Phishing: The Privatization of Trojans RSA Researcher Details Evolution of Cross-Channel Attacks

Phishing schemes continue to evolve and grow, and they're increasingly targeting new channels, such as mobile, says Daniel Cohen, a researcher for security firm RSA.

Cohen says the online world is no closer than it was seven years ago to solving the phishing problem.

"We have to remember that phishing is the easiest attack to launch against end-users and we're going to see that continue through 2013 and 2014," says Cohen, who specializes in online fraud threats and cyber-intelligence, during an interview with Information Security Media Group [transcript below].

The latest phishing trends include the privatization of banking Trojans, attacks tailored toward mobile devices and cybercriminals turning to other industries to target, Cohen says. "In terms of the bad guys, they're opportunistic," he explains.

The Phishing Struggles

When it comes to defending against phishing attacks, most organizations struggle to keep up, Cohen says. Online security initiatives such as DMARC - the Domain-based Message Authentication, Reporting and Conformance initiative - are a step in the right direction, he adds. But until this protocol, which aims to standardize how e-mail receivers perform e-mail authentication, is widely adopted and becomes a uniform practice, it won't be effective (see DMARC: Taking a Bite Out of Phishing).

"Until that happens, we still have to continue with the user awareness, [and] be aware of the phishing threats out there," Cohen says. "We, as an industry, have to continue to protect and mitigate that threat."

During this interview, Cohen discusses:

  • How malware privatization is making Trojans more sophisticated and difficult to detect;
  • How phishing schemes are growing in certain global markets;
  • Why the financial industry is the most-often targeted by phishing attacks.

At RSA, Cohen serves as the head of business development for the Online Threats Managed Services division, where he researches emerging malware attacks as well as other online risks.

Phishing Trends

TRACY KITTEN: How are the phishing trends that RSA is seeing, as well as some of the mobile threats you're tracking, evolving?

DANIEL COHEN: In terms of phishing, 2012 was a landmark year, when phishing volumes were sky-high. Looking at 2013, the year has seen a slight decline in phishing. But comparing month-over-month - 2013 to 2012 - we do still see high numbers of phishing. In terms of the crime, phishing is going to continue. We have to remember that phishing is the easiest attack to launch against end-users, and we're going to see that continue through 2013 and 2014.

In terms of the mobile channel, we have to look at mobile as a device that basically keeps us connected 24/7. As such, we're more prone to attacks, because once we get that SMS, once we get that Facebook update or e-mail, we're immediately there following the link and hitting the phishing site. But we have to remember, at the end of the day, phishing is phishing is phishing, even when it hits the mobile device. And we're obviously working to detect that and mitigate that, too.

Trojan Evolution

KITTEN: What kind of evolution are you seeing in Trojans affiliated with some of these phishing attacks?

COHEN: Trojans are continuing to develop, and we have seen a move to what we're calling the privatization of Trojans. We're no longer seeing commercial Trojans available out there, such as the Citadel, Ice IX or SpyEye. That means, as a botmaster or a Trojan operator today, it's not easy for you to find a Trojan that's constantly developed and the bugs are fixed. There's no active R&D [research and development] behind these public Trojans.

Today, we're seeing Trojans becoming privatized in that the development, support and maintenance are done in very, very closed and controlled groups. Today, the bad guys have to rely on older Trojans, such as Zeus, which was made public back in 2011. But we're still seeing constant development, even in those private groups. Trojans are still slipping out and we're still detecting them.

One of the more interesting trends that we're seeing in terms of Trojan development is around the orchestrated attacks that cross the mobile and PC worlds. Today, a lot of banks will use a second factor, out-of-band authentication, SMS authentication, and the bad guys are trying to get around that. What they're doing is developing mobile counterparts, which they manage to get on your mobile device. These basically sniff your SMS stream. Then, any kind of authentication code that you get from the bank is picked up by this malware and forwarded to the bad guy so that he can complete the fraudulent transfer. We're seeing more and more of that.

We [recently] discovered that the Bugat Trojan is now also coming out with a mobile counterpart. Even there, we're seeing that the user logs into their bank account and the Trojan on the machine injects HTML screens, asking the end-user to now download software, because the bank is improving its security infrastructure. The end-user provides certain information, like the mobile-phone operating system and provides their telephone number. Then he or she gets an SMS to download the mobile software. And once they've downloaded and installed the software, their phone is now compromised. Any SMS coming from the bank is then picked up by the device. That's where we're seeing malware move into.

KITTEN: This type of compromise that incorporates mobile is something that you're watching, right?

COHEN: We're seeing this move into more manual-based, man-in-the-browser attacks, where the bad guys are there online as the user is logging into the bank, and they are picking up the SMS in order to complete the transfers. We're going to continue seeing this as the world becomes more and more mobile. Obviously, these opportunistic hackers are going to go after that world, too.


KITTEN: When it comes to fighting some of these attacks, what can the industry do?

COHEN: DMARC is a good protocol for securing e-mail, but, like we said, it has to be adopted more widely - trickle down from the larger e-mail hosts and providers out there to the smaller ones. Until that happens, we still have to continue with the user awareness and be aware of the phishing threats out there. Obviously, we, as an industry, have to continue to protect and mitigate that threat.

Targeted Sectors

KITTEN: What about the sectors that are most-often targeted? Financial services has been a targeted industry and will continue to be a targeted industry. But are there other sectors that are being hit more often now by some of these phishing attacks?

COHEN: We spotted phishing against the gaming industry, trying to phish your gaming credentials. We've seen phishing against pharmaceutical, healthcare, airlines. But in terms of the bad guys, they're opportunistic. They're looking for the quick money, the quick buck, and it's the quickest in the financial industry. Once they get your credentials, they can make money from just selling your credentials. Those credentials carry a nice value in the underground, so it's an easy and quick turnaround for them.

Global Market Variations

KITTEN: What about global market variations? Are certain parts of the world more targeted than others?

COHEN:In terms of the phishing market leaders for 2012, the U.K. would top the charts, followed by the U.S., Canada and South Africa. All were leaders in terms of the volumes of phishing. We do see emerging markets being affected, too. For example, Thailand this year jumped by over 250 percent in terms of phishing volume. India has jumped by over 150 percent. We see these variations around the globe. But, generally speaking, the U.K. and the U.S. have always been top targets.

Compromised U.S. Servers

KITTEN: Most of the phishing attacks that RSA has been tracking are actually coming from compromised servers located in the U.S. What's the reason for that?

COHEN: That's a good question, and certainly most of the phishing attacks are usually hosted on compromised websites. These could be websites that belong to a family outlet-type website that's using off-the-shelf web-server software. The bad guys look out for these hosts and they know they're easy to compromise. They leverage that.

... Almost 50 percent of the phishing attacks against APJ [Asia-Pacific-Japan] entities are hosted on U.S. hosting infrastructure. Of those, over 77 percent are hosted on hijacked servers. One of the reasons that could be behind that is the fact that there are just so many servers out there in the U.S. hosting different content, whether it's small business storefronts or family outlets, like we mentioned. The bad guys find them easily, compromise them easily and then use them as hosting infrastructure for their attacks.

Around the Network