Online fraud is evolving, reports IT security firm RSA.
Phishing and pharming represent one of the most sophisticated, organized and innovative technological crime waves faced by online businesses. Fraudsters have new tools at their disposal; and are able to adapt more rapidly than ever.
The RSA Anti-Fraud Command Center (AFCC) is a 24×7 war-room that detects, monitors, tracks and shuts down phishing, pharming and Trojan attacks against more than 200 institutions worldwide. The AFCC has shut down over 42,000 phishing attacks and is a key industry source for information on phishing and emerging online threats. The following statistics have been gathered from the AFCC’s phishing repository. Each statistic includes a short analysis of the trends shown in the graphs based on the expertise of the fraud analysts in the command center.
Increase in the Amount of Free Man-in-the-Middle Phishing Kits Available in the Fraudster Underground
Phishing kits, both "regular" and of the Man-in-the-Middle (MITM) variety, are a well known commodity in the online fraudster forums. Creators of phishing kits sell them online to the phishers themselves, who in turn use them to launch attacks against financial institutions. It is also very common to see phishing kits which are offered at no charge in the forums or in separate dedicated web sites.
Kits which are available for free in the underground can usually be found in online repositories – sites dedicated to offering several kits that attack multiple targets, typically created by the same fraudster. Links to these repositories are usually provided by the author in IRC chat rooms and online fraudster forums. Most of these kits include what fraudsters call a "backdoor" – a string of code embedded into the kit which sends the phishing "results" – ie the stolen credentials – not only to the user of the kit, but also to the creator of the kit. This is the main reason why the creators of kits offer them for free and with such enthusiasm.
Websites that offer free phishing kits are not a novelty in the underground. They have been around for some time. However, recently RSA traced an interesting development in this area: The RSA FraudAction Intelligence team has noticed a rise in the number of repositories dedicated to providing free MITM kits. Looking at the kits themselves, RSA recently traced kits which target more than 10 of the world’s leading financial institutions.
Implications
MITM kits are now becoming more publicly available at no cost, which makes them an easily-obtained commodity by any fraudster, beginner or expert. Fraudsters can now access these repository sites, download a MITM kit, and launch an attack. Public availability of such kits may lead to an increase in the number of MITM phishing attacks.
The fact that these MITM kits are offered for free indicates that MITM attacks are now a common practice among fraudsters, and not something unusual (as was the case six to 12 months ago). This is no great surprise, as it was expected that the more obstacles fraudsters face, such as strong authentication for online banking, the more they will be forced to innovate and pursue alternative methods. The growing adoption rate of MITM attacks is one of the advances in phishing methods and online threats that RSA says it has seen in the past year. The increase in MITM kits correlates with the increase in the discussions that the RSA FraudAction Intelligence team has monitored in the fraudster forums regarding MITM attacks – otherwise known as "curl attacks" in fraudster terminology.
Mitigation of attacks
According to RSA, its 24×7 Anti-Fraud Command Center handles MITM attacks in a similar fashion to the way it deals with "standard" phishing attacks – relying on a broad monitoring and detection network, its blocking network, as well as its experience in site shutdown. And, RSA adds, it can further identify, analyse and mitigate this specific type of attack via the RSA eFraudNetwork, the company’s cross-institution anti-fraud network, by using analytics in the RSA Risk Engine to further protect customers that are connected to the network.
Christopher Young, Vice President, Consumer and Access Solutions Group at RSA, recently commented on MITM attacks: "As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets. While these types of attacks are still considered ‘next generation’, we expect them to become more widespread over the course of the next 12 to 18 months."
Young added: "We are working with many organisations to ensure they are positioned to withstand whatever threats fraudsters may create. Some of these organizations have already deployed various layers of protection and others are in the process of strengthening their security."
