RSA identifies 'bouncer' phishing attack

A phishing scam that behaves like a nightclub bouncer is among a new breed of phishing attacks, say security researchers

A phishing scam that behaves like a nightclub bouncer is among a new breed of phishing attacks that have reached record volumes, say security researchers.

Phishing attacks aimed at tricking people into sharing personal information were 59% higher in 2012 than the previous year at 445,000, according to researchers at RSA, the security division of EMC.

The researchers estimate that phishing attacks cost the global economy over $1.5bn in fraud damages, up 22% from 2011.

This rise in phishing attacks is linked to advances in phishing kits, according to Limor Kessem, cyber intelligence expert at RSA.

Such kits enable attackers to do sophisticated things like real-time credential validation, web analytics tools to report the success of attack campaigns and selective targeting.  

Targeted phishing attacks

One phishing attack has been dubbed “bouncer list phishing” because it acts just like a night club bouncer. “If your name is not on the list, you’re staying out,” Kessem wrote in a blog post.

The bouncer phishing kit targets a preset email list for each campaign. A user ID value is generated for the targeted recipients, sending them a unique url for access to the attack. 

Read more about phishing

Any outsider attempting to access the phishing page is redirected to a “404 page not found” error message.

“Unlike the usual IP-restricted entry that many older kits used, this is a true – depending on how you look at it – black hat whitelist,” Kessem wrote.

When victims access the phishing link, their name has to be on the list and their “D value is verified on-the-fly as soon as they attempt to browse to the url. 

For validated users, the kit generates an attack page designed to steal their credentials. Unlike traditional phishing attacks, this one is focused on collecting only credentials useful to the attacker.

“These kits, used to target corporate email recipients, can easily be used as part of spear phishing campaigns to gain a foothold for a looming APT-style attack,” wrote Kessem.

However, she said this peculiar approach is likely the work of a gang or a fraud service supplier supplying credentials to specific geographical regions and targets.

Kessem said most phishing kits are hijacking websites through vulnerable plugins used in many open source CMS-based sites and blog-type pages.

“Unfortunately, it is entirely up to the webmasters to become more aware of security and ensure that their websites don’t get exploited,” she said.

Image: Hemera/Thinkstock

Read more on Hackers and cybercrime prevention