RSA Monthly Online Fraud Report - March 2013
The RSA monthly fraud report discusses the value of an email address to a cybercriminal and how email account takeovers can lead to identity theft.
FRAUD REPORT
EMAIL ACCOUNT TAKEOVER TO IDENTITY TAKEOVER
March 2013
Phishing attacks are notorious for their potential harm to online banking and credit card
users who may fall prey to phishers looking to steal information from them. Compromised
credentials are then typically sold in the underground or used for actual fraud attempts
on that user’s bank/card account. Financial institutions have all too often been the most
targeted vertical with phishers setting their sights on monetary gain, followed by online
retailers and social networks.
Most understand the purpose of targeting financial institutions, but online retailers and
social networking sites? Why would a fraudster target them? In most cases, they use an
email address to authenticate their users’ identities, and they are not the only ones. Of
course the user is made to choose a password when opening any new online account,
but as research reveals, password reuse across multiple sites is a huge issue. A typical
user reuses the same password an average of six times, or the same password to access
six different accounts.
Phishing, Trojans And Email Access
Phishing campaigns have already been targeting webmail users for years now with
campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the
shape of OWA (Outlook Web Access) for business users.
Trojan operators followed suit and have not remained oblivious to the potential that lies
in gaining control over victim identities through their email accounts. In fact, almost all
Trojan configuration files contain triggers for webmail providers as well as for social
networking sites, designed to gain access to those accounts and collect more information
about potential victims in order to take over their online identities.
Since email accounts are an integral part of user identities online, they have also become
the pivotal access point for many types of accounts. When it comes to online retailers and
merchants, the email address is most often the username in the provider’s systems or
databases. When it comes to bank accounts, the customer’s email is where communications
and alerts are sent, and it sometimes even serves as part of transaction verification.
Beyond the fact that email is part of customer identification and point of communication,
the compromise of that account by a cybercriminal can have more detrimental effects.
Email takeover may mean that a hostile third party will attempt, and sometimes succeed,
to reset the user’s account information and password for more than one web resource,
eventually gaining access to enough personal information to enable complete
impersonation of the victim.
Although some webmail providers use two-factor authentication for account password
resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it
simpler for criminals to access and sometimes attempt to reset access to accounts.
Fraudsters will typically probe the account for more information and sometimes lock it
(by changing the password) in order to prevent the genuine user from reading alerts
after a fraudulent transaction was processed on one of their accounts.
Email Access = Money?
Since email is a convenient way for service providers to communicate with untold
numbers of customers, online merchants will, in the name of ease of use, reset account
credentials via email. Hence, if a cybercriminal is in control of the email account, they will
also gain control over the user’s account with that merchant.
[Figure: Spear Phishing. OWA phishing page designed to steal access credentials from business email users]
From there, the road to e-commerce fraud shortens considerably, either using that
person’s financial information, or attaching a compromised credit card to that account
without ever having to log into their bank account in order to access their money, and in
that sense, email access equals money.
Another example is transportation companies, which are part of any online purchase and
which provide shipping services to companies as well as governmental offices. They also
use email addresses as their users’ login identifiers and will reset the account via email.
A takeover of a user’s email account in this scenario will also mean takeover of that
person’s/business’ service account with the transport provider. For fraudsters, this type
of access translates into purchasing labels for their reshipping mules, charging
shipments to accounts that don’t belong to them, and providing an easier route to
reship stolen goods and even reroute existing orders.
Email Account Takeover And Online Banking
Email account takeover may appear benign at first sight, but in fact it is an insidious
threat to online banking users. The first issue with email account takeover (whether through
credential theft or a password reset) is that users reuse passwords. When fraudsters
steal a set of credentials, they will likely be able to use it to access additional accounts,
sometimes even an online banking account.
The second issue is that fraudsters will use victim email access for reconnaissance with
that person’s choice of financial services providers, bank account types, card statements
(paperless reports delivered via email), recent online purchases, alert types received from
the bank, contact lists (often including work-related addresses), social networking profile
and more.
How Risky Is Email Account Takeover?
Email account takeover can be a route to identity theft that requires access only to what is
perhaps the least secure part of the online identity used by financial and other
organizations, and it is perhaps one of the least evident elements that can facilitate
online fraud scenarios.
Email addresses can serve as a “glue” that binds many parts of a person’s online identity,
connecting a number of different accounts that interlink. A typical online banking
customer may use a Gmail address with their bank account, use that same address for a
PayPal account, shop on eBay using that address, and receive their card statements at
that address from their card issuer. All too often, that address is also their Facebook
access email, where they have saved their phone number, stated where they work and
for how long, and mentioned a few hobbies.
CONCLUSION
Account hacks of this type happen all the time, and often make the headlines in the
media. In some cases, there are a few hundred potential victims while in others, there are
millions. The value of an email address to a cybercriminal should not be underestimated.
This element of an online identity must be treated with added caution by all service
providers that cater to consumers.
The line between ease of access and user experience always passes very close to security
red lines, but sometimes very slight changes in the weight a customer’s email account
carries in overall account access can turn a fraud attempt into a failed fraud attempt.
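One concrete form of the "slight modification" the conclusion calls for is to stop treating a mailbox as sufficient proof of identity for sensitive changes. The following is an added example, not code from the report or from RSA: it scans a constructed event log of a merchant or shipping-provider account and flags the chain described above (email-driven password reset, then a new payment method, address change, label purchase or order reroute) whenever no factor beyond the email account was checked. The action names, the 24-hour window and the sample accounts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions the report describes fraudsters taking right after an email-driven
# reset: attaching a card, changing where goods ship, buying shipping labels,
# rerouting existing orders. Names are assumed, not a real vendor's schema.
SENSITIVE_ACTIONS = {"add_payment_method", "change_shipping_address",
                     "purchase_label", "reroute_order"}
WINDOW = timedelta(hours=24)  # assumed review window, not from the report


@dataclass
class Event:
    account: str            # login identifier; here the email address
    ts: datetime
    action: str
    verified: bool = False  # True if a factor other than the mailbox was checked


def flag_reset_chains(events, window=WINDOW):
    """Return (account, reset_ts, action, action_ts) for each sensitive action
    that follows an email-based password reset within `window` and was not
    confirmed by anything stronger than control of the mailbox."""
    findings = []
    by_account = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(ev.account, []).append(ev)
    for account, evs in by_account.items():
        last_reset = None
        for ev in evs:
            if ev.action == "password_reset_via_email":
                last_reset = ev.ts
            elif (ev.action in SENSITIVE_ACTIONS and last_reset is not None
                  and ev.ts - last_reset <= window and not ev.verified):
                findings.append((account, last_reset, ev.action, ev.ts))
    return findings


# Constructed sample events (not data from the report).
T0 = datetime(2013, 2, 10, 9, 0)
SAMPLE = [
    Event("alice@example.com", T0, "login"),
    Event("alice@example.com", T0 + timedelta(minutes=5), "password_reset_via_email"),
    Event("alice@example.com", T0 + timedelta(minutes=20), "add_payment_method"),
    Event("alice@example.com", T0 + timedelta(minutes=30), "change_shipping_address"),
    Event("bob@example.com", T0, "password_reset_via_email"),
    Event("bob@example.com", T0 + timedelta(hours=2), "purchase_label", verified=True),
    Event("carol@example.com", T0, "password_reset_via_email"),
    Event("carol@example.com", T0 + timedelta(days=3), "reroute_order"),
]

if __name__ == "__main__":
    for finding in flag_reset_chains(SAMPLE):
        print(finding)
```

Only the alice account is flagged: bob's label purchase was confirmed with a second factor and carol's reroute falls outside the window.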
Phishing Attacks per Month
In February, RSA identified 27,463
phishing attacks launched worldwide,
marking a 9% decrease from January.
The overall trend in attack numbers when
looking at it from an annual view shows
slightly lower attack volumes through the
first quarter of the year.
Number of Brands Attacked
In February, 257 brands were targeted in
phishing attacks, marking a 12% decrease
from January. Of the 257 targeted brands,
48% endured five attacks or less.
[Chart: Phishing Attacks per Month, February 2012 through February 2013. Source: RSA Anti-Fraud Command Center]
[Chart: Number of Brands Attacked per Month, February 2012 through February 2013. Source: RSA Anti-Fraud Command Center]
Top Countries by Attack Volume
The U.S. remained the country that
suffered a majority of attack volume in
February, absorbing 54% of the total
phishing volume. The UK, Canada, India,
and South Africa collectively absorbed
about one-quarter of total phishing
volume in February.
[Chart: Top Countries by Attack Volume, February 2013]
U.S. 54%
United Kingdom 14%
Canada 5%
India 4%
South Africa 3%
41 Other Countries 20%
US Bank Types Attacked
U.S. nationwide bank brands were the prime
target for phishing campaigns – with 69% of
total phishing attacks – while regional banks
saw an 8% increase in phishing attacks in
February.
[Chart: US Bank Types Attacked, monthly share of phishing attacks by bank type, February 2012 through February 2013. Source: RSA Anti-Fraud Command Center]
Top Countries by Attacked Brands
In February, U.S. brands were targeted by
30% of phishing volume – continuing to
remain the top country by attacked brands.
Brands in Brazil, Italy, India, Australia,
China and Canada were each respectively
targeted by 4% of phishing volume.
Top Hosting Countries
In February, the U.S. hosted 44% of global
phishing attacks (down 8%), while the UK
and Germany each hosted 5% of attacks.
Other top hosting countries in February
included Canada, Russia, Brazil and Chile.
[Chart: Top Hosting Countries, February 2013]
U.S. 44%
United Kingdom 5%
Germany 5%
Canada 4%
Chile 3%
Russia 3%
Brazil 3%
54 Other Countries 33%
[Chart: Top Countries by Attacked Brands, February 2013]
U.S. 30%
United Kingdom 10%
Brazil 4%
Canada 4%
China 4%
Australia 4%
Italy 3%
India 3%
38 Other Countries 37%
©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. MAR RPT 0313