Defending a Decade of Phishing and Cybercrime

With holiday shopping season in full swing, many of us are feeling just like the guy in the song, “The 12 Pains of Christmas.”  I have my own two personal pains with the holidays, and I am still deciding which one is more annoying: Elf on the Shelf, or, the mountain of phishing emails I have received since Black Friday.

Our Elf on the Shelf still hasn’t made his way out of a box, after packing him away before my family recently moved – so he has not had the chance to irritate me, yet.  However, countless phishers have already found their way into my personal inbox with promises of gift cards, cash, and expensive electronics. As it stands, I guess the phishers are winning in the “most annoying holiday pain” category.

The timing is ironic as RSA’s Anti-Fraud Command Center is celebrating a decade of operations.  The accomplishments of this team are plentiful, including over one million attacks shut down, identification of a new phishing attack every 30 seconds, and access to 97% of malicious sites blocked in less than 30 minutes.

To celebrate this milestone, our forensic analysts took a look back at some of the memorable phishing campaigns we have investigated, and assessed the techniques of more recent schemes.

The Set-Up

There is nothing complicated about setting up a phishing campaign these days. All you need is a domain, IP address, etc., as well as a software “front-end” and “back-end” HTML. Simple phishing sites are generally simple copies of legitimate customer login pages (front-end), where the action script (that handles the submitted information) is different from the legitimate one.

In the real world, phishing sites are commonly distributed in underground forums as “kits” packaged as archive files (ZIP, RAR) that contain all the resources needed to deploy a working phishing site. Fraudsters simply configure their drop emails in the relevant files of the kit. And, in a tacit, albeit indirect nod to “pyramid-like” Multi-Level Marketing (MLM) schemes, many of these kits contain hidden or obfuscated code that forwards the stolen data back to the kit’s author as well as to the end-user fraudster. So, for example, if 100 fraudsters use these ‘infected’ kits distributed by single kit author, he stands to harvest all the data stolen by 100 fraudsters, avoiding all the hard work of deploying the kit online 100 times himself.

From there, fraudsters commonly deploy these kits using a hacked website or by buying a site/domain. In the case of the former option, a fraudster either hacks it himself or buys it in underground forums/shops selling compromised sites. There, a vendor of that site provides the fraudster with a link to a ‘backdoor’ script that allows them to control and manage the site, uploading and deploying the phishing kit resource. In the case of the latter, when a fraudster has the phishing URL already deployed as a kit on a hijacked website, he distributes the phishing URLs via email messages or more recently, distributing them via social media platforms such as Facebook and Twitter.

The Score

While there is no formal “Hall of Fame” for fraudsters exploiting phishing campaigns to make money, the following details reflect select phishing schemes and techniques that have had lasting power over the past ten years:

The Tax Refund Ploy and Multi-branded Phishing

Phishers love to bait victims with a supposed tax refund notification via email — pretending to come from an official government revenue service (such as the IRS in USA, RBI in India, or HMRC in the UK). When victims follow the link, they see a phishing website that has the same look and feel of the legitimate revenue service site of their country with a list of all the banks in that region. The victim is prompted to select their bank and enter personal information to receive a refund. This ploy enables fraudsters to steal data from customers at several banks at once and increase their fraud coverage.

Bulk Phishing Campaigns

Another popular trend is performing phishing campaigns in bulk form. This means that rather than deploying a single phishing website that is eventually sent to victims, fraudsters deploy them in bulk, and distribute URLs randomly among phishing emails. This tactic increases the phishing site’s lifespan and makes the detection and shutdown process a bit harder. Detecting one or two of these URLs and shutting them down can still leave other URLs online.

Phishing with MITM Capabilities

Phishing schemes with Man-In-The-Middle (MitM) capabilities are more sophisticated than most, and provide fraudsters with more accurate harvested credentials. Phishing MITM means that while the victim is interacting with a phishing site, behind the scenes and not visible to the victim, the phishing site communicates with and performs actions on the legitimate site. Ultimately, MITM phishing can both steal valid credentials or, in a worst case scenario, funds are transferred out almost instantly.

Random Folder Generators

Some of the newer phishing kits generate a new randomized phishing URI for each new victim accessing the primary phishing link. The victims receive a link (by email or another distribution method) the redirects them to a folder-generating script. Once the victim accesses the link, a fresh (URI) folder is generated on the fly, resulting in a ‘personal’ phishing site dedicated to this instance and this victim.

A Decade of Evolution

When I took a look back at our phishing detection rates when we first started formally tracking numbers back in 2007, it was appalling to see how much phishing has actually grown.  While we tend to believe that the cybercrime landscape is only left to the most sophisticated of attacks, quite the opposite is true.  For example, in Q3 2007, RSA identified 26,480 phishing attacks.  Fast forward nearly a decade, and in Q3 2016, we detected 201,802 attacks –  which translates to a 660% increase!  That’s just one quarter to quarter comparison, but if I expanded the data set to include year over year comparisons, the number would likely be even higher.

While this large increase can certainly be attributed to over a decade worth of experience, expansive global detection partners, and enhanced automation of our anti-fraud operations, it would be unfair if RSA took all the credit.  Cybercriminals are still in the game, as evident in the sheer volume of phishing attacks we still see today.  If this were not the case, the industry would have eradicated this attack vector a long time ago.

To take a historical look at phishing, malware and other cyber threats over the past decade, I encourage you to download our free white paper or view our fraud timeline video.  How much has cybercrime evolved in the last decade?  You be the judge.

Leave a Reply

Your email address will not be published. Required fields are marked *

No Comments