOCKS â where to buy them, hiding oneâs DNS server,
dedicated servers, TOR browsers, safe email mailboxes,
using disposable email, using a cryptic self-destruct flash
drive, creating cryptic self-destruct notes, extra advanced
topic â tools for remotely liquidating a hard drive.
Botnets Independent study (online document/site link provided)
Using Chat Channels Using ICQ, Skype, Jabber, registering Jabber on a safe
server, OTR/GPG encryption in a Jabber chat, passing a key
and chatting on a secure channel via Jabber
Legal Electronic evidence one might be leaving behind, and that
can be used against fraudsters by law enforcement.
Price per course 3,300 Rubles (about $99 USD)
$35 â additional charge for installing VPN
BECOME A MULE HERDER
Nowadays, money mules and item drop mules are the most crucial parts of the fraud
supply chain, for nearly all fraud scenarios in which criminals need to move money or
goods. Mules are becoming increasingly scarce in the underground and mule herders
stand to increase their business profits if they can deliver active mules. In an interesting
cybercrime schooling offer, a vendor is offering to instruct newcomers on how to recruit
mules and open their own âbusinessâ as a mule herder.
Mule Herding Course Curriculum:
Theory section
(2-3 hrs)
Fundamentals â opening a mule-recruitment service, legal
and practical security measures, finding accomplices and
partners.
Practical section
(3-5 hrs)
Receive a prepared transaction to handle, and earn 10% on
this initial transaction (if one succeeds). If the student
fails, a second transaction will be offered, at a cost of 1,500
Rubles ($45 USD) and no percentage earned. Upon
successful completion of the test, fraudsters receive
official confirmation by public notice from the lecturer in
the community.
This part is only open to students who have completed the
theory section, and have set up the anonymity and security
tools, and have the additional tools required for the
transaction
4. page 4
ONE-ON-ONE TUTORIALS AND CONSULTATIONS
With a money-back guarantee promised to students, one crime school offers personal
one-on-one tutorials and problem solving sessions via Skype.
Special tutorial topics:
Banking and Credit Cards âBlack and whiteâ credit, fake documents, banking
algorithms and security measures (Russian Federation
only)
Debit Cards The finer details of working with debit cards and setting up
a service (Russian Federation only)
Registering and Using
Shell Corporations
Legal issues and practical problems in using shell
corporations for fraud (Russian Federation only)
Legal Liability Issues Your legal rights, practical advice on interaction with law
enforcement agencies, counseling services even while
under investigation (Russian Federation only)
Setting up Anonymity Practical help in setting up anonymity, and answers to
questions from the course (any country)
Price 2,000 Rubles (about $60) per hour
THE SCHOOL OF CARDING
Approaching the subject that is highest in demand in the underground, vendors have
opened schools for carding â teaching the different ways to use payment cards in fraud
scenarios. One vendor offers classes on a daily basis, at two levels of expertise, and
indicates that he gives his personal attention to each student. The vendor also assures
his students that his resources (compromised data) are fresh, personally tested by him,
and never before made available on any âpublicâ lists.
School of Carding - Basic Curriculum
Current Working BINs Credit card BIN numbers that have been verified as
successful in carding scenarios.
Websites for Clothing,
Electronics, etc.
Which merchants make the best targets for carding?
Tips and Tricks Extra insights from personal experience.
Price $25 USD
School of Carding - Advanced Curriculum
BINs and Banks Recommended BIN numbers that give best results in
carding.
Tested sites A list of tested ecommerce sites recommended for carding
clothing, electronic goods, and more.
5. page 5
Phishing Attacks per Month
RSA identified 33,861 phishing attacks
launched worldwide in August, marking
a 25% decrease in attack volume from
July. Based on this figure, it is estimated
phishing resulted in an estimated $266
million in losses to global organizations
in August.
0
10000
20000
30000
40000
50000
Source:RSAAnti-FraudCommandCenter
49488
35440
33768
41834
29581 30151
27463
24347
26902
36966
35831
45232
33861
Aug12
Sep12
Oct12
Nov12
Dec12
Jan13
Feb13
Mar13
Apr13
May13
Jun13
Jul13
Aug13
US Bank Types Attacked
U.S. nationwide banks remained the most
targeted with two out of three phishing
attacks targeted at that sector in August
while U.S. regional banks saw an 8%
increase in phishing attacks.
0
20
40
60
80
100
Source:RSAAnti-FraudCommandCenter
11% 9% 9% 12% 6% 15% 8% 17% 15% 8% 11% 11% 11%
15%
14%
14%
9%
15%
15% 23%
23%
12%
19% 13% 15% 23%
74% 77% 77% 79% 79% 70% 69% 60% 73% 73% 76% 74% 66%
Aug12
Sep12
Oct12
Nov12
Dec12
Jan13
Feb13
Mar13
Apr13
May13
Jun13
Jul13
Aug13
6. page 6
Top Countries by Attack Volume
The U.S. remained the most targeted
country in August with 50% of the total
phishing volume, followed by the UK,
Germany and India which collectively
accounted for approximately 30% of
phishing volume.
UKGermanyChinaCanadaSouth KoreaAustraliaa
United Kingdom 12%
U.S. 50%
Netherlands 3%
South Africa 3%
India 5%
Germany 11%
43 Other Countries 16%
BrasilIndiaNetherlandsCanadaItalyChinaS AfricaUS
Top Countries by Attacked Brands
In August, 26% of phishing attacks were
targeted at brands in the U.S., followed
by the UK, Australia and India.
Top Hosting Countries
Four out of every ten phishing attacks were
hosted in the U.S. in August. Canada, the
Netherlands and the UK collectively hosted
25% of phishing attacks.
U.S. 40%
61 Other Countries 29%
Canada 14%
Germany 4%
Colombia 3%
United Kingdom 5%
Netherlands 5%
BrasilIndiaNetherlandsCanadaItalyChinaS AfricaUSa
United Kingdom 11%
44 Other Countries 47%
U.S. 26%
Canada 4%
Australia 5%
India 7%