Q4 2016 Newsletter

FraudAction™ Anti-Fraud Services

Q4 2016 NEWSLETTER

TABLE OF CONTENTS

Introduction ...... 3

The Many Schemes and Techniques of Phishing ...... 4

The Tax Refund Ploy - Multi-branded Phishing ...... 4

Bulk Phishing Campaigns ...... 4

Random Folder Generators ...... 5

Local HTML Scheme ...... 6

BASE64 encoded Phishing in a URL ...... 7

Phishing with MITM capabilities ...... 7

Phishing Plus Mobile Malware in India ...... 10

Fast-Flux Phishing ...... 13

Additional Phishing Techniques ...... 14

Summary ...... 16

Malware Statistics ...... 17

Variants per Quarter ...... 17

Unique Trojan Communication Points - URLs per Quarter ...... 17

Global Distribution of Trojan Families ...... 18

Top Trojan-Hosting ISP ...... 18

Top Registrars of Trojan Domains ...... 19

Top Trojan-Hosting Countries ...... 19

Phishing Statistics ...... 20

Global Phishing Attack Volumes ...... 20

Top Countries Hosting Phishing ...... 21

Top ISPs Hosting Phishing ...... 21

Top Registrars Hosting Phishing ...... 22

In Case You Missed it...... 23

Threat Reports ...... 23

FraudAction Webinars You May Have Missed ...... 23

Note: Figures and statistics in this report are based on data collected by RSA’s Anti-Fraud Command Center (AFCC) in its 24x7x365 battle against phishing and cyber fraud.

INTRODUCTION In this issue of the FraudAction Quarterly Newsletter, our highlight story focuses on the oldest trick in the book: phishing. With over a decade of experience fighting phishing attacks at the AFCC, we provide an overview of phishing techniques through the years. Our quarterly global detection statistics are presented in Malware Variants and Phishing Attacks.

In Case You Missed It lists the reports that were sent out over the last six months, so that you can look up reports that you may have missed. We also have a roundup of FraudAction Webinars You May Have Missed.

Are you familiar with FraudAction Cyber Intelligence?

RSA FraudAction Cyber Intelligence (FACI) is a service that provides targeted research and reports on a wide range of cybercrime attacks that facilitate identity theft, emerging threats and fraud trends.

The FraudAction Cyber Intelligence team continuously observes cybercrime threat sources to gather intelligence and deliver it to your organization. Monitoring open-source and closed deep web sources, RSA diligently analyzes intelligence picked up by our sensors and reports it in a swift, easily consumable fashion. With years of experience in the intelligence space, RSA's researchers often directly engage with cybercriminals to uncover further information about specific methods of operation and reveal emerging attack tactics. FACI offers:

. Intelligence on a wide range of underground services that facilitate identity theft and cybercrime, identifying emerging threats and fraud trends. . Identifying cash out and cross-channel exploits targeting your organization(s) worldwide. . Uncovering mule accounts and items drops. . Revealing underground stores selling compromised online banking and payment card accounts. . Enabling coordination of sting operations to reveal infrastructure sources used by cybercriminals to launch attacks.

In the past quarter, FraudAction Cyber Intelligence has recovered over 1.5-million compromised credit cards, over 3.4-million compromised accounts in the underground, and 290 ‘mule’ bank accounts and item drop addresses.

Integrating intelligence feeds into Web Threat Detection (WTD) - our intelligence team has made great efforts to improve efficiency and visibility in the detection of a number of crucial fraud activities and indicators, providing them as automated monthly feeds. Now, the FraudAction Intelligence feeds can be easily integrated into the Web Threat Detection analysis server and drive enhanced detection of threats to your organization.

RSA FraudAction 360 offers a complete threat management service that provides proactive detection and mitigation of cyber threats such as phishing, Trojans and mobile rogue apps. Additionally, customers can gain deeper insight into emerging threats with intelligence reports and data feeds that provide deep visibility into the cybercrime underground. The service includes:

. Threat Detection and Alerts: Proactively preventing fraud attempts through early attack detection and real- time alerts identified via a broad partner network and active scanning of tens of millions of URLs. . Mitigation and Site Shutdown: Reducing the financial impact of cyber threats through rapid shutdown of infection points, command and control sites, and drop zones worldwide. . Forensics and Credential Recovery: Extensive forensic analysis provides organizations with additional intelligence insights including compromised personal information, email drop accounts, and specific IP information showing where an attack was launched. . FraudAction Blocking Network. Preventing and blocking access to identified phishing sites and malware infection, drop, and update points.

To keep up with the latest developments and discoveries, follow us on Twitter: @rsafraud and explore our new re-launched website: rsa.com/en-us/products-services/fraud-prevention

THE MANY SCHEMES AND TECHNIQUES OF PHISHING

THE TAX REFUND PLOY - MULTI-BRANDED PHISHING

One phishing scam that Phishers love to use is to bait victims with a supposed tax refund notification via email - pretending to come from an official government tax/revenue service in different countries. When victims follow the link, they see a phishing website that has the same look and feel of the legitimate revenue service site of their country, with a list of all the banks in that region. The victim is prompted to select their bank and enter personal information to receive a refund. This ploy enables fraudsters to steal data from customers at several banks at once and increase their fraud coverage.

BULK PHISHING CAMPAIGNS

Another popular trend is performing phishing campaigns in bulk form. This means that rather than deploying a single phishing website that is eventually sent to victims, fraudsters deploy them in bulk, and distribute URLs randomly among phishing emails. This tactic increases the phishing site’s lifespan and makes the detection and shutdown process a bit harder. Contrary to a usual phishing site where the scammers use one or two hijacked websites to deploy a phishing kit, the bulk scheme could encompass dozens of hijacked websites with several phishing directories on each one, resulting in hundreds of phishing websites. For example:

http://examplesite1.com/pathtobulkphish/qwsd21/phishing_site/login.html http://examplesite1.com/pathtobulkphish/wqpwow/phishing_site/login.html http://examplesite1.com/pathtobulkphish/ux78nj/phishing_site/login.html http://examplesite1.com/pathtobulkphish/adhwe1/phishing_site/login.html http://examplesite1.com/pathtobulkphish/hkj3k7/phishing_site/login.html http://examplesite1.com/pathtobulkphish/57askv/phishing_site/login.html http://examplesite1.com/pathtobulkphish/loinc2/phishing_site/login.html http://examplesite1.com/pathtobulkphish/4jvrgr/phishing_site/login.html http://examplesite1.com/pathtobulkphish/mnjnde/phishing_site/login.html http://examplesite1.com/pathtobulkphish/hm37lj/phishing_site/login.html http://examplesite1.com/pathtobulkphish/oxk2hl/phishing_site/login.html http://examplesite1.com/pathtobulkphish/1be0lv/phishing_site/login.html http://examplesite1.com/pathtobulkphish/cmq8wz/phishing_site/login.html . . . http://examplesite2.com/pathtobulkphish/qwsd21/phishing_site/login.html http://examplesite2.com/pathtobulkphish/wqpwow/phishing_site/login.html http://examplesite2.com/pathtobulkphish/ux78nj/phishing_site/login.html http://examplesite2.com/pathtobulkphish/adhwe1/phishing_site/login.html http://examplesite2.com/pathtobulkphish/hkj3k7/phishing_site/login.html . . . http://examplesite3.com/pathtobulkphish/qwsd21/phishing_site/login.html http://examplesite3.com/pathtobulkphish/wqpwow/phishing_site/login.html http://examplesite3.com/pathtobulkphish/ux78nj/phishing_site/login.html http://examplesite3.com/pathtobulkphish/adhwe1/phishing_site/login.html http://examplesite3.com/pathtobulkphish/hkj3k7/phishing_site/login.html . . .

Detecting one or two of these URLs and shutting them down can still leave other URLs online. The randomly generated folder names in these phishing URLs makes them much harder to detect. Needless to say, when fraudsters host the phishing attacks on domains that they bought, it complicates the handling of such attacks as there is little or no cooperation from domain registrants in trying to shut down phishing sites. On the other hand,

hijacked website registrants are often more willing to cooperate and cease the abuse of their websites. These phishing campaigns are often orchestrated by several threat actors.

RANDOM FOLDER GENERATORS

Some of the newer phishing kits have been observed to generate a new randomized phishing URI for each new victim accessing the primary phishing link. The victims receive a link (by email or another distribution method) the redirects them to a folder-generating script. Once the victim accesses the link, a fresh (URI) folder is generated on the fly, resulting in a ‘personal’ phishing site dedicated to this instance and this victim. The folders are usually named with a random sequence of characters, often using the IP address or email address of the victim. In some cases, the entire folder is deleted as soon as the victim completes entering all of the requested personal information, and the data is sent off to a phishing drop site or email address. Here is a generic example - the initial link in the phishing email looks like this:

http://somesite.net/folder1/folder2/index.php The PHP code in the snapshot below is an example of a random folder-generating script.

Random name

generating function

Randomize the name some more Logging every access in file including IP, date, and browser type

File copying function

Base directory - contents are copied from here

Copy the contents to generated folder and redirect to it

index.php is a PHP script that creates a random folder and copies all the required resource files from the phishing kit (html, js, css, images, etc.) to a newly created folder per victim access. In some cases, instead of a new folder, the index.php script extracts these files from a ZIP archive sitting in the ‘base’ directory of the phishing campaign, and deploys them as is, using the name of the archive folder.

Phishing email Victim follows a folder-generating URL

1) New randomly-named folder is generated Folder- 2) Required files are copied from base directory to generating script new folder 3) Victim is redirected to newly generated URL

Newly

generated Phishing site is presented to victim folder

This scheme is simple to operate, but it complicates detection and shutdown efforts much like other schemes described here. When one randomly deployed phishing URL is detected, it might be deleted in minutes, which can mislead security personnel into thinking that the site has been brought down. In actual fact, the site remains active and online, simply waiting for a new victim to access the initial link. In order to handle these cases effectively, it is crucial to detect and shutdown the ‘base’ directory (or archive) that contains initial phishing site and resources.

LOCAL HTML SCHEME

The phishing scheme that is commonly called ‘Local HTML’ involves an HTML file that is attached to an email message. Victims are prompted to open it and fill out their personal data. The phishing site contents are placed in a single HTML file (except for the data handling script and drop point URL that are incorporated in the form tag action attribute described earlier). The script can be hosted by an online form-handling service, or as a PHP script hosted on a hijacked website. In both cases, the data is usually sent to the fraudster’s drop email.

Below is a snapshot of Part of a Local HTML contents (form) with a remote drop point URL:

From a cyber-security perspective, it may be difficult to shut-down the site when the drop script is hosted on a hijacked website, as it doesn’t present any abusive content when it is viewed (a blank page is normally displayed), causing hosting facilities to think it is offline. On the other hand, online form services are more cooperative in shutting down fraudster accounts.

BASE64 ENCODED PHISHING IN A URL

Most major browsers today support a feature called data URI scheme. This feature enables encoding the webpage content with BASE64 encoding into a string seen in browser address bar. Fraudsters like using this encoding feature in the Local HTML phishing scheme, as well as in regular online hosted phishing. When hosted online, it helps scammers to conceal the main phishing URL. The data URI is injected into the address bar using the JavaScript’s window.location property or the HTML meta-refresh.

The screenshot below shows the data URI as it appears in address bar.

This is an example of the script for injecting the data URI into the browser address bar.

PHISHING WITH MITM CAPABILITIES

Phishing schemes with Man-In-The-Middle (MitM) capabilities are more sophisticated than most, and provide fraudsters with more accurate harvested credentials. Phishing with MITM means that while the victim is interacting with a phishing site, behind the scenes and not visible to the victim, the phishing site communicates with and performs actions on the legitimate site. This capability is implemented with PHP cURL module. The cURL is used to transfer data through various protocols including HTTP. To develop a script that imitates the user’s actions on a legitimate site, some reverse engineering is required on the part of the fraudster to understand which requests and data are forwarded to the legitimate site.

Below is a code sample illustrating the cURL object used for communicating with the legitimate online-banking site.

The script in the snapshot below is a cURL class used for communicating with the legitimate online banking site via an HTTP proxy (xxx.xxx.xxx.xxx:8080).

The config.php in the snapshot below contains the fraudster’s account used to receive the stolen funds transfer.

Another part of the phishing script, seen below, uses the cURL object to transfer funds from the victim’s account to the fraudster’s account ($cuenta_destino is defined in the config.php shown above)

The MITM phishing scheme offers a fraudster many advantages – the fraudster can:

. Login to the legitimate site to check the validity of stolen credentials . Browse the victim’s account after login to view the account balance . Grab additional personal information such as phone number, address, etc.

In addition, the MITM scheme can be used in combination with an HTTP proxy to hide the phishing site’s original IP address and use the desired country IP to match that of the victim’s locale. This results in a low profile in fraud monitoring system logs that flag suspicious activity if actions carried out on the legitimate site are detected as originating from a region other than the customer’s or the financial institution’s website locale. Moreover, there are cases where the phishing kit checked the victim’s account balance, and when it was higher than a given amount, it transferred the funds to a ‘mule’ account at the same bank through the legitimate site.

These kits/phishing sites are relatively rare as they require higher level coding skills and reverse engineering of the legitimate websites.

In the best case scenario, MITM phishing only steals valid credentials. In the worst case scenario, the funds in the account are transferred out almost instantly, making it a very serious threat in cyber-space.

PHISHING PLUS MOBILE MALWARE IN INDIA

Forensic analysts at RSA recently investigated a new phishing trend targeting banks in India. The Tax Refund scheme described earlier, that operates via a spoofed government revenue service site, was recently modified to include an SMS message sent to the victim’s phone at the end of the phishing process. The SMS contains a link that downloads and deploys a malicious APK (Android mobile malware archive).

Phishing •Victim clicks on redirection link email

•Victim is redirected to outer-frame URL •The redirecting source-code is obfuscated Redirection with Unescape •Redirecting code executes using data URI

•Communicates with SQL database to get inner-frame URL Outer-frame •Presents inner-frame hosted on URL different from outer-frame

Inner-frame •Randomly named folder is generated in (folder- random parent directory

genarator) •Victim is redirected to a new folder

•Victim is prompted to select a bank •Victim is prompted to enter personal data Phishing site including phone number •Compromised data is sent to remote drop URL

Victim •The link leads to URL for downloading receives malicious Andoid application short-URL •Once APK is installed, victim's data on link via SMS smartphone iscompromised

This new ploy makes use of a number of schemes and techniques described earlier, including a random folder generator, BASE64 data URI, tax-refund scheme, and more. The link provided in the phishing emails leads victims to a redirection URL (performed via the BASE64 data URI). That URL leads to an outer-frame site, using a script that communicates with a remote SQL database to retrieve the inner-frame URL. The snapshot below shows part of the outer-frame code – communicating with a remote SQL database.

The inner-frame phishing URL generates a random folder in a random parent directory, which is different from the usual folder-generators that create a new folder under the same path. The phishing site prompts the victims to choose their bank from a long list of Indian banks to begin the ‘tax-refund’ process. The image below shows the bank selection screen in the phishing site.

The kit uses a configuration file containing URLs for the resources needed by the phishing site:

. A URL to provide all of the images needed to spoof the legitimate site, instead of grabbing the images from the legitimate site which can trigger detection . A drop URL that receives and logs stolen data . A URL with the SMS sending script for the malicious APK . A short URL that is sent to victims . The last page file that victims see at the end of the phishing process

The code snapshot below is an example of the phishing site configuration file.

Once the victim finishes going through all the phishing pages, the folder is deleted. To add further spice to this scheme, upon entering their phone number in this site, the victim receives an SMS message with a link prompting the download of a malicious APK file (Android application) under the pretense of ‘mobile verification’.

The random URL generation where links are deleted and created per victim complicates detection and shut-down by cyber security services. The impact of this trend is beyond ‘regular’ phishing, since at the end of the process, the victim’s phone is infected by a malicious application. That mobile malware application keeps on stealing data from the phone long after the personal data has been phished via a simple phishing site. Since many banks today employ two-factor authentication using SMS messages for online banking, this malicious app can be even more harmful – allowing the fraudster control over the phone and the second channel for authentication.

FAST-FLUX PHISHING

One of the oldest and most sophisticated phishing schemes that RSA analysts have investigated are commonly called Fast-Flux phishing (also known as MS-Redirect, Rock-Phish, and O-late). These are usually phishing sites hosted on Fast-Flux networks – phishing attack domains that are hosted at multiple IP addresses that are randomly changed over a period of minutes. Therefore, in order to bring down these attacks, our analysts can only contact the registrars, as contacting the ISP/Hosting would not help to get to the root problem. Domains are often generated automatically in this scheme for the sole purpose of hosting phishing and malware. Each domain contained dozens of URLs targeting several entities, making campaigns very profitable for the scam authors.

Like any kind of Fast-Flux, the infrastructure (multiple IP addresses) is based on large botnets – many infected ‘zombie’ computers. It involves a DNS with short TTL of its records in order to achieve IP addresses randomization.

This scheme is not as common recently as it was in the past.

ADDITIONAL PHISHING TECHNIQUES

In addition to the more notable and prevalent phishing schemes we have described, there are a few more techniques that are available in the phishing arsenal that are not as well known, but are still out there and are worth noting.

Filtering by Geolocation and Email Address

Some phishing attacks are focused on victims with specific criteria, like geolocation. For instance, our analysts have witnessed phishing sites that validate their victims by comparing their email address with a long list of confirmed email addresses for a certain region that the fraudster obtained earlier. Some phishing emails are sent with email addresses embedded in the URL’s parameters to make sure that only the people who received the phishing email will be able to access the fraudulent site.

Make sure victim’s email address is set in “id” parameter, otherwise

phishing won’t be shown

Check whether the email is in the list

Check whether it is a returning victim Put it in ignore list to avoid access for second time

If it passed the test, redirect to phishing page

Collecting Statistics

Statistics collection is another popular feature fraudsters like to implement in their attacks. Sometimes, it is done using online services, but most of the time this feature is incorporates as part of a phishing kit. User information like screen resolution, IP address, language preferences in the browser, etc. allows fraudsters to mimic a victim’s online “fingerprint” to try and login to their online accounts, avoiding detection of online-security monitoring solutions deployed in legitimate websites.

The 419 Scam

The 419 (Nigerian) scam is one of the oldest fraud schemes on the internet. And surprisingly, enough people still fall victim to this simple and often humorous fictional cover story that purportedly offers to share millions of dollars with the victim, if only they first provide a small deposit to start the process… Now, in order to add greater believability or a trust factor to this scam, fraudsters developed sites that imitate online banking, where the victims are given a set of prepared account credentials to login. Usually, their name is displayed after they login, and they can see that there are thousands or millions of dollars in their account. Once they gain this little measure of the victim’s trust, the rest of the standard 419 scam can be played out more easily.

Smartphones Always At Our Side

We are now living in the ‘smartphone era’, where all sorts of tiny mobile devices with vast computing and communication abilities are always at our side – fraudsters take into consideration that victims are now more ‘attached’ to their email than ever before. Many of us check our messages much more frequently, especially if we have a notification sound set on our device. And accordingly, more and more fraudsters modify their phishing sites to accommodate mobile browsers. Therefore, despite the rising awareness of online fraud in the general population and the media, phishing remains one of the most dangerous cyber-threats.

SUMMARY

There is nothing complicated about setting up a phishing campaign. Phishing sites, like any website, require a hosting facility (domain, IP address, etc.) as well as a software ‘front-end’ and ‘back-end’ (HTML, PHP etc.). Anyone with a little knowledge in web-development can set up a phishing site without a hassle. Simple phishing sites are generally simple copies of legitimate customer login pages (front-end), where the action script (that handles the submitted information) is different from the legitimate one. Owing to this simplicity in the preparation process, phishing was, is, and will probably remain one of the most desirable scam techniques performed by fraudsters.

MALWARE STATISTICS

The following charts map out the global Trojan malware activity recorded by RSA over the last five quarters.

VARIANTS PER QUARTER

The graph below shows the count of unique banking Trojan variants detected by RSA over time.

665

488 436

295 272

Q4-15 Q1-16 Q2-16 Q3-16 Q4-16

UNIQUE TROJAN COMMUNICATION POINTS - URLS PER QUARTER

A count of communication points (URLs) used for infection, update or as drop points in Trojan attacks worldwide. Each Trojan attack may use multiple communication points, therefore, the number of unique Trojan-related communication points will always be significantly higher than the number of unique variants detected.

1,673 1,526

1,009

735

510

Q4-15 Q1-16 Q2-16 Q3-16 Q4-16

GLOBAL DISTRIBUTION OF TROJAN FAMILIES

The table below shows the distribution of various Trojan families responsible for attacks on entities worldwide in the reported quarter, as detected by the RSA Anti-Fraud Command Center (AFCC). Not surprisingly, ransomware took first place this quarter with banking malware falling behind in terms of attacks detected. Zeus and Zeus- based malware still led the banking malware charts.

Pony Stealer, 4%

Zeus, 13% Other, 2% Beta Bot, 1%

Mobile Malware, 1%

ISR Stealer, 19%

Citadel, 21% Ransom, 39%

TOP TROJAN-HOSTING ISP

The chart below shows a proportional view of the ISPs to have hosted the largest number of Trojan communication resources in Q3 2016.

Acelerate, 2% Comcast, 2% ColoCrossing, 2% Amazon, 3%

Alibaba, 3%

Go Daddy, 3%

Bluehost / Unified Layer, 6% Others, 70% Radore / Istanbul DC / Sayfa.net, 8%

TOP REGISTRARS OF TROJAN DOMAINS

The chart below shows a proportional view of the registrars with which the largest numbers of Trojan communication domains were registered through Q3 2016. Trojan botmasters normally purchase one or more domains to host their communication resources.

Public Domain Registry, Key-Systems, 2% Hichina, 2% 4% eNom, 2% Tucows, 2% Now.cn, 5% Onlinenic, 1% PakNIC, 1%

Others, 82%

TOP TROJAN-HOSTING COUNTRIES

The chart below shows a proportional view of the ISPs to have hosted the largest number of Trojan communication resources through Q3 2016

Turkey, 7% United States, 31% China, 5%

Germany, 5%

Russia, 4%

Canada, 3% United Kingdom, 2% Other, 40% Ukraine, 2%

Romania, 2%

PHISHING STATISTICS

In Q4 of 2016, RSA recorded a total of 284,367 Phishing attacks in the global market. This volume represents a 41% increase from the previous quarter, and is nearly double the volume of phish for the same time period last year. With the holiday season in mind, increases are not surprising at this time of the year.

516,702

284,367 240,520 201,082

144,694

Q4-15 Q1-16 Q2-16 Q3-16 Q4-16

GLOBAL PHISHING ATTACK VOLUMES

The US and Canada continue to lead the chart, with minor changes in the rest of the lineup. The UK made an appearance in this quarter suffering 3% of global attacks.

Netherlands, 4% Brazil, 3% Spain, 5% United Kingdom, 3% India, 6% France, 2% Others, 3% South Africa, 7%

Canada, 13%

United States, 54%

TOP COUNTRIES HOSTING PHISHING

The U.S. maintained the top position, hosting 57% of global Phishing attacks. Russia moved into 2nd place, followed by Germany that moved to 3rd place. The remaining countries’ ISPs hosted the other 15% of the world’s Phishing attacks.

Poland, 3% Brazil, 3% United Kingdom, 3% France, 3% Italy, 2% Turkey, 2%

Netherlands, 3% Canada, 1%

Germany, 4%

Other, 15%

Russia, 5%

United States, 57%

TOP ISPS HOSTING PHISHING

HostGator continued to rank first among the hosting ISPs, while GoDaddy slipped to 3rd. MainHosting that was ranked 5th last quarter moved into 2rd place. The remaining ISPs accounted for 54% of the global Phishing volume, each hosting 1% or less of the attacks.

Bluehost / Unified CloudFlare OVH France, 2% Avguro, 2% Layer, 2% , 2% Amazon, 3% TransIP, 1% Bit.ly Inc, 4%

Go Daddy, 5% Main Hosting / Hostinger / Hosting24, 6%

HostGator / Websitewelcome, 13%

Others, 59%

TOP REGISTRARS HOSTING PHISHING

Under hosting entities this quarter saw little change with Public Domain Registry, eNom, and Tucows ech maintaining their respective 1st, 2nd and 3rd places. The remaining registrars contributed the additional 53% of attack domain registrations.

TransIP, 2% Cronon AG, 2% Network Solutions, 2% Wild West Domains, Nic.ru, 2% FastDomain, 2% 4% Godaddy (Registrar only), 2%

Tucows, 7%

eNom, 10%

Public Domain Registry, 15%

Others, 53%