Fraud Report: RSA Monthly Online Fraud Report - March 2013

The RSA monthly fraud report discusses the value of an email address to a cybercriminal and how email account takeovers can lead to identity theft.


Page 1: Fraud Report: RSA Monthly Online Fraud Report - March 2013

FRAUD REPORT

EMAIL ACCOUNT TAKEOVER TO IDENTITY TAKEOVER

March 2013

Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user's bank/card account. Financial institutions have all too often been the most targeted vertical, with phishers setting their sights on monetary gain, followed by online retailers and social networks.

Most understand why financial institutions are targeted, but online retailers and social networking sites? Why would a fraudster target them? In most cases, they use an email address as the identifier with which users log in, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue: a typical user reuses the same password an average of six times, that is, uses one password to access six different accounts.

Phishing, Trojans And Email Access

Phishing campaigns have been targeting webmail users for years, with campaigns purporting to come from Hotmail, Yahoo! and Gmail and, in the spear-phishing variant aimed at business users, imitating OWA (Outlook Web Access) login pages.

Trojan operators followed suit and have not remained oblivious to the potential that lies in gaining control over victim identities through their email accounts. In fact, almost all Trojan configuration files contain triggers for webmail providers as well as social networking sites, so that the Trojan fires when the infected user visits those sites. This is designed to get access to the account in order to gain more information about potential victims and take over their online identities.


Since email accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. With online retailers and merchants, the email address is most often the username in the provider's systems or databases. With bank accounts, the customer's email is where communications and alerts are sent, and it sometimes even serves as part of transaction verification.

Beyond the fact that email is part of customer identification and the point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. Email takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user's account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim.

Although some webmail providers offer two-factor authentication that also covers account password resets (Google's Authenticator app for Gmail, for example), most don't, thereby inadvertently making it simpler for criminals to get into the mailbox and, from there, attempt to reset access to other accounts. Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts.

Email Access = Money?

Since email is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via email. Hence, if a cybercriminal is in control of the email account, they will also gain control over the user's account with that merchant. From there, the road to e-commerce fraud shortens considerably, either using that person's financial information, or attaching a compromised credit card to that account without ever having to log into their bank account in order to access their money. In that sense, email access equals money.

[Figure: Spear phishing. OWA phishing page designed to steal access credentials from business email users]
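The reset flow described above, turned into an added example that is not part of the RSA report: the email-only reset the report criticises is modelled next to a hardened reset that demands a factor the mailbox does not give, and both are run against an attacker who controls the victim's mailbox and nothing else, then tries the reset-then-attach-a-card chain. The account names, the 30-minute link lifetime, the 24-hour restriction window and the `stolen-card-1` placeholder are hypothetical.

```python
"""Email-only password reset beside a hardened reset flow.

Added example; not code from the RSA report. It models the merchant design
the report criticises (credentials reset through a link mailed to the
account's email address, then a payment card attached to the account) next
to a hardened design, and runs both against an attacker who controls the
victim's mailbox and nothing else. Names, accounts and policy windows are
hypothetical.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

TOTP, SMS = "totp", "sms"        # labels for second factors an account may enrol
TOKEN_TTL = 30 * 60              # a reset link is valid for 30 minutes (hypothetical)
RESTRICTION = 24 * 3600          # after a reset with no second factor, hold risky
                                 # actions for 24 hours (hypothetical)


class Clock:
    """Injected clock so the scenarios are deterministic."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Account:
    email: str                                   # doubles as the username
    second_factors: set                          # e.g. {TOTP}; empty if none enrolled
    password: str = "original"
    cards: list = field(default_factory=list)
    mailbox: list = field(default_factory=list)  # everything the mailbox holder can read
    restricted_until: float = 0.0


@dataclass
class ResetToken:
    digest: str          # sha256 of the secret; only the digest is kept server-side
    email: str
    issued_at: float
    used: bool = False


def _digest(secret):
    return hashlib.sha256(secret.encode()).hexdigest()


class ResetService:
    """hardened=False reproduces the email-only flow; hardened=True adds the checks."""

    def __init__(self, hardened, clock):
        self.hardened = hardened
        self.clock = clock
        self.tokens = {}

    def request_reset(self, acct):
        secret = secrets.token_urlsafe(32)
        d = _digest(secret)
        self.tokens[d] = ResetToken(d, acct.email, self.clock())
        acct.mailbox.append(("reset-link", secret))   # delivered to the mailbox
        return secret

    def complete_reset(self, acct, secret, proven_factors, new_password):
        """Return True if the password was changed, False if the reset was refused."""
        tok = self.tokens.get(_digest(secret))
        if tok is None or tok.used or tok.email != acct.email:
            return False
        if self.clock() - tok.issued_at > TOKEN_TTL:
            return False
        if self.hardened:
            if acct.second_factors:
                # the mailbox alone must not be enough: a factor the attacker does
                # not hold has to be proven in the same session
                if not acct.second_factors & set(proven_factors):
                    return False
            else:
                # nothing else enrolled: let the reset through, but hold the actions
                # that turn email access into money until the owner can react
                acct.restricted_until = self.clock() + RESTRICTION
        tok.used = True
        acct.password = new_password
        return True

    def add_payment_card(self, acct, card):
        """Return True if the card was attached to the account."""
        if self.hardened and self.clock() < acct.restricted_until:
            return False
        acct.cards.append(card)
        return True


def attacker_with_mailbox(hardened, enrolled):
    """Attacker who can read the victim's mailbox tries reset-then-attach-card.

    Returns (password_reset, card_attached).
    """
    clock = Clock()
    svc = ResetService(hardened, clock)
    victim = Account("victim@example.com", set(enrolled))   # constructed sample account
    svc.request_reset(victim)                                # attacker requests the reset
    _, secret = victim.mailbox[-1]                           # ...and reads the link
    reset_ok = svc.complete_reset(victim, secret, set(), "attacker-chosen")
    card_ok = reset_ok and svc.add_payment_card(victim, "stolen-card-1")
    return reset_ok, card_ok


if __name__ == "__main__":
    for hardened in (False, True):
        for enrolled in ((), (TOTP,)):
            print(f"hardened={hardened} enrolled={sorted(enrolled)}:",
                  attacker_with_mailbox(hardened, enrolled))
```

Running the block prints the four outcomes. The one worth noticing is the second: on the email-only design an enrolled authenticator changes nothing, because the reset path never asks for it. The restriction window in the no-second-factor case does not stop a patient attacker; it buys the owner time only if the reset notification also reaches a channel the attacker does not hold, since the report notes that fraudsters lock the mailbox precisely to suppress alerts.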

Another example is transportation companies, which are part of any online purchase and provide shipping services to businesses as well as governmental offices. They also use email addresses as their users' login identifiers and will reset the account via email. A takeover of a user's email account in this scenario will also mean takeover of that person's or business's service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don't belong to them, and an easier route to reship stolen goods and even reroute existing orders.

Email Account Takeover And Online Banking

Email account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with email account takeover (whether by credential theft or a password reset) is that users reuse passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account.

The second issue is that fraudsters will use victim email access for reconnaissance: that person's choice of financial services providers, bank account types, card statements (paperless reports delivered via email), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more.

How Risky Is Email Account Takeover?

Email account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations, and it is perhaps one of the least evident elements that can become a facilitator of online fraud scenarios.

Email addresses can serve as a "glue" that binds many parts of a person's online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on eBay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook login email, where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies.

CONCLUSION

Account hacks of this type happen all the time, and often make the headlines in the media. In some cases there are a few hundred potential victims, while in others there are millions. The value of an email address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers.

The trade-off between ease of access and user experience on one side and security on the other always runs very close to the security redlines, but sometimes very slight modifications in the weight that customer email accounts carry in overall account access can turn a fraud attempt into a failed fraud attempt.


Phishing Attacks per Month

In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers, viewed over the year, shows slightly lower attack volumes through the first quarter of the year.

Phishing attacks per month, Feb 2012 to Feb 2013 (Source: RSA Anti-Fraud Command Center)

Month    Attacks
Feb 12   21,030
Mar 12   19,141
Apr 12   35,558
May 12   37,878
Jun 12   51,906
Jul 12   59,406
Aug 12   49,488
Sep 12   35,440
Oct 12   33,768
Nov 12   41,834
Dec 12   29,581
Jan 13   30,151
Feb 13   27,463

Number of Brands Attacked

In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or fewer.

Brands attacked per month, Feb 2012 to Feb 2013 (Source: RSA Anti-Fraud Command Center)

Month    Brands
Feb 12   281
Mar 12   303
Apr 12   288
May 12   298
Jun 12   259
Jul 12   242
Aug 12   290
Sep 12   314
Oct 12   269
Nov 12   284
Dec 12   257
Jan 13   291
Feb 13   257


Top Countries by Attack Volume

The U.S. remained the country that suffered the majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February.

Share of phishing volume by targeted country, February 2013: U.S. 54%, United Kingdom 14%, Canada 5%, India 4%, South Africa 3%, 41 other countries 20%.

US Bank Types Attacked

U.S. nationwide bank brands were the prime target for phishing campaigns, with 69% of total phishing attacks, while regional banks saw an 8-point increase in their share of phishing attacks in February (from 15% to 23%).

Share of phishing attacks against U.S. bank types by month, Feb 2012 to Feb 2013 (Source: RSA Anti-Fraud Command Center). The three series sum to 100% each month. The nationwide-bank series is identified by the 69% February 2013 value given in the text; of the two remaining series, the one rising from 15% to 23% in February matches the increase the text reports for regional banks; the label of the third bank type did not survive extraction.

Month    Nationwide   Regional   Third bank type
Feb 12   76%          21%        3%
Mar 12   58%          30%        12%
Apr 12   82%          11%        7%
May 12   62%          18%        20%
Jun 12   78%          12%        10%
Jul 12   74%          15%        11%
Aug 12   74%          15%        11%
Sep 12   77%          14%        9%
Oct 12   77%          14%        9%
Nov 12   79%          9%         12%
Dec 12   79%          15%        6%
Jan 13   70%          15%        15%
Feb 13   69%          23%        8%


Top Countries by Attacked Brands

In February, U.S. brands were targeted by 30% of phishing volume, continuing to remain the top country by attacked brands. Brands in Brazil, Canada, China and Australia were each targeted by 4% of phishing volume, and brands in Italy and India by 3% each.

Share of phishing volume by country of the attacked brand, February 2013: U.S. 30%, United Kingdom 10%, Brazil 4%, Canada 4%, China 4%, Australia 4%, Italy 3%, India 3%, 38 other countries 37%.

Top Hosting Countries

In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. Other top hosting countries in February included Canada, Russia, Brazil and Chile.

Share of phishing attacks by hosting country, February 2013: U.S. 44%, United Kingdom 5%, Germany 5%, Canada 4%, Russia 3%, Brazil 3%, Chile 3%, 54 other countries 33%.


CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. MAR RPT 0313