RSA identifies 'bouncer' phishing attack

Warwick Ashford

A phishing scam that behaves like a nightclub bouncer is among a new breed of phishing attacks that have reached record volumes, say security researchers.

Phishing attacks aimed at tricking people into sharing personal information were 59% higher in 2012 than the previous year at 445,000, according to researchers at RSA, the security division of EMC.

The researchers estimate that phishing attacks cost the global economy over $1.5bn in fraud damages, up 22% from 2011.

This rise in phishing attacks is linked to advances in phishing kits, according to Limor Kessem, cyber intelligence expert at RSA.

Such kits give attackers sophisticated capabilities such as real-time credential validation, web analytics tools that report the success of attack campaigns, and selective targeting.

Targeted phishing attacks

One phishing attack has been dubbed “bouncer list phishing” because it acts just like a night club bouncer. “If your name is not on the list, you’re staying out,” Kessem wrote in a blog post.

The bouncer phishing kit targets a preset email list for each campaign. A user ID value is generated for each targeted recipient, who is sent a unique URL for access to the attack.

Any outsider attempting to access the phishing page is redirected to a “404 page not found” error message.

“Unlike the usual IP-restricted entry that many older kits used, this is a true – depending on how you look at it – black hat whitelist,” Kessem wrote.

When victims access the phishing link, their name has to be on the list and their ID value is verified on-the-fly as soon as they attempt to browse to the URL.

For validated users, the kit generates an attack page designed to steal their credentials. Unlike traditional phishing attacks, this one is focused on collecting only credentials useful to the attacker.
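For defenders, the per-recipient URL described above is itself a signal that a mail gateway can look for. The following Python sketch is an added example, not code from RSA or from this article. It assumes the ID travels as a query-string parameter, which the article does not specify, and all addresses, hosts and paths in the sample are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (recipient, URL extracted from an inbound message).
SAMPLE_LINKS = [
    ("alice@corp.example", "http://blog.example.net/plugins/gallery/view.php?id=a91f3c"),
    ("bob@corp.example",   "http://blog.example.net/plugins/gallery/view.php?id=77be02"),
    ("carol@corp.example", "http://blog.example.net/plugins/gallery/view.php?id=c40d19"),
    ("alice@corp.example", "http://news.example.org/weekly?utm_source=mail"),
    ("bob@corp.example",   "http://news.example.org/weekly?utm_source=mail"),
    ("carol@corp.example", "http://news.example.org/weekly?utm_source=mail"),
]


def per_recipient_token_links(links, min_recipients=3):
    """Find links whose query parameter differs for every recipient.

    Returns {(host, path, param): {recipient: value}} for each page that
    reached at least `min_recipients` mailboxes with a distinct parameter
    value per mailbox (assumption: the kit's ID is a query parameter).
    """
    seen = defaultdict(dict)
    for recipient, url in links:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            seen[(parts.hostname, parts.path, name)][recipient] = value

    flagged = {}
    for key, by_recipient in seen.items():
        values = list(by_recipient.values())
        enough = len(by_recipient) >= min_recipients
        all_unique = len(set(values)) == len(values)
        if enough and all_unique:
            flagged[key] = by_recipient
    return flagged


if __name__ == "__main__":
    for (host, path, param), hits in per_recipient_token_links(SAMPLE_LINKS).items():
        print(f"{host}{path} carries a unique '{param}' for {len(hits)} recipients")
```

Legitimate mailing tools also personalise links, so a hit is a triage signal to weigh alongside the reputation of the hosting site, not a verdict.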

“These kits, used to target corporate email recipients, can easily be used as part of spear phishing campaigns to gain a foothold for a looming APT-style attack,” wrote Kessem.

However, she said this peculiar approach is likely the work of a gang or a fraud service supplier supplying credentials to specific geographical regions and targets.

Kessem said most phishing kits are hijacking websites through vulnerable plugins used in many open source CMS-based sites and blog-type pages.

“Unfortunately, it is entirely up to the webmasters to become more aware of security and ensure that their websites don’t get exploited,” she said.

