
Bouncer list phishing, a new variant described by RSA

Despite the simplicity of the scheme, phishing attacks have increased exponentially in recent years, targeting every sector, both public and private. RSA's October 2012 Online Fraud Report revealed a worrying scenario: phishing attacks were up 19% compared with the second half of 2011, and the total loss for organizations has been estimated at $2.1 billion over the last 18 months.

“As we close out 2012, it’s safe to say that phishing has had yet another record year in attack volumes. The total number of phishing attacks launched in 2012 was 59% higher than the total calculated for 2011, up from 279,580 attacks to 445,004, costing the global economy over $1.5 billion dollars in fraud damages. According to RSA research, this amount is 22% higher than the losses recorded in 2011, part of the growing worldwide monetary losses associated with phishing attacks.” “Beyond rising attack numbers and the money they harvest, phishing kits are increasingly advancing on the technical level, written by malware authors and black hats. 2012 saw the popular use of kit plugins doing real-time credential validation; or reporting via web analytics tools the success of attack campaigns.”

Phishing attacks are exploiting new channels, such as social media and mobile, because of the wide diffusion of these platforms and the lack of proper security countermeasures. Security firm RSA has recently published a post in which cybercrime specialist Limor Kessem describes a new phishing scheme, dubbed bouncer list phishing. According to the post, the criminals identify each target uniquely: every victim is assigned an ID that is used throughout the scam campaign, each attack is run against a list of victims, and only the IDs present in that list are served the attack. The ID is generated automatically for each victim and embedded in a unique web address that only that victim is meant to click on.

“the kit immediately generates an attack page, creating it on the very same hijacked website. The kit’s code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials.”

When a victim's ID is not included in the target list, the link simply returns a harmless error page showing a 404 message. Kessem said:

“And now we’re seeing the more unusual breeds: bouncer list phishing. It holds this moniker because much like many high-profile nighttime hotspots – if your name is not on the list, you’re staying out! After the kit collects victim credentials it sends them to yet another hijacked website (taken over using the exact same method of vulnerability exploit and web-shell), where the password-protected attack page lies in wait to steal user credentials.”

The approach could have serious consequences for the detection procedures implemented by the principal security firms: a crawler, URL scanner or analyst who visits the link without a listed ID, or with the ID stripped or altered, sees only the 404 page and never reaches the phishing content. But what is the advantage of the technique for the attacker? It allows the criminals to collect data only from a specific group of users, and it is far less noisy than the classic phishing scheme. The technique is also very efficient: imagine an attack on a geographic region where a local shop offers exceptional discounts or where a specific event is being arranged. In that case it is possible to target only the IDs of users who live or work in the area, the people most interested in the information and therefore most exposed to social engineering. Unlike a traditional mass phishing campaign, only the most pertinent credentials, from a restricted audience, are collected. RSA explained that each campaign targeted an average of 3,000 recipients from a list containing a mix of user profiles (e.g. corporate addresses, bank employees), obtained by aggregating spam lists and data breach collections. Phishing techniques are evolving and showing increasing complexity, and bouncer list phishing is just the latest innovation in this sense. The RSA post also describes two techniques used to compromise the websites that host the malicious code for these attacks:

  • Preying on WordPress plugin zero-day vulnerabilities to compromise and hijack websites
  • Uploading a web-shell to hijacked sites, taking over and exploiting them as resources
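As an added illustration (not code from the RSA post, and not the code of any real kit), the following Python models both sides of the technique described above: a hypothetical kit gate that answers 404 unless the `id` on the URL is on its list, and the triage a defender can run over the URLs several recipients reported from one campaign, to recognise a per-recipient keyed campaign and derive a block indicator that will actually match. The hostname, the temporary folder name, the tokens and the `id` parameter name are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed sample: the URLs four recipients of one campaign forwarded to
# the security team. Host, folder name and tokens are invented.
REPORTED_URLS = [
    "http://hijacked-blog.example/wp-content/tmp_9f31/login.php?id=3e7a9c1b5d2f",
    "http://hijacked-blog.example/wp-content/tmp_9f31/login.php?id=b81d0c44e9a7",
    "http://hijacked-blog.example/wp-content/tmp_9f31/login.php?id=f05e6a2d7c13",
    "http://hijacked-blog.example/wp-content/tmp_9f31/login.php?id=5c9b2e8d1a46",
]

# Constructed: the IDs the hypothetical kit accepts, i.e. its "bouncer list".
VALID_IDS = {"3e7a9c1b5d2f", "b81d0c44e9a7", "f05e6a2d7c13", "5c9b2e8d1a46"}


def shannon_entropy(s):
    """Bits per character of a string; random-looking tokens score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def per_recipient_params(urls):
    """Find query parameters whose value differs on every reported URL.

    URLs are grouped by scheme+host+path first, so two unrelated landing
    pages are never compared with each other. Returns
    {(page, param): {"count": n, "min_entropy": bits}}.
    """
    by_page = defaultdict(list)
    for u in urls:
        p = urlsplit(u)
        by_page[f"{p.scheme}://{p.netloc}{p.path}"].append(parse_qs(p.query))
    found = {}
    for page, queries in by_page.items():
        if len(queries) < 2:
            continue
        for name in set().union(*(q.keys() for q in queries)):
            values = [q[name][0] for q in queries if name in q]
            if len(values) != len(queries):
                continue  # parameter missing on some URLs: not the key
            if len(set(values)) == len(values):
                found[(page, name)] = {
                    "count": len(values),
                    "min_entropy": round(min(shannon_entropy(v) for v in values), 2),
                }
    return found


def is_bouncer_style(urls, min_entropy=3.0):
    """True when the campaign keys each URL on a distinct, high-entropy token."""
    return any(v["min_entropy"] >= min_entropy
               for v in per_recipient_params(urls).values())


def kit_gate(url, valid_ids=VALID_IDS):
    """Model of the bouncer check on the hijacked site (hypothetical kit
    logic): the fake login page is served only for an ID on the list; every
    other request gets a plain 404. Returns (status, body)."""
    token = parse_qs(urlsplit(url).query).get("id", [""])[0]
    if token in valid_ids:
        return 200, "<form action='collect.php'>fake login</form>"
    return 404, "Not Found"


def with_id(url, new_id):
    """Rewrite the id parameter; None drops it (what many URL scanners do)."""
    p = urlsplit(url)
    qs = parse_qs(p.query)
    if new_id is None:
        qs.pop("id", None)
    else:
        qs["id"] = [new_id]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(qs, doseq=True), p.fragment))


def block_indicator(url):
    """Indicator for a blocklist: host+path only. A rule keyed on the full
    URL would match one recipient's token and miss every other recipient."""
    p = urlsplit(url)
    return f"{p.netloc}{p.path}"


if __name__ == "__main__":
    print(per_recipient_params(REPORTED_URLS))
    original = REPORTED_URLS[0]
    for label, u in [("as delivered", original),
                     ("id stripped", with_id(original, None)),
                     ("id altered", with_id(original, "000000000000"))]:
        print(f"{label:13s} -> HTTP {kit_gate(u)[0]}")
    print("block on:", block_indicator(original))
```

Two practical points follow from the model: a reported URL must be submitted to a sandbox or scanner exactly as it was delivered, because stripping or rewriting the token produces the same 404 the kit shows to anyone off the list; and blocking should key on host and path rather than on the full URL, since every recipient's link differs only in the token.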

You can bet that in the future new techniques will be devised and implemented by cyber criminals, and security companies will then try to remedy them, in a continuous game of cops and robbers. In the meantime, let's raise awareness: the only way to avoid cyber threats is to know them.


Pierluigi

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
