F R A U D R E P O R T

HACKTIVISM AND THE CASE OF SOMETHING PHISHY

May 2013

While it is true that most cyber attacks orchestrated by hacktivists focus on DDoS

onslaughts targeting authority-type entities and banks, all too many times they add

a sting to the operation and hack into immense databases containing personal user

information.

On their quest for notoriety and media attention to make a statement, critics say that

hacktivists tend to cross the line when they publicly release untold amounts of data,

providing links to the trove and facilitating its free-for-all download.

Some hacktivists will call out every target on their list and post their threats publicly and

well in advance, while those targeted will prepare to fend off the attack and advise users

as needed. But at the end of the day, it is often the innocent online user that takes the

hardest hit when their information is leaked across the Internet.

HACKTIVISTS OUT, PHISHERMEN IN

In one of the largest hacks perpetrated in the name of hacktivist ideals, the end result,

beyond the damaged brand reputation of a multinational corporation, was a public leak

of account information belonging to nearly 25 million Sony Entertainment users. That was

about a third of a previous leak of over 70 million accounts, also inflicted by hackers

operating in the name of an opinion they formed and acted upon.

Taking the Sony case as just one example, because hacktivist cases such as these have

been increasingly plaguing the Internet, it is clear that the one party that did not expect

the hack – other than Sony, of course – were the millions of ordinary users whose data

was offered up freely thereafter. Those same users were also the ones who did not have

advisors, lawyers and information security experts to help them recover from the actual

and potential damages of the hack and its possible effects on their identities and

personal finances.

page 2

For fraudsters, the large-scale hacks are like candy. Hacktivists will set up publicly

available download links for anyone to be able to see the exposed databases,

their hunting trophy, and end their part there. But as soon as the links are public,

cybercriminals and fraudsters will access and download it before it is taken down

by the hosting authorities. By that time, the real damage to the end user is done.

Large hacks containing a database replete with email addresses, not to mention payment

cards or other financial data, are an attractive reward for phishers to come for and discuss

in underground communities. Instead of having to do their own hacking, collecting and

stealing, they can enjoy the spoils and bank on the “freshly” dumped data, compliments

of zealous hacktivists, paving a shortcut to a variety of fraud scenarios including:

– Monetizing gaming account credentials by selling them to other gamers

– Enjoying a list of valid email addresses to target with phishing spam

– Leading potential victims to phishing and malware sites and getting paid per install

– Harvesting financial information that can be sold to fraudsters and CC shops

– Using leaked and stolen data for fraud and identity theft

– Checking what other accounts a user has, because as recent research shows,

61% of accounts are set-up with passwords used on other consumer accounts.

It’s easy to see how an attack that stems from idealistic motivations, targeting very large

entities and supposedly conceived in order to protect people’s rights to information,

ends up serving the fraudsters and flooding the Internet with confidential data. With the

variety of actors that gain access to information publicly posted online, hacktivists end

up inadvertently damaging the very people whose interests they claim to represent.

CONCLUSION

The number of phishing attacks recorded monthly is known to vary, fluctuating upwards

and downwards, and there’s limited capability to forecast a trend that is so dependent on

fraudster resources. Although totals are often tricky to predict, some seasonal trends do

repeat every year such as the holiday shopping season when a rise in phishing is almost

expected. Adding to that list, we can include large database hacks that release the

information on millions of users into the wild. Phishing attacks in April 2013 have so far

only shown a moderate increase over the previous month, but with constant headlines

such as the recent announcement of over 40,000 Facebook accounts allegedly hacked,

we may just see a rise before the quarter is out.

page 3

Phishing Attacks per Month

In April, RSA identified 26,902 attacks

launched worldwide, marking a 10%

increase in attack volume from March.

Number of Brands Attacked

In April, 311 brands were targeted in

phishing attacks, marking a 20% increase

from last month. Of the 311 targeted

brands, 52% endured five attacks or less.

0

10000

20000

30000

40000

50000

60000

Sou

rce:

RSA

Ant

i-Fra

ud C

omm

and

Cent

er

3555837878

51906

59406

49488

3544033768

41834

29581 3015127463

2434726902

Apr 12

May 12

Jun 12

Jul 12

Aug 12

Sep 12

Oct 12

Nov 12

Dec 12

Jan 13

Feb 13

Mar 13

Apr 13

0

50

100

150

200

250

300

350

Sou

rce:

RSA

Ant

i-Fra

ud C

omm

and

Cent

er

288 298

259242

290

314

269284

257

291

257 260

311

Apr 12

May 12

Jun 12

Jul 12

Aug 12

Sep 12

Oct 12

Nov 12

Dec 12

Jan 13

Feb 13

Mar 13

Apr 13

page 4

Top Countries by Attack Volume

The U.S. remained the top country on the

chart, targeted with 46% of the total

phishing volume in April. The UK

accounted for 11% of the attack volume,

a 2% decline from March while South

Africa remained the same with 9% of

attack volume.

UKGermanyChinaCanadaSouth KoreaAustraliaa

United Kingdom 11%

U.S. 46%

India 8%

South Africa 9%

Canada 4%

Netherlands 4%

48 Other Countries 18%

US Bank Types Attacked

U.S. nationwide banks continued to be

targeted by the highest volume of phishing

attacks (73%) in April, while regional banks

saw a slight decline from 20% to 12%.

0

20

40

60

80

100

Sou

rce:

RSA

Ant

i-Fra

ud C

omm

and

Cent

er

7% 20% 10% 11% 11% 9% 9% 12% 6% 15% 8% 17% 15%

11%

18%

12%

15% 15% 14% 14%

9% 15%

15% 23% 23% 12%

82% 62% 78% 74% 74% 77% 77% 79% 79% 70% 69% 60% 73%

Apr 12

May 12

Jun 12

Jul 12

Aug 12

Sep 12

Oct 12

Nov 12

Dec 12

Jan 13

Feb 13

Mar 13

Apr 13

page 5

MalaysiaBrasilIndiaNetherlandsCanadaItalyChinaS AfricaUS

Top Countries by Attacked Brands

U.S. brands were targeted by 29% of total

phishing volume in April, followed by

brands in the UK at 10%. Brands in India,

Australia and Brazil were collectively

targeted by 15% of phishing volume.

Top Hosting Countries

The U.S. remained the top hosting country

in April, hosting 47% of global phishing

attacks (down 4%). Germany, Canada, the

Netherlands, UK and Russia together

hosted just over 20% of additional volume. U.S. 47%

61 Other Countries 32%

Germany 6%

Canada 5%

Russia 3%

Netherlands 3%

United Kingdom 4%

MalaysiaBrasilIndiaNetherlandsCanadaItalyChinaS AfricaUSa

United Kingdom 10%

49 Other Countries 46%

U.S. 29%

Brazil 4%

India 7%

Australia 4%

www.emc.com/rsa

CONTACT USTo learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa

©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC

Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective

holders. MAY RPT 0513