Bouncer, new phishing variant from RSA

Pierluigi Paganini January 19, 2013

Despite simplicity of the schema phishing attacks have increased exponentially in the last years targeting every sector,both public and private. RSA’s October Online Fraud Report 2012 revealed a worrying scenario, phishing attacks increased up 19% over the second half of 2011, the total loss for various organizations has been estimated to $2.1 billion over the last 18 months.

“As we close out 2012, it’s safe to say that phishing has had yet another record year in attack volumes. The total number of phishing attacks launched in 2012 was 59% higher than the total calculated for 2011, up from 279,580 attacks to 445,004, costing the global economy over $1.5 billion dollars in fraud damages. According to RSA research, this amount is 22% higher than the losses recorded in 2011, part of the growing worldwide monetary losses associated with phishing attacks.” “Beyond rising attack numbers and the money they harvest, phishing kits are increasingly advancing on the technical level, written by malware authors and black hats. 2012 saw the popular use of kit plugins doing real-time credential validation; or reporting via web analytics tools the success of attack campaigns.”

Phishing attacks are exploiting new channels, such as social media and mobile, due the large diffusion of these platforms and the leak of proper security countermeasures. Security firm RSA has recently published a post in which cybercrime specialist Limor Kessem reveals a new scheme for phishing attack, dubbed Bouncer Phishing. The post reported that cyber criminals identify in unique way the targets, they assign to each victim an ID that is used during the scam campaigns, for each attack is composed a list of victims and only the IDs presents in the list are hit by the attack. The unique ID is automatically generated for each victim and for it is composed an unique web address to click on.

“the kit immediately generates an attack page, creating it on the very same hijacked website. The kit’s code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials.“

When the ID of  a victims is not include in the list of targets the link created will simply be presented with an harmless error page showing 404 error message. The expert Kessem said:

“And now we’re seeing the more unusual breeds: bouncer list phishing. It holds this moniker because much like many high-profile nighttime hotspots – if your name is not on the list, you’re staying out! After the kit collects victim credentials it sends them to yet another hijacked website (taken over using the exact same method of vulnerability exploit and web-shell), where the password-protected attack page lies in wait to steal user credentials.”

The approach could have serious consequence on the “detection procedure” implemented by the principal security firms, but which is the advantage of the techniques? The methods allow to the attackers to collect data only related to a specific groups of users, of course the techniques in less noisily respect classic phishing schema. The techniques is very efficient, let’s imagine an attack on a geographic region where a local shop propose exceptional discounts or where  is arranged a specific event, in that cases it is possible to address the victims selecting only ID of the users that live or work in the area, the most interested to information provided and so more exposed to social engineering attacks. Only most pertinent credentials from a restricted audience are collected by the attacks differently by traditional massive phishing campaign. RSA expert explained that each campaign targeted an average number of 3,000 recipients from a list containing a mix of users profiles (e.g. corporate addresses, bank employees) obtained with as aggregation of spam lists or data breach collections. Phishing techniques are evolving and they are showing increasing complexity and bouncer phishing is just the last innovation in this sense. The post of RSA also introduces a couple techniques to compromise website to use in the phishing attacks to host malicious code:

  • Preying on WordPress plugin zero-day vulnerabilities to compromise and hijack websites
  • Uploading a web-shell to hijacked sites, taking over and exploiting them as resources

You can bet that in the future new techniques will be studied and implemented by cyber criminals … and then security companies will try to remedy, as in a continuous play cops and robbers. In the meantime let’s do awareness … the only way to avoid the cyber threats is know them.



you might also like

leave a comment