RSA Monthly Online Fraud Report -- February 2013
Post on 21-Jan-2015
Description: This monthly report highlights the most recent phishing trends witnessed by RSA in January 2013.
PHISHING KITS: THE SAME WOLF, JUST A DIFFERENT SHEEP'S CLOTHING

February 2013

Phishing still stands as the top online threat impacting both consumers and the businesses that serve them online. In 2012, there was an average of over 37,000 phishing attacks each month identified by RSA. The impact of phishing on the global economy has been quite significant: RSA estimates that worldwide losses from phishing attacks cost more than $1.5 billion in 2012, and had the potential to reach over $2 billion if the average uptime of phishing attacks had remained the same as 2011.

This monthly highlight goes beyond the growing numbers recorded for phishing attacks and looks deeper into the evolution of attack tactics facilitating the sustained increase witnessed over the last year.

START LEGIT, THEN GO BAD

Phishing kits recently analyzed by RSA show another phish tactic increasingly used by phishers. Although this is not entirely new, it is interesting to see it implemented by miscreants planning to evade email filtering security.

The scheme includes a number of redirections from one website to another. What kit authors typically do in such cases is exploit and take over one legitimate website, hijacking it but not making any changes to it. They will be using this site as a trampoline of sorts, making their victims reach it and then be bounced from there to a second hijacked website: the actual phishing page.

What good can this serve? Simple: the first site is purposely preserved as a clean site so that phishers can send it as an unreported/unblocked URL to their victims, inside emails that would not appear suspicious to security filtering. The recipient will then click the link, get to the first (good) URL and be instantly redirected to the malicious one.
Another similar example is reflected in time-delayed attacks, again not new, but increasingly used by attackers. This variation uses the same clean site, sends the email spam containing the good URL and stalls. The malicious content will only be loaded to the hijacked site a day or two later. These are often weekend attacks, where the spam is sent on a Sunday, clears the email systems, then the malicious content is available on Monday. The same scheme is used for spear phishing and Trojan infection campaigns.

PHISH FRIDAY

Research into attack patterns proves that Fridays are a top choice for phishers to send targeted emails to employees ("spear phish Friday", if you will). Why Friday? When it comes to phishing, phishers make it their business to know their targets as well as possible. It stands to reason that employees may be a little less on guard on the last day of the week, clean their inbox from the week's emails and browse the Internet more, making them more likely to check out a link they received via email that day.

TYPO SQUATTING: DOUBLE TIME

Typo squatting is a common way for phishers to try and trick web users into believing they are looking at a legitimate URL and not a look-alike evil twin. The basics of typo squatting is registering a website for phishing, choosing a domain name that is either very similar to the original or visually misleading. The most common ways of doing this are:

- Switching letters, as in bnak or bnk for bank
- Adding a letter at the end of the word or doubling in the wrong place, as in Montterrey for Monterrey
- Swapping visually similar letters

Phishers are creative and may use different schemes to typo squat. This phish tactic can be noticed by keen-eyed readers who actually pay close attention to the URL they are accessing, however, for more individuals on a busy day, typo squatting can end with an inadvertent click on the wrong link.
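
The typo-squatting patterns listed above can be checked mechanically when triaging newly seen domains against a brand watch list. The following Python is an added example, not part of the RSA report; the function names, the small look-alike letter table and the sample domains (other than iwltter.com) are assumptions constructed for illustration.

```python
# Added example (not from the RSA report): label a look-alike domain with the
# typo-squatting technique that produced it from a protected brand name.

# Constructed, deliberately small confusable-letter table; extend it for real use.
HOMOGLYPHS = {frozenset(p) for p in ("il", "it", "l1", "i1", "o0", "s5")}

def classify(candidate, brand):
    """Return the technique turning `brand` into `candidate`, or None."""
    c, b = candidate.lower(), brand.lower()
    if c == b:
        return None
    if len(c) == len(b):
        diff = [i for i in range(len(b)) if c[i] != b[i]]
        # Two adjacent characters exchanged, e.g. "bnak" for "bank".
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and c[diff[0]] == b[diff[1]] and c[diff[1]] == b[diff[0]]):
            return "switched-letters"
        # Every differing position is a visually similar pair, e.g. "iwltter".
        if all(frozenset((c[i], b[i])) in HOMOGLYPHS for i in diff):
            return "similar-letters"
    if len(c) == len(b) - 1:
        # One character left out, e.g. "bnk" for "bank".
        if any(b[:i] + b[i + 1:] == c for i in range(len(b))):
            return "dropped-letter"
    if len(c) == len(b) + 1:
        for i in range(len(c)):
            if c[:i] + c[i + 1:] == b:
                # Extra character repeats a neighbour, e.g. "montterrey".
                doubled = c[i] in (c[i - 1:i] + c[i + 1:i + 2])
                return "doubled-letter" if doubled else "added-letter"
    return None

def scan(domains, brands):
    """Return (domain, brand, technique) for each domain imitating a brand."""
    hits = []
    for domain in domains:
        # Assumption: the label left of the last dot is the registrable name.
        label = domain.lower().rstrip(".").split(".")[-2:][0]
        for brand in brands:
            technique = classify(label, brand)
            if technique:
                hits.append((domain, brand, technique))
    return hits

# Constructed sample input; only iwltter.com appears in the report.
SAMPLE = ["iwltter.com", "www.bnak.example", "montterrey.example",
          "twitter.com", "unrelated.example"]
BRANDS = ["twitter", "bank", "monterrey"]
```

Calling `scan(SAMPLE, BRANDS)` flags the three look-alikes and leaves `twitter.com` and `unrelated.example` alone. Domains with multi-label suffixes need a public-suffix list to find the registrable label.
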
This is especially important today, since fake websites look better than ever and are that much harder to tell apart.

[Figure: Typo-squatting. Phishing email leading to a Twitter replica website registered by a fraudster using typo-squatting.]

A quick search engine search for domain iwltter.com immediately revealed that it was registered by someone in Shanghai and already reported for phishing.

But the notion plays against phishers in other aspects. Typos are one of the oldest tell-tale signs of phishing. You'd think that by now phishers would have learned that their spelling mistakes and clunky syntax impair their success rates, but luckily, they haven't. This could be in part due to the fact that many kit authors are not native English speakers.

BOUNCER PHISHING: STRANGERS KEEP OUT

Another phish tactic analyzed by RSA in the recent month came in the shape of a kit that selected its audience from a 3,000 strong pre-loaded list. It may sound like a long list, but it is very limiting in terms of exposure to the phishing attack itself.

This case showed that phishers will use different ways to protect the existing campaign infrastructure they created and make sure strangers, as in security and phish trackers, keep out of their hijacked hostage sites while they gather credentials and ship them out to an entirely different location on the web.

WATER-HOLING: REVERSING THE ROLES

Water-holing in the phishing context became a tactic employed by attackers looking to reach the more savvy breed of Internet users. Instead of trying to send an email to a security-aware individual, attempting to bypass security implemented in-house and reinventing the phish, water-holing is the simple maneuver of luring the victim out to the field and getting him there.

A water-hole is thus a website or an online resource that is frequently visited by the target-audience. Compromise that one resource, and you've got them all.
Clearly fully patched systems will still be rather immune and secured browsers that will not allow the download of any file without express permission from the user will deflect the malware.

Water-holing has been a tactic that managed to compromise users by using an exploit and infecting their machines with a RAT (remote administration tool). This is also the suspected method of infection of servers used for the handling of payment-processing data. Since regular browsing from such resources does not take place on a daily basis, the other possibility of a relatively wide campaign is to infect them through a resource they do reach out to regularly.

Water-holing may require some resources for the initial compromise of the website that will reap the rewards later, but these balance out considering the attacker does not need to know the exact contacts/their email addresses/the type of content they will expect or suspect before going after the targeted organization.

CONCLUSION

Although there is not much a phishing page can surprise with, one can't forget that the actual page is just the attack's façade. Behind the credential-collecting interface lie increasingly sophisticated kits that record user hits and coordinates, push them from one site to the next, lure them to infection points after robbing their information and are always seeking the next best way to attack. According to recent RSA research into kits, changes in the code's makeup and phish tactics come from intent learning of human behavior patterns by logging statistical information about users and then implementing that knowledge into future campaigns.

Phishing Attacks per Month

[Figure: phishing attacks per month, Jan 12 to Jan 13. Source: RSA Anti-Fraud Command Center]

In January, RSA identified 30,151 attacks launched worldwide, a 2% increase in attack volume from December.
Considering historical data, the overall trend in attack numbers in an annual view shows slightly lower attack volumes through the first quarter of the year.

Number of Brands Attacked

[Figure: number of brands attacked per month, Jan 12 to Jan 13. Source: RSA Anti-Fraud Command Center]

In January, 291 brands were targeted in phishing attacks, marking a 13% increase from December.

US Bank Types Attacked

[Figure: US bank types attacked per month, Jan 12 to Jan 13. Source: RSA Anti-Fraud Command Center]

U.S. nationwide banks continue to be the prime target for phishing campaigns, targeted by 70% of the total phishing volume in January. Regional banks' attack volume remained steady at 15%, while attacks against credit unions increased by 9%.

Top Countries by Attack Volume

The U.S. was targeted by phishing most in January with 57% of total phishing volume. The UK endured 10%, followed by India and Canada with 4% of attack volume respectively.

[Figure: U.S. 57%, United Kingdom 10%, India 4%, Canada 4%, South Africa 3%, 43 Other Countries 22%]

Top Countries by Attacked Brands

Brands in the U.S. were most targeted in January; 30% of phishing attacks were targeting U.S. organizations followed by the UK that represented 11% of worldwide brands attacked by phishers. Other nations whose brands were most targeted include India, Australia, France and Brazil.

[Figure: U.S. 30%, United Kingdom 11%, India 4%, Australia 4%, France 4%, Canada 4%, Brazil 3%, Italy 3%, 40 Other Countries 37%]
Top Hosting Countries

In January, the U.S. remained the top hosting country, accounting for 52% of global phishing attacks, followed by Canada, Germany, the UK and Colombia which together hosted about one-fifth of phishing attacks in January.

[Figure: U.S. 52%, Canada 6%, Germany 6%, United Kingdom 4%, Colombia 3%, 56 Other Countries 29%]

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at www.emc.com/rsa

© 2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or regi