RSA Monthly Online Fraud Report -- August 2013


Upload: emc-academic-alliance

Post on 08-Jun-2015


DESCRIPTION

This report offers insight on the latest trends in phishing, malware and cybercrime around the world.

TRANSCRIPT

Page 1: RSA Monthly Online Fraud Report -- August 2013

FRAUD REPORT

PHISH LOCKERS OUT IN THE WILD

August 2013

RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed ‘Phish Lockers’, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name.

This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections.

Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time.

INSIDE THE PHISH LOCKING ROOM

Much like most banking Trojans, phish lockers are activated by a trigger. When an infected user logs into a website contained on the malware’s trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don’t have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera.
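The hardcoded trigger list and mail settings the report describes are also the analyst's opportunity: with no downloadable configuration, a plain strings pass over a sample often recovers the whole target list and every exfiltration mailbox. The following Python is an added illustration, not code from RSA or from the report; the SAMPLE bytes, the .test domains and the assumption that the SMTP command strings sit fully formatted in the binary (real samples may assemble them at run time, in which case a dynamic trace is needed) are all constructed for the demonstration.

```python
"""
Static indicator triage for a 'phish locker'-style sample.

Because this malware family keeps its trigger URLs, SMTP sender and fallback
recipients hardcoded (no downloadable configuration), a plain strings pass over
the binary can often recover the full target list and exfiltration mailboxes.
The SAMPLE bytes below are constructed for the demonstration; they are not a
real sample, and every domain is a reserved .test name.
"""
import re

# Constructed stand-in for a dumped PE image (not a real sample).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"https://online.example-bank.test/login\x00"
    + b"https://secure.example-credit.test/signin\x00"
    + b"EHLO\x00AUTH LOGIN\x00"
    + b"MAIL FROM:<dropbox1@example.test>\x00"
    + b"RCPT TO:<dropbox1@example.test>\x00"
    + b"RCPT TO:<dropbox2@example.test>\x00"
    + b"RCPT TO:<backup@example.test>\x00"
    + b"RCPT TO:<dropbox1@example.test>\x00"  # duplicate, to show de-duplication
)

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[\w./\-]*)?")
SENDER_RE = re.compile(rb"MAIL FROM:<([^>\x00]+)>")
RCPT_RE = re.compile(rb"RCPT TO:<([^>\x00]+)>")
SMTP_VERBS = (b"EHLO", b"HELO", b"AUTH LOGIN", b"MAIL FROM", b"RCPT TO", b"DATA")


def _unique(items):
    """De-duplicate while preserving first-seen order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def extract_hardcoded_indicators(blob: bytes) -> dict:
    """Pull trigger URLs, SMTP verbs, sender and recipient mailboxes out of a
    binary and say whether the combination matches the phish-locker profile:
    at least one target URL, ESMTP command strings, and two or more recipients
    (the fallback mailboxes the report describes)."""
    urls = _unique(m.decode("ascii", "replace") for m in URL_RE.findall(blob))
    senders = _unique(m.decode("ascii", "replace") for m in SENDER_RE.findall(blob))
    recipients = _unique(m.decode("ascii", "replace") for m in RCPT_RE.findall(blob))
    verbs = [v.decode() for v in SMTP_VERBS if v in blob]
    profile_match = bool(urls) and b"EHLO" in blob and len(recipients) >= 2
    return {
        "trigger_urls": urls,
        "smtp_verbs": verbs,
        "sender": senders,
        "recipients": recipients,
        "phish_locker_profile": profile_match,
    }


if __name__ == "__main__":
    for key, value in extract_hardcoded_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```

Every URL the pass recovers is a bank the sample will react to, and every recipient is a mailbox worth reporting to the provider; the duplicate recipient in the constructed blob shows why the lists are de-duplicated in first-seen order rather than sorted, since the order usually reflects the fallback priority the author coded.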

The first visible action that the user will see is the browser window being shut down, then the desktop’s START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan will pop up a corresponding web form that looks exactly like the legitimate web page, but is actually a phishing page.

The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user’s mobile number.

When banking Trojans infect user machines, they are present on the device and can log a user’s keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using predefined domains as communication resources. Phish lockers, on the other hand, are not designed to carry out such complex activity and use basic methods to transmit stolen data such as email.

In order to facilitate sending emails from the infected PC, the malware’s author programmed it to use Extended SMTP, predefining a sender and a few recipients that will act as a fallback mechanism in case the data gets intercepted or the mailbox blocked/closed for some reason.

Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker’s web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control.
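The two behaviours just described, the browser being closed before the theft and the loot leaving over ESMTP directly from the infected PC, are each unremarkable on their own but distinctive in sequence. The Python below is an added detection sketch, not RSA's code and not something the report ships; the telemetry format, host names, process paths and the ten-minute window are all constructed assumptions, and a real deployment would map the same rule onto whatever process-termination and network-connection events the endpoint sensor actually emits.

```python
"""
Correlation rule for the phish-locker sequence described in the report:
the malware closes the victim's browser, shows its own form, then mails the
captured credentials out over (E)SMTP straight from the infected PC. Neither
event alone is alarming, but a browser being killed by an unknown process and
that same host opening an SMTP connection minutes later is. The telemetry
below is constructed for the demonstration (format and hosts are invented).
"""
import ntpath
from datetime import datetime, timedelta

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # processes expected to speak SMTP
SMTP_PORTS = {25, 465, 587}
WINDOW = timedelta(minutes=10)  # how long after the browser kill an SMTP connect still counts

# Constructed endpoint telemetry: "<utc-timestamp> <host> <event> key=value ...".
# Paths use no spaces so a line can be split on whitespace.
SAMPLE_LOG = r"""
2013-08-05T10:02:11Z WS-17 proc_kill killer=C:\Users\u\AppData\Roaming\upd.exe victim=firefox.exe
2013-08-05T10:02:40Z WS-17 net_connect image=C:\Users\u\AppData\Roaming\upd.exe dst=203.0.113.25 dport=587
2013-08-05T09:15:00Z WS-04 net_connect image=C:\Program_Files\Office\outlook.exe dst=198.51.100.9 dport=587
2013-08-05T11:30:00Z WS-09 proc_kill killer=C:\Windows\explorer.exe victim=chrome.exe
2013-08-05T13:45:00Z WS-09 net_connect image=C:\Users\u\tool.exe dst=203.0.113.77 dport=25
2013-08-05T14:00:00Z WS-22 proc_kill killer=C:\Users\u\svc.exe victim=chrome.exe
2013-08-05T14:03:10Z WS-22 net_connect image=C:\Program_Files\Mozilla\thunderbird.exe dst=198.51.100.9 dport=25
"""


def parse_line(line: str) -> dict:
    """Turn one telemetry line into a dict with a parsed UTC timestamp."""
    ts, host, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host=host, event=event)
    return fields


def detect_locker_sequence(lines) -> list:
    """Return one alert per (browser kill, SMTP connect) pair on the same host
    inside WINDOW, ignoring connections made by a known mail client."""
    events = [parse_line(l) for l in lines if l.strip()]
    kills = [e for e in events if e["event"] == "proc_kill" and e["victim"].lower() in BROWSERS]
    smtp = [e for e in events if e["event"] == "net_connect" and int(e["dport"]) in SMTP_PORTS]
    alerts = []
    for k in kills:
        killer = ntpath.basename(k["killer"]).lower()
        for c in smtp:
            if c["host"] != k["host"]:
                continue
            delta = c["ts"] - k["ts"]
            if not timedelta(0) <= delta <= WINDOW:
                continue
            sender = ntpath.basename(c["image"]).lower()
            if sender in MAIL_CLIENTS:
                continue
            alerts.append({
                "host": k["host"],
                "killer": killer,
                "smtp_process": sender,
                "same_process": sender == killer,  # strongest signal: the killer is the mailer
                "dst": c["dst"],
                "dport": int(c["dport"]),
                "seconds_after_kill": int(delta.total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_locker_sequence(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log only WS-17 fires: WS-04 is a mail client doing its job, WS-09's SMTP connection comes hours after an ordinary browser close, and WS-22's connection is made by a known mail client. Because the locker hardcodes its fallback recipients, an SMTP proxy that also counts RCPT TO lines per message would add a second, independent signal to the same rule.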

CONCLUSION

It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced.

This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals as they are denied access to purchase more advanced malware kits to launch attacks. This could perhaps be pushing some cybercriminals to write and deploy simple malicious code that will at least get their dirty work done.

Figure 1: Phish locker’s web form pop-up requesting credit card information

Phishing Attacks per Month

RSA identified 45,232 phishing attacks launched worldwide in July, marking a 26% increase in attack volume in the last month.

Figure: phishing attacks per month, July 2012 to July 2013 (bar chart; the values below are paired with months in the order they appear in the extracted chart labels).
Source: RSA Anti-Fraud Command Center

Month    Attacks
Jul 12    59,406
Aug 12    49,488
Sep 12    35,440
Oct 12    33,768
Nov 12    41,834
Dec 12    29,581
Jan 13    30,151
Feb 13    27,463
Mar 13    24,347
Apr 13    26,902
May 13    36,966
Jun 13    35,831
Jul 13    45,232

US Bank Types Attacked

National banks continue to be the most targeted by phishing within the U.S. banking sector with 74% of attacks in July, while credit unions were targeted by one out of every ten attacks last month.

Figure: share of U.S. phishing attacks by bank type, July 2012 to July 2013 (stacked bar chart, 0-100%; the three series are paired with months in extraction order, and the label of the middle series did not survive extraction and is assumed to be regional banks).
Source: RSA Anti-Fraud Command Center

Month    Credit unions    Regional banks    National banks
Jul 12         11%              15%               74%
Aug 12         11%              15%               74%
Sep 12          9%              14%               77%
Oct 12          9%              14%               77%
Nov 12         12%               9%               79%
Dec 12          6%              15%               79%
Jan 13         15%              15%               70%
Feb 13          8%              23%               69%
Mar 13         17%              23%               60%
Apr 13         15%              12%               73%
May 13          8%              19%               73%
Jun 13         11%              13%               76%
Jul 13         11%              15%               74%


Top Countries by Attack Volume

The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France, Canada, South Africa and Italy were collectively targeted by 15% of phishing volume.

Figure: top countries by attack volume, July 2013 (pie chart)
U.S. 58%
Germany 9%
United Kingdom 8%
India 3%
France 3%
Canada 3%
South Africa 3%
Italy 3%
48 Other Countries 10%

Top Countries by Attacked Brands

U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and China together endured one-quarter of phishing attack volume.

Figure: top countries by attacked brands, July 2013 (pie chart)
U.S. 28%
United Kingdom 11%
India 6%
Australia 5%
China 4%
Italy 4%
51 Other Countries 47%

Top Hosting Countries

The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by Canada, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks.

Figure: top hosting countries, July 2013 (pie chart)
U.S. 45%
Canada 6%
Germany 5%
Netherlands 4%
United Kingdom 4%
France 3%
62 Other Countries 33%

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. AUG RPT 0813