Financial Institutions Warned New Fast Phishing Kit Found
With the recently discovered “plug and play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution. “This new phishing kit reduces the barrier. No technical expertise is needed by the phisher, and it is far less risky as the remote host is only accessed once,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group.
The new “plug-and-play” phishing kit reduces the time and effort required of the fraudster by automating the site installation process. The “kit” is a single PHP code file, which is run on the compromised server once and automatically creates the relevant directories and installs all of the files associated with the specific phishing site. Within seconds of running the file, a complete phishing site is “live,” explained Gaffan.
“If a regular person had that file in his hand, and had a server to launch it from, they would be able to launch an attack,” Gaffan said. He compared this type of phishing kit to a house burglar’s set of keys. “When you break into a house, you want to spend as little time as possible in the house,” he said. “This allows the phishers to get in and out very quickly.”
Gaffan noted that when the RSA Anti Fraud Command Center (AFCC) found the new type of phishing kit, it turned out to be a single file which creates an entire phishing site on a compromised server when “double-clicked,” similar to “.exe” installation files.
This is a change from traditional phishing sites, which usually consist of various files installed on the compromised server where the attack is hosted. Typical files are PHP code files, HTML pages, images of the bank logo and cards, and so on, Gaffan said. The files must be installed one by one, in the appropriate directories, on the server controlled by the phisher. The process is rather simple and not very time consuming; however, it does mean that the phisher has to access the compromised server several times and install the files manually.
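The contrast above (many files uploaded over several sessions versus an entire site written in one pass) is something a web host can look for. The following is an added defender-side example, not code from the article or from RSA: it scans a web root for bursts of files created within seconds of each other; the directory names and timestamps in the sample are constructed.

```python
import os

def collect_files(root):
    """Walk a web root and return (relative_path, mtime) pairs, '/'-separated."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records.append((rel, os.path.getmtime(full)))
    return records

def find_install_bursts(records, window=5.0, min_files=4):
    """Return bursts of at least `min_files` files whose mtimes all fall within
    `window` seconds of the first, as (start_mtime, top_dir, paths).
    A hand-installed site accumulates over several sessions; a kit that writes
    everything in one pass leaves one tight cluster."""
    ordered = sorted(records, key=lambda r: r[1])
    bursts = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1][1] - ordered[i][1] <= window:
            j += 1
        group = ordered[i:j + 1]
        if len(group) >= min_files:
            tops = {path.split("/")[0] for path, _ in group}
            top = tops.pop() if len(tops) == 1 else ""  # '' if spread across dirs
            bursts.append((group[0][1], top, [path for path, _ in group]))
        i = j + 1
    return bursts

# Constructed sample: a legitimate site edited over a week, then one kit run
# that drops a whole fake-login tree in under two seconds.
T0 = 1_180_000_000.0  # arbitrary epoch base for the constructed data
SAMPLE = [
    ("index.html", T0),
    ("css/site.css", T0 + 86_400),
    ("images/header.png", T0 + 3 * 86_400),
    ("secure-login/index.php", T0 + 7 * 86_400),
    ("secure-login/verify.php", T0 + 7 * 86_400 + 0.4),
    ("secure-login/img/logo.gif", T0 + 7 * 86_400 + 0.9),
    ("secure-login/img/card.gif", T0 + 7 * 86_400 + 1.3),
    ("secure-login/thanks.html", T0 + 7 * 86_400 + 1.8),
]

if __name__ == "__main__":
    for start, top, paths in find_install_bursts(SAMPLE):
        print(f"{len(paths)} files written within seconds under '{top}/'")
```

On a live server, pass `collect_files("/var/www/html")` (path assumed) to `find_install_bursts` and review any burst that lands in a directory nobody deployed.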
Gaffan said this kit was used multiple times to attack the same financial institution. Does RSA expect more attacks like this? “It’s too soon to tell. It’s difficult to see so far, with only a month from it first being discovered among the thousands of attacks each month. It will probably take a couple of months to see if it has an impact on the overall numbers of attacks,” Gaffan predicted. He added that phishing, like any other technology, has an adoption and learning curve.
The handful of attacks carried out with this kit, Gaffan notes, is most probably the work of newcomers to the phishing scene. “RSA believes that because it is so easy, they’ll be trying it out on different sites,” he said. During testing of the kit in the RSA phishing lab, a phishing site was installed within approximately two seconds.
The convenience of creating phishing attacks with the “plug-and-play” phishing kit has no impact on how these attacks are detected and mitigated. “Once the attack is live and phishing emails are sent, the detection and shut-down efforts are exactly the same as in any other phishing attack,” Gaffan said. RSA’s AFCC has shut down several instances of attacks built using the “plug-and-play” phishing kit, using the same shut-down process applied to traditional phishing attacks.
Gaffan noted that the threat of phishing doesn’t hit the corporate side as much as personal home computers, “especially if the PC is turned on and links to the Internet with a broadband connection.”
Geographies with large numbers of broadband users, connected to the Internet all of the time, have been targets of criminals who look to take over those machines. “The overall number of vulnerable machines is high, because most people don’t install a firewall, or anti-virus or anti-malware,” he said.
There is more bad news for financial institutions: the RSA report that described the plug-and-play kit also noted that 36 new entities were attacked in the month, and the majority of them were financial institutions. “The others who were attacked were payment oriented sites, or have access to customer credentials,” he noted.
The trend RSA sees in the type of bank or credit union being attacked, Gaffan noted, is further penetration into smaller, regional banks and credit unions. “Looking at these numbers, the absolute case in the last two years, it was the nationwide banks, the top ten US banks, the phishers were attacking them in large numbers.”
They are now targeting small credit unions, with smaller pools of members, and getting a small percentage of bites, Gaffan explained. One reason for the phishers moving down the scale is that the larger institutions are better prepared for takedown and countermeasures.
Another type of phishing hitting regional banks and credit unions is “spear phishing,” Gaffan said. “Let’s say a regional retailer database is hacked, and they only steal email addresses. Those email addresses can be used in a spear phishing attack against a local or regional bank. You as a phisher are counting that the people you’re targeting do their banking locally. So the phishers will target phishing attack emails to the entire list.”
The phisher’s chance of getting a high hit rate rests on people feeling more secure banking at a smaller institution, Gaffan explained. “They will ask ‘who would attack my email or target my little credit union that only has 11,000 members?’ Everyone knows that large banks have been targeted and phished and those account holders will be more wary; smaller institutions’ customers are not as aware,” he added.
For further information: RSA June 2007 Report.