Laser Precision Phishing — Are You on the Bouncer’s List Today?

By Limor S Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

As we close out 2012, it’s safe to say that phishing has had yet another record year in attack volumes. The total number of phishing attacks launched in 2012 was 59% higher than the total calculated for 2011, up from 279,580 attacks to 445,004, costing the global economy over $1.5 billion dollars in fraud damages. According to RSA research, this amount is 22% higher than the losses recorded in 2011, part of the growing worldwide monetary losses associated with phishing attacks.

Beyond rising attack numbers and the money they harvest, phishing kits are increasingly advancing on the technical level, written by malware authors and black hats. 2012 saw the popular use of kit plugins doing real-time credential validation; or reporting via web analytics tools the success of attack campaigns. And now we’re seeing the more unusual breeds: bouncer list phishing. It holds this moniker because much like many high-profile nighttime hotspots – if your name is not on the list, you’re staying out!

The bouncer phishing kit targets a preset email list for each campaign.  A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack.  Here’s the interesting part – much like a night club’s bouncer list – any outsider attempting to access the phishing page is redirected to a “404 page not found” error message. Unlike the usual IP-restricted entry that many older kits used, this is a true—depending on how you look at it—black hat whitelist.

When victims access the phishing link, their name has to be on the list and their “ID” value is verified on-the-fly as soon as they attempt to browse to the URL.  After a scan of the “bouncer list”, unintended visitors are stirred away from the phishing page; in fact, the page is not even generated for eyes it was not meant for.

As for validated users (the less fortunate that are let in), the kit immediately generates an attack page, creating it on the very same hijacked website. The kit’s code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials.

After the kit collects victim credentials it sends them to yet another hijacked website (taken over using the exact same method of vulnerability exploit and web-shell), where the password-protected attack page lies in wait to steal user credentials.

Another thing that makes this different is that traditional phishers like to cast as wide of a net as possible, but with this tactic the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes. Keeping out uninvited guests also means avoiding security companies and prompt take-downs of such attacks.

Each campaign targeted an average number of 3,000 recipients with lists composed in alphabetical order, typically one letter at a time (separate lists for emails that begin with “a”, “b” etc). The targeted were a mixed bag of webmail users, corporate addresses, and even some bank employees – which indicates that it was likely an aggregation of a few spam lists or data breach collections. Needless to say, these kits, used to target corporate email recipients, can easily be used as part of spear phishing campaigns to gain a foothold for a looming APT-style attack.

The peculiar approach is likely the work of a gang or a fraud service vendor supplying credentials to specific geographical regions and targets.

Modern-day phishing kits are written with increasing complexity and sophistication, authored by programmers who adapt the kits to the phisher’s needs. This new bouncer-list function is a perfect example of this trend. A couple of other popular kit components implemented in this case were:

  • Preying on WordPress plugin zero-day vulnerabilities to compromise and hijack websites
  • Uploading a web-shell to hijacked sites, taking over and exploiting them as resources

So, what can be done against this type of kit? Like the very large majority of phishing kits today, the websites are being hijacked because of vulnerable plugins used in many Opensource CMS-based sites and blog-type pages. Unfortunately, it is entirely up to the webmasters to become more aware of security and ensure that their websites don’t get exploited, thereby becoming part of this detrimental phenomenon.

With phishing attacks popping up like mushrooms and then quickly taken down, arriving at a 404 page for a reported phish could present a detection challenge for the industry. As we adapt and improve our detection systems, we are reminded that in the never-ending cat-and-mouse game, only the nimble will survive.


Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.

No Comments