RSA Monthly Online Fraud Report – May 2014

RSA MONTHLY FRAUD REPORT

MALWARE TOOLS FOR SALE ON THE OPEN WEB

May 2014

RSA Research, while investigating a Zeus Trojan sample, discovered an additional drop server used by a fraudster who is offering a set of spyware tools for sale under the vendor names TampStore and Crown Softwares. The online store offers a number of software packages made up of sets of tools presented openly as legitimate “spyware”, with individual package icons in different colors for each of the products. These tools offer a number of features that may be illegal in many regions, and are commonly used by malware developers to steal data from infected PCs.

The online store offers the following ‘products’:

  • TampZusa – stealer application for stealing information and images from browsers, email clients, keylogging, screen captures, webcam, and messenger clients
  • TampStealer – same as TampZusa, with a few extra bonuses added to the package (see feature list below)
  • TampKelogger Classic – a basic case-sensitive keylogger that can also record window titles
  • TampKeylogger Premium – a full featured keylogger that also includes all the features of the TampStealer
  • TampSpammer – a basic mass-mailer spamming application

Of all the listed products, the TampStealer appears to be the most complete package of spyware tools. The following is a list of the features advertised in the online store.

Upload: emc-academic-alliance

Post on 08-May-2015


TRANSCRIPT

TampStealer feature list:

  • Case sensitive keylogger
  • Print screen stealer (screen capture)
  • Webcam stealer
  • Browser password stealer – Opera, Chrome, Firefox, Safari, Internet Explorer, Netscape
  • Avira firewall bypass
  • Mass email dispatcher
  • Silent file downloaders
  • Multi-client remote administration
  • Send logs to FTP or PHP (PHP logger included in package)
  • FileZilla stealer
  • Stealer for the following email clients – Outlook, Windows Mail, Eudora, IncrediMail, Netscape
  • PidGin stealer (messenger client)
  • Icon changer application, including an icon package

The fraudster does not seem to be shy about advertising his wares on Facebook or exposing numerous email addresses for himself in various forums and public social networking sites. RSA has traced a number of entries posted by him in a Romanian computer hacker forum as well as advertising his availability for hire in a web programming forum.

Upon further investigation of the administration panel and log files of the TampStealer application, RSA uncovered records of stolen login credentials. One log file from the TampStealer application contained as many as 8,145 stolen login records (see Figure 1 below).

CONCLUSION

Offering cybercrime software tools for sale is not new. However, advertising them out on the open web and social networking sites like Facebook is quite unusual. This particular software tool author does not seem to be afraid or concerned about exposing his software or his email addresses to the general public. Such behavior goes against the trend of pushing cybercriminal activity further underground as has been witnessed by RSA over the last two years.

Phishing Attacks per Month

RSA identified 52,554 phishing attacks in April, marking a 24% increase from March's attack numbers. Based on this figure, RSA estimates phishing cost global organizations $448 million in losses in April.

US Bank Types Attacked

While nationwide banks continue to be the most targeted by phishing with 58% of total volume in April, regional banks have continued to see an increase in volume as well.

Top Countries by Attack Volume

The U.S. remained the most targeted country in April with an overwhelming 76% of global phishing volume, followed by the UK, the Netherlands, and South Africa.

[Charts: phishing attacks per month; US bank types attacked (credit unions, regional, national); top countries by attack volume. Source: RSA Anti-Fraud Command Center]

Top Countries by Attacked Brands

Over 50% of phishing attacks in March were targeted at brands in the U.S., UK, India, Italy and Canada.

Top Hosting Countries

The U.S. hosted 34% of global phishing attacks in April, followed by Germany, the Netherlands, and Italy.

Mobile Transactions and Fraud (Q1 '14)

In Q1, 33% of banking transactions originated in the mobile channel. Among total transactions, 2% of all identified fraud was from a mobile device.

[Charts: top countries by attacked brands; top hosting countries; mobile transactions and fraud; global phishing losses, April 2014]

CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at www.emc.com/rsa

© 2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. MAY RPT 0314