Financial Institutions Warned New Fast Phishing Kit Found

With the recently discovered “plug-and-play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution. “This new phishing kit reduces the barrier. No technical expertise is needed by the phisher, and it is far less risky as the remote host is only accessed once,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group.

The new “plug-and-play” phishing kit reduces the time and effort required of the fraudster by automating the site installation process. The “kit” is a single PHP code file that is run on the compromised server once; it automatically creates the relevant directories and installs all of the files associated with the specific phishing site. Within seconds of running the file, a complete phishing site is “live,” explained Gaffan.

“If a regular person had that file in his hand, and had a server to launch it from, they would be able to launch an attack,” Gaffan said. He described this type of phishing kit as a house burglar’s set of keys. “When you break into a house, you want to spend as little time as possible in the house,” he said. “This allows the phishers to get in and out very quickly.”

Gaffan noted that when the RSA Anti Fraud Command Center (AFCC) found the new type of phishing kit, it turned out to be a single file that creates an entire phishing site on a compromised server when “double-clicked,” similar to an “.exe” installation file.

This is a change from traditional phishing sites, which usually consist of various files installed on the compromised server where the attack is hosted. Typical files are PHP code files, HTML pages, images of the bank logo and cards, and so on, Gaffan said. The files must be installed one by one, in the appropriate directories, on the server controlled by the phisher. The process is rather simple and not very time-consuming; however, it does mean that the phisher has to access the compromised server several times and install the files manually.
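As an added defensive example (not code from RSA or from the article), the following script looks for the file-system footprint that the kit described above leaves behind: a single PHP file appearing on the web server, followed within seconds by a burst of new directories and files, as opposed to the slower, multi-session installation of a traditional kit. The paths, timestamps and thresholds are constructed for illustration.

```python
import os
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed file-creation events (timestamp, path) as a file-integrity
# monitor or inotify/auditd feed would report them; not real data.
EVENTS = [
    ("2007-06-12 10:14:02", "/var/www/html/index.php"),          # routine edit
    ("2007-06-12 13:02:10", "/var/www/html/uploads/setup.php"),  # single file dropped
    ("2007-06-12 13:02:11", "/var/www/html/uploads/bank/index.html"),
    ("2007-06-12 13:02:11", "/var/www/html/uploads/bank/login.php"),
    ("2007-06-12 13:02:11", "/var/www/html/uploads/bank/images/logo.gif"),
    ("2007-06-12 13:02:12", "/var/www/html/uploads/bank/images/card.gif"),
    ("2007-06-12 13:02:12", "/var/www/html/uploads/bank/confirm.php"),
    ("2007-06-12 13:02:12", "/var/www/html/uploads/bank/thanks.html"),
]

def find_kit_bursts(events, window_seconds=5, min_files=5):
    """Group file creations into bursts (each burst spans at most
    window_seconds from its first event) and report bursts of at least
    min_files. A hand-installed site, as described in the article,
    trickles files in over several sessions and will not trigger this."""
    parsed = sorted((datetime.strptime(t, TS_FMT), p) for t, p in events)
    groups, current = [], []
    for ts, path in parsed:
        if current and ts - current[0][0] > timedelta(seconds=window_seconds):
            groups.append(current)
            current = []
        current.append((ts, path))
    if current:
        groups.append(current)

    alerts = []
    for g in groups:
        if len(g) < min_files:
            continue
        php = [p for _, p in g if p.endswith(".php")]
        alerts.append({
            "start": g[0][0].strftime(TS_FMT),
            "files": len(g),
            "dirs": sorted({os.path.dirname(p) for _, p in g}),
            # the earliest PHP file in the burst is the likely installer
            "installer": php[0] if php else None,
        })
    return alerts

if __name__ == "__main__":
    for a in find_kit_bursts(EVENTS):
        print(f"{a['start']}: {a['files']} files, {len(a['dirs'])} dirs, installer {a['installer']}")
```

The window and file-count thresholds should be tuned against the server's normal deployment pattern so that legitimate releases, which also write many files at once, are excluded by time of day or by the deploying account.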

Gaffan said this kit was used multiple times to attack the same financial institution. Does RSA expect more attacks like this? “It’s too soon to tell. It’s difficult to see so far, with only a month from it first being discovered among the thousands of attacks each month. It will probably take a couple of months to see if it has an impact on the overall numbers of attacks,” Gaffan predicted. He added that phishing, like any other technology, has an adoption and learning curve.

The handful of attacks using this kit, Gaffan notes, most probably come from newcomers to the phishing scene. “RSA believes that because it is so easy, they’ll be trying it out on different sites,” he said. During testing of the kit in the RSA phishing lab, a phishing site was installed within approximately two seconds.

The convenience of creating phishing attacks with the “plug-and-play” phishing kit has no impact on how these attacks are detected and mitigated. “Once the attack is live and phishing emails are sent, the detection and shut-down efforts are exactly the same as in any other phishing attack,” Gaffan said. RSA’s AFCC has shut down several instances of attacks built using the “plug-and-play” phishing kit utilizing the same effective shut-down process used for traditional phishing attacks.

Gaffan noted that the threat of phishing doesn’t hit the corporate side as much as personal home computers, “Especially if the PC is turned on and links to the Internet with a broadband connection.”

Geographies with large numbers of broadband users, connected to the Internet all of the time, have been targets of criminals who look to take over those machines. “The overall number of vulnerable machines is high, because most people don’t install a firewall, or anti-virus or anti-malware,” he said.

There is more bad news for financial institutions: the RSA report that described the plug-and-play kit also noted that 36 new entities were attacked in the month, and the majority of them were financial institutions. “The others who were attacked were payment-oriented sites, or have access to customer credentials,” he noted.

The trend RSA sees in the type of bank or credit union being attacked, Gaffan noted, is further penetration to smaller, regional banks and credit unions. “Looking at these numbers, the absolute case in the last two years, it was the nationwide banks, the top ten US banks, the phishers were attacking them in large numbers.”

They are now targeting small credit unions, with smaller pools of members and getting a small percentage of bites, Gaffan explained. One reason for the phishers moving down the scale is that the larger institutions are better prepared for takedown and countermeasures.

Another type of phishing hitting regional banks and credit unions is “spear phishing,” Gaffan said. “Let’s say a regional retailer database is hacked, and they only steal email addresses. Those email addresses can be used in a spear phishing attack against a local or regional bank. You as a phisher are counting that the people you’re targeting do their banking locally. So the phishers will target phishing attack emails to the entire list.”

The phisher’s chance of getting a high hit rate is based on people feeling more secure banking at a smaller institution, Gaffan explained. “They will ask ‘who would attack my email or target my little credit union that only has 11,000 members?’ Everyone knows that large banks have been targeted and phished, and those account holders will be more wary; smaller institutions’ customers are not as aware,” he added.

For further information: RSA June 2007 Report.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
