Bouncer, new phishing variant from RSA

Pierluigi Paganini January 19, 2013

Despite the simplicity of the scheme, phishing attacks have increased exponentially in recent years, targeting every sector, both public and private. RSA’s October Online Fraud Report 2012 revealed a worrying scenario: phishing attacks increased by 19% over the second half of 2011, and the total loss for various organizations has been estimated at $2.1 billion over the last 18 months.

“As we close out 2012, it’s safe to say that phishing has had yet another record year in attack volumes. The total number of phishing attacks launched in 2012 was 59% higher than the total calculated for 2011, up from 279,580 attacks to 445,004, costing the global economy over $1.5 billion dollars in fraud damages. According to RSA research, this amount is 22% higher than the losses recorded in 2011, part of the growing worldwide monetary losses associated with phishing attacks.” “Beyond rising attack numbers and the money they harvest, phishing kits are increasingly advancing on the technical level, written by malware authors and black hats. 2012 saw the popular use of kit plugins doing real-time credential validation; or reporting via web analytics tools the success of attack campaigns.”

Phishing attacks are exploiting new channels, such as social media and mobile, due to the wide diffusion of these platforms and the lack of proper security countermeasures. Security firm RSA has recently published a post in which cybercrime specialist Limor Kessem reveals a new scheme for phishing attacks, dubbed Bouncer Phishing. The post reports that cyber criminals uniquely identify their targets: they assign each victim an ID that is used during the scam campaign, a list of victims is compiled for each attack, and only the IDs present in the list are hit. The unique ID is automatically generated for each victim, and a unique web address to click on is built for it.

“the kit immediately generates an attack page, creating it on the very same hijacked website. The kit’s code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials.”

When a victim’s ID is not included in the list of targets, the visitor who follows the link is simply presented with a harmless error page showing a 404 error message. Kessem said:

“And now we’re seeing the more unusual breeds: bouncer list phishing. It holds this moniker because much like many high-profile nighttime hotspots – if your name is not on the list, you’re staying out! After the kit collects victim credentials it sends them to yet another hijacked website (taken over using the exact same method of vulnerability exploit and web-shell), where the password-protected attack page lies in wait to steal user credentials.”

The approach could have serious consequences for the detection procedures implemented by the principal security firms, but what is the advantage of the technique? The method allows attackers to collect data related only to specific groups of users, and of course the technique is less noisy than the classic phishing scheme.

The technique is very efficient. Imagine an attack on a geographic region where a local shop offers exceptional discounts or where a specific event is being held: in such cases it is possible to address the victims by selecting only the IDs of users who live or work in the area, who are the most interested in the information provided and so more exposed to social engineering attacks. Unlike traditional massive phishing campaigns, these attacks collect only the most pertinent credentials from a restricted audience. The RSA expert explained that each campaign targeted an average of 3,000 recipients from a list containing a mix of user profiles (e.g. corporate addresses, bank employees) obtained by aggregating spam lists or data breach collections.

Phishing techniques are evolving and showing increasing complexity, and bouncer phishing is just the latest innovation in this sense. The RSA post also describes a couple of techniques used to compromise websites so that they can host the malicious code used in phishing attacks:

  • Preying on WordPress plugin zero-day vulnerabilities to compromise and hijack websites
  • Uploading a web-shell to hijacked sites, taking over and exploiting them as resources
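For the owner of a site that may have been hijacked in this way, the gating behaviour described above leaves a trace in the web server access log: one path whose answer flips between a 404 and a served page depending only on a token in the query string. The following detection sketch is an added example, not code from RSA or from the original post; the log lines, paths, the `id` parameter name and the assumption that listed IDs receive a 2xx or 3xx response are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Apache/nginx "combined" format; every host, path and ID is made up.
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jan/2013:10:01:02 +0000] "GET /wp-content/plugins/example/go.php?id=a91f3c HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jan/2013:10:03:11 +0000] "GET /wp-content/plugins/example/go.php?id=7be210 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.40 - - [19/Jan/2013:10:04:45 +0000] "GET /wp-content/plugins/example/go.php?id=000000 HTTP/1.1" 404 312 "-" "crawler"
198.51.100.23 - - [19/Jan/2013:10:06:30 +0000] "GET /wp-content/plugins/example/go.php?id=c44d90 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.41 - - [19/Jan/2013:10:09:02 +0000] "GET /wp-content/plugins/example/go.php?id=test HTTP/1.1" 404 312 "-" "crawler"
198.51.100.50 - - [19/Jan/2013:10:10:00 +0000] "GET /search.php?q=foo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.51 - - [19/Jan/2013:10:10:05 +0000] "GET /search.php?q=bar HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
198.51.100.52 - - [19/Jan/2013:10:10:09 +0000] "GET /search.php?q=baz HTTP/1.1" 200 5011 "-" "Mozilla/5.0"
198.51.100.53 - - [19/Jan/2013:10:10:15 +0000] "GET /search.php?q=qux HTTP/1.1" 200 4876 "-" "Mozilla/5.0"
198.51.100.60 - - [19/Jan/2013:10:12:00 +0000] "GET /old.php?id=1 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
198.51.100.61 - - [19/Jan/2013:10:12:30 +0000] "GET /old.php?id=2 HTTP/1.1" 404 312 "-" "Mozilla/5.0"
"""

# Captures the request target and the status code of one combined-format line.
REQUEST = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def find_gated_paths(log_text, min_tokens=4):
    """Return {(path, param): {"served": n, "denied": n}} for paths whose response
    flips between 404 and 2xx/3xx depending on the value of a query parameter."""
    seen = defaultdict(dict)  # (path, param) -> {token: last status seen}
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        target, status = m.groups()
        url = urlsplit(target)
        for param, token in parse_qsl(url.query):
            seen[(url.path, param)][token] = int(status)
    findings = {}
    for key, tokens in seen.items():
        denied = sum(1 for s in tokens.values() if s == 404)
        served = sum(1 for s in tokens.values() if 200 <= s < 400)
        # A file that exists normally never answers 404, and a missing one never
        # answers 2xx/3xx; a mix across many distinct tokens suggests a gate.
        if len(tokens) >= min_tokens and denied and served:
            findings[key] = {"served": served, "denied": denied}
    return findings

if __name__ == "__main__":
    for (path, param), counts in find_gated_paths(SAMPLE_LOG).items():
        print(f"{path}?{param}=<token>: {counts}")
```

A hit is a lead for manual review of the flagged directory (unexpected scripts, recently created temporary folders), not proof of compromise, since some legitimate applications also return 404 for unknown record IDs.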

You can bet that cyber criminals will study and implement new techniques in the future … and security companies will then try to remedy them, as in a continuous game of cops and robbers. In the meantime, let’s raise awareness … the only way to avoid cyber threats is to know them.

 

Pierluigi

