The RSA Anti-Fraud Command Center (AFCC) is a 24x7 war-room that detects, monitors, tracks and shuts down phishing, pharming and Trojan attacks against more than 200 institutions worldwide. The AFCC has shut down over 42,000 phishing attacks and is a key industry source for information on phishing and emerging online threats.
The following statistics have been gathered from the AFCC’s phishing repository. Each statistic includes a short analysis of the trends shown in the graphs based on the expertise of the fraud analysts in the command center.
Increase in the Number of Free Man-in-the-Middle Phishing Kits Available in the Fraudster Underground
Phishing kits, both “regular” and of the Man-in-the-Middle (MITM) variety, are a well-known commodity in the online fraudster forums. Creators of phishing kits sell them online to the phishers themselves, who in turn use them to launch attacks against financial institutions. It is also very common to see phishing kits offered at no charge in the forums or on separate dedicated web sites.
Kits which are available for free in the underground can usually be found in online repositories – sites dedicated to offering several kits that attack multiple targets, typically created by the same fraudster. Links to these repositories are usually provided by the author in IRC chat rooms and online fraudster forums. Most of these kits include what fraudsters call a "backdoor" – a string of code embedded into the kit which sends the phishing “results” (i.e. the stolen credentials) not only to the user of the kit, but also to the creator of the kit. This is the main reason why the creators of kits offer them for free and with such enthusiasm.
Web sites that offer free phishing kits are not a novelty in the underground. They have been around for some time. However, recently RSA traced an interesting development in this area: The RSA FraudAction Intelligence team has noticed a rise in the number of repositories dedicated to providing free MITM kits. Looking at the kits themselves, RSA recently traced kits which target more than 10 of the world’s leading financial institutions.
Implications of the Trend
MITM kits are now becoming more publicly available at no cost, which makes them a commodity easily obtained by any fraudster, beginner or expert. Fraudsters can now access these repository sites, download a MITM kit, and launch an attack. Public availability of such kits may lead to an increase in the number of MITM phishing attacks.
The fact that these MITM kits are offered for free indicates that MITM attacks are now a common practice among fraudsters, and not something unusual (as was the case 6-12 months ago). This is no great surprise, as it was expected that the more obstacles fraudsters face, such as strong authentication for online banking, the more they will be forced to innovate and pursue alternative methods. The growing adoption rate of MITM attacks is just one of the advances in phishing methods and online threats that RSA has seen in the past year. The increase in MITM kits correlates with the increase in the discussions that the RSA FraudAction Intelligence team has monitored in the fraudster forums regarding MITM attacks – otherwise known as "curl attacks" in fraudster terminology.
Mitigation of Such Attacks
The RSA 24x7 Anti-Fraud Command Center handles MITM attacks in a similar fashion to the way it deals with “standard” phishing attacks – relying on a broad monitoring and detection network, its exclusive blocking network, as well as its experience in site shutdown. And, uniquely, RSA can further identify, analyze and mitigate this specific type of attack via the RSA eFraudNetwork, the company’s cross-institution anti-fraud network, by leveraging sophisticated analytics in the RSA Risk Engine to further protect customers that are connected to the network.
Christopher Young, Vice President, Consumer and Access Solutions Group at RSA, recently commented on MITM attacks:
“As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets. While these types of attacks are still considered ‘next generation’, we expect them to become more widespread over the course of the next 12-18 months.” Young added: “We are working with many organizations to ensure they are positioned to withstand whatever threats fraudsters may create. Some of these organizations have already deployed various layers of protection and others are in the process of strengthening their security.”
1. Breakdown of Global Banking Brands Attacked by Phishing

Trend Analysis
The share of U.S. brands continues to be very dominant, but decreased a little to 63% of all entities being phished. It is the 6th consecutive month in which UK institutions are in the #2 spot, with 12% of the phished entities. Generally, the top 5 positions in the list remained unchanged. Australia, New Zealand and Colombia are new to the list. South Africa, which joined the list in May, still appears in the lower part of the list.
2. Number of Brands Attacked Per Month

Trend Analysis
The number of institutions coming under attack increased again this month. In terms of targeted institutions, July 2007 is the 3rd highest month in the past year. The RSA Anti-Fraud Command Center identified attacks against 15 institutions that it had not seen attacked before.
3. Segmentation of US Banking Brands Attacked by Phishing

Trend Analysis
The percentage of attacked U.S. nationwide banks was much higher in July compared to June. During 2007, this parameter has been relatively unstable. The U.S. nationwide banks portion now forms 28% of financial institutions targeted. The regional banks segment was the other sector that changed, dropping to 33% of the attacked institutions compared to 42% in June. The FCU sector remained unchanged and forms 39% of the attacked institutions.
4. Top Hosting Countries

Trend Analysis
The percentage of attacks hosted in the U.S. continued to rise during July, reaching 66% of attacks in the top-10 hosting countries. Hong Kong occupies the 2nd position for the second consecutive month, and also held this position in April. France, Germany, Canada, the UK and South Korea hosted attacks at a similar proportion to last month. The most interesting new entry to the list is Sao Tome and Principe. This tiny West African island hosted several Rock Phish attacks and therefore made the list in July.