page 1R S A M O N T H LY F R A U D R E P O R T

F R A U D R E P O R T

MO’ MONEY MO’ PROBLEMS

March 2014

Ever since the Liberty Reserve takedown in May of last year and the confiscation of all

accounts by law enforcement, fraudsters have been busy finding a solid currency to

which they can entrust their spoils without the risk of losing them in a bust. The obvious

choices were Perfect Money and BitCoin, but both currencies carry inherent risk. Perfect

Money is of questionable background, while BitCoin does not provide fraudsters the

required level of anonymity and is not immune to seizure. These risks have pushed the

underground to adopt—or really create—unique currency systems to help protect the

financial security of its dwellers.

In a recent on-going investigation, RSA’s Fraud Intelligence agents have identified and

have been tracking the growing adoption of forum-specific currencies. These financial

platforms allow users to safely transact within their own community, under the

supervision of the forum administrator, avoiding the use of the more public currency

options such as Perfect Money and BitCoin. In some instances different forums shared

the same currency further widening the use and adoption of these platforms.

MUSD

The MUSD currency is used in a single underground board, and has been active since

November 2013. Forum members can use the currency to purchase items/services from

each other, as well as pay for advertising on the board itself. The currency provides a

built-in escrow-service and guarantees anonymity. The forum administrator vouches for

the currency system and is responsible for all its operations.

One can exchange funds to or from MUSD through exchange agents. Two verified

exchange agent services currently work with MUSD in this board, with one offering to

cash out MUSD for hard currency in person at an office in Kiev, Ukraine. Exchange rates

are linked to the US dollar and are set at 1 MUSD = $1 USD.

page 2R S A M O N T H LY F R A U D R E P O R T

UNITED PAYMENT SYSTEM

The United Payment System currency appears to be shared by four different Russian

language forums, with each forum designating its own sub-currency with the forum’s

initials. For example, DM RUR and MM RUR (DM and MM are initials of forum names, and

“RUR” indicates Russian Ruble). Each forum has its own official exchange agent, and

each exchange agent has an administrator. To make sure the exchange agent stays

“honest”, a senior forum member is appointed to supervise and review the activities of

the exchange agent. Funds can be added or cashed out via the exchange agents with

cash out options including refilling different pre-paid cards.

The interesting thing about this currency is that it is shared across a number of forums

allowing members from different forums to transact.

UAPS

UAPS has been in use for over a year and is used with two of the most powerful boards in

the Russian-language cybercrime community and in fact is referred to as the ‘First

Commercial Bank’ on one of them. Of the three currencies discussed here, it appears to

be the most advanced and secure option for fraudsters, with ongoing improvements and

upgrades being implemented by a dedicated software team. Adding funds and cashing

out is available directly from the UAPS system.

The system emphasizes maintaining end-user security and privacy, implementing a strict

data retention policy of just two months.

CONCLUSION

The advent of new private financial systems and currencies in the Russian-language

cybercrime community is a trend indicating a stronger level of collaboration, cooperation

and sophistication amongst individual fraudsters and between fraudster boards in the

cybercrime world.

These new internal currencies are carefully administered and secured, ensuring a high

level of anonymity in transaction and hiding the user identities, making it more difficult

for law enforcement to trace, block, or seize funds and accounts.

Figure 1

MUSD exchange rates

Figure 2

United Payment System icon

Figure 3

UAPS currency system login screen

page 3R S A M O N T H LY F R A U D R E P O R T

Phishing Attacks per Month

RSA identified 36,883 phishing attacks in

February, marking a 21% increase from

January’s attack numbers. This also

represents a 35% increase from the

number of attacks a year ago.

US Bank Types Attacked

Nationwide banks continued to be the

most targeted by phishing with 68% of total

volume in February, and credit unions saw a

sharp spike in attacks – jumping from 16%

to 27% compared to January.

Top Countries by Attack Volume

The U.S. remained the most targeted

country in February with an overwhelming

77% of total phishing volume, followed by

the UK, South Africa, the Netherlands, and

Canada.

36,883 Attacks

Credit Unions

Regional

National

77%

5%

4%

3%

South Africa

Netherlands

UK

U.S.

MARCH 2014Source: RSA Anti-Fraud Command Center

www.emc.com/rsa

CONTACT USTo learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa

Top Countries by Attacked Brands

In February, nearly 40% of phishing

attacks were targeted at brands in the U.S.

and UK. Brands in India, Canada and

Australia were collectively targeted by

15% of total phishing volume.

Top Hosting Countries

The U.S. hosted 34% of global phishing

attacks in February, followed by Canada,

Germany, France and Brazil.

©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC

Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective

holders. MAR RPT 0314

11%

U.S.

UK

27%

5% 4%6%

34%

GLOBAL PHISHING LOSSESFEBRUARY 2014