“Plug-and-Play” Phishing Kit
In early June, the RSA Anti Fraud Command Center (AFCC) discovered a new type of phishing kit. The kit is actually a single file which creates an entire phishing site on a compromised server when “double-clicked” on, similar to “.exe” installation files. The kit was discovered through phishing forensics work by the AFCC forensics lab.
Traditional phishing sites usually include various files which are installed on a compromised server where the attack is hosted. Typical files are PHP code files, HTML pages, images of the bank logo and cards, and so on. The files must be installed, one by one in the appropriate directories, on the server which is controlled by the phisher. The process is rather simple and not very time consuming; however, it does mean that the phisher has to access the compromised server several times and install the files manually.
The new “plug-and-play” phishing kit recently uncovered by RSA reduces the time and effort required of the fraudster by automating the site installation process. The “kit” is a single PHP code file, which is run on the compromised server once, and automatically creates the relevant directories and installs all of the files which are associated with the specific phishing site. Within seconds after running the file, a complete phishing site is “live”. During testing of the kit in the RSA phishing lab, a phishing site was installed within approximately two seconds.
Specifically, the kit contained a number of PHP and HTML files, which the AFCC has since traced in several phishing attacks, all targeting the same financial institution. The AFCC has already shut down the attacks as well as an e-mail address of the phisher which was discovered within the PHP code.
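For the owner of a web server, the install behaviour described above leaves a recognisable footprint: a group of PHP and HTML files, often in new directories, all written within a couple of seconds. The following is an added example, not RSA's tooling or code from the kit; the two-second window, the five-file minimum and every path in the sample are assumptions, and the sample data is constructed.

```python
import os

def collect_mtimes(webroot):
    """Return (path, mtime) for every file under a web root."""
    entries = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                entries.append((path, os.lstat(path).st_mtime))
            except OSError:
                continue  # file vanished or is unreadable
    return entries

def find_install_bursts(entries, window=2.0, min_files=5):
    """Cluster files written within `window` seconds of the first file in
    the cluster; keep clusters that mix PHP and HTML like a site install."""
    clusters, current = [], []
    for path, mtime in sorted(entries, key=lambda e: e[1]):
        if current and mtime - current[0][1] > window:
            clusters.append(current)
            current = []
        current.append((path, mtime))
    if current:
        clusters.append(current)

    findings = []
    for cluster in clusters:
        paths = [p for p, _ in cluster]
        exts = {os.path.splitext(p)[1].lower() for p in paths}
        if len(paths) >= min_files and ".php" in exts and exts & {".html", ".htm"}:
            findings.append({"start": cluster[0][1], "files": paths,
                             "dirs": sorted({os.path.dirname(p) for p in paths})})
    return findings

# Constructed sample: three long-lived site files, then six files that
# appear under a new directory tree inside 1.5 seconds.
NEW = "/var/www/img/.t/secure"
SAMPLE = [
    ("/var/www/index.html", 1170000000.0),
    ("/var/www/about.html", 1175000000.0),
    ("/var/www/contact.php", 1180000000.0),
    (NEW + "/index.html", 1183000000.0),
    (NEW + "/login.php", 1183000000.3),
    (NEW + "/verify.html", 1183000000.6),
    (NEW + "/images/logo.gif", 1183000000.9),
    (NEW + "/images/cards.jpg", 1183000001.2),
    (NEW + "/done.php", 1183000001.5),
]
```

Legitimate deployments and CMS updates also write many files at once, so findings from `find_install_bursts(collect_mtimes(webroot))` should be compared against known change windows before they are treated as a compromise.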
Potential for further automation of phishing attacks
By completely automating the process of phishing site installation, the “plug-and-play” phishing kit is yet another development in online fraud. RSA estimates that by using such kits, fraudsters will be able to further automate the process of hijacking servers and creating new phishing sites. Moreover, phishers who use the kit need only access the compromised server once, which decreases the risk of being identified by PC and network security systems.
In addition, there are several methods that exist today that enable online attackers to automatically search for vulnerable servers and upload files to them without actually hacking into the server. RSA estimates that the potential combination of these methods - tracing and compromising vulnerable servers, along with plug-and-play phishing kits - would significantly decrease the workload involved in creating and launching new attacks.
Mitigation of such attacks
The convenience of creating phishing attacks with the “plug-and-play” phishing kit has no impact on how these attacks are detected and mitigated. Once the attack is live and phishing emails are sent, the detection and shut-down efforts are exactly the same as in any other phishing attack. As noted above, RSA’s AFCC has shut down several instances of attacks built using the “plug-and-play” phishing kit utilizing the same effective shut-down process used for traditional phishing attacks.
1. Breakdown of Global Banking Brands Attacked by Phishing

Trend Analysis
The share of U.S. brands continues to be very dominant, making up 70% of all entities being phished. It is the 5th consecutive month in which UK institutions are in the #2 spot, with 9% of the phished entities. Generally, the top-6 positions in the list remained unchanged. Peru, the Netherlands and South Africa, which joined the list in May, still constitute the bottom part of the list.
2. Number of Brands Attacked Per Month

Trend Analysis
Contrary to the trend in April and May, the number of institutions coming under attack increased this month. In terms of targeted institutions, June 2007 is the 4th highest month in the past year. The RSA Anti Fraud Command Center identified attacks against 36 entities that it had not seen attacked before.
3. Segmentation of US Banking Brands Attacked by Phishing

Trend Analysis
After a temporary change in May, the percentage of attacked U.S. nationwide banks is back to its level from March and April 2007. The U.S. nationwide banks sector now forms 19% of financial institutions targeted. The FCU sector forms 39% of the attacked institutions, compared to 28% in April. The regional banks segment seems to have taken the load off of the nationwide banks, rising from 28% of the attacked institutions to 42%.
4. Top Hosting Countries

Trend Analysis
After the decrease we saw in March and April, the percentage of attacks hosted in the U.S. increased during May and slightly in June, with 59% of attacks in the top-10 hosting countries. This cannot be attributed to the activity of the Rock Phish group, since the group hosts most of its attacks outside of the U.S. China, which was in 2nd place in May with 13%, is not even in the list in June. Hong Kong, which was ranked 5th, is back in the 2nd position, the same position it occupied in April. The "core" countries such as Germany, the UK and Russia are still in the list, while Taiwan and Canada are newcomers.
