Security Watch | Matt Hines » Phishing toolkits rock on

January 16, 2008 | Comments: (0)

Phishing toolkits rock on

TAGS: Security

It seems that more creeps than ever before are hanging up their "gone phishing" signs and getting down to the business of setting out their electronic lures -- especially in the Philippines.

According to the latest research published by RSA, based on its observations during the month of December '07, a larger number of phishing attacks are showing up that appear to have been built using toolkits, the virtual "do it yourself" model for designing the threats.

Like the infamous "rock phishing" toolkit that first established the genre in 2005, RSA said that current users of the model are adopting some of the same methods used in the original, such the use of a single Web site with multiple DNS names to host blocks of different attacks aimed at customers of different businesses -- primarily banks.

However, the attacks have not crossed over the same networks that once accounted for rock phish activity, nor have they involved the use of the same signatures, illustrating that the efforts are likely being backed by an entirely different group of toolkit developers.

The threats themselves do not appear to be as virulent or effective as the original rock phishing-derived campaigns, but, the larger trend is that new toolkits are likely being developed and sold to a broader audience, RSA said.

Another rock phishing-like tactic being employed by the new crop of attackers is the use of proxy servers that serve as intermediaries between the scumbags and their prey. Used to deliver infections to people without establishing a direct line of communication between the attackers and their victims, the technique has traditionally proven useful for helping the phishers remain hidden.

But, unlike the original rock phishers, the newer iterations do not appear to have caught onto the use of so-called "fast flux" networks, RSA noted, saying that the groups have also yet begin utilizing botnets of hijacked proxy servers.

In an interesting geographic twist, the Philippines appear to have become a new hotspot for phishing activity. Overall, the number of U.S.-based phishing attacks has once again dropped -- despite accounting for the vast majority of the threats -- accounting for only 44 percent of the attacks during September.

Hong Kong (16 percent) and China (12 percent) remain in the number two and three spots respectively, but the Philippines accounted for 8 percent of the campaigns tracked by RSA during the month after never before appearing on the list. Much of the attacks emanating from the region also appear to have been developed using the new toolkits, the company said.

In terms of the brands that are being targeted by the phishing threats, U.S.-based financial services institutions -- accounting for a whopping 62 percent of the attacks -- topped the list, as they have for several years. U.K.-based companies (11 percent) stuck in the second spot for the 11th consecutive month. Spain (7 percent), which has moved up and down among the top countries whose brands are being attacked, occupied the third spot, followed by Italy, Australia and Canada (tied at 5 percent).

Overall, however, the sheer number of brands that are being assailed by phishers worldwide rose dramatically during the last month of 2007, perhaps related to attempts to cash in on increased consumer activity online. Of the 186 different financial institutions that RSA observed under attack during the month, 20 represented companies that the firm had not seen previously targeted.

In another new trend, the company said that customers of credit unions are being attacked on a more frequent basis, while campaigns aimed at customers of national banks have dropped.

While attacks on credit unions accounted for 45 percent of all monthly activity tracked by RSA, up from 33 percent in the previous month, phishing lures set for customers of national banks decreased significantly, falling from 44 percent in November '07 to only 26 percent during December.

"Online fraud is evolving. Phishing and pharming continue to serve as a major part of the innovative and technological crime wave faced by online businesses," RSA researchers wrote in their research note. "And with new, sophisticated tools at their disposal, fraudsters can adapt more rapidly than ever."

Posted by Matt Hines on January 16, 2008 09:24 AM

RATE THIS ARTICLE: