MALWARE TOOLS FOR SALE ON THE OPEN WEB

Transcription

1 MALWARE TOOLS FOR SALE ON THE OPEN WEB May 2014 RSA Research, while investigating a Zeus Trojan sample, discovered an additional drop server used by a fraudster who is offering a set of spyware tools for sale under the vendor names TampStore and Crown Softwares. The online store offers a number of software packages made up of sets of tools presented openly as legitimate spyware, with individual package icons in different colors for each of the products. These tools offer a number of features that may be illegal in many regions, and are commonly used by malware developers to steal data from infected PCs. The online store offers the following products : TampZusa stealer application for stealing information and images from browsers, clients, keylogging, screen captures, webcam, and messenger clients TampStealer same as TampZusa, with a few extra bonuses added to the package (see feature list below) TampKelogger Classic a basic case-sensitive keylogger that can also record window titles TampKeylogger Premium a full featured keylogger that also includes all the features of the TampStealer TampSpammer a basic mass-mailer spamming application Of all the listed products, the TampStealer appears to be the most complete package of spyware tools. The following is a list of the features advertised in the online store. FRAUD REPORT page 1

2 TampStealer feature list: Case sensitive keylogger Print screen stealer (screen capture) Webcam stealer Browser password stealer Opera, Chrome, Firefox, Safari, Internet Explorer, Netscape Avira firewall bypass Mass dispatcher Silent file downloaders Multi-client remote administration Send logs to FTP or PHP (PHP logger included in package) FileZilla stealer Stealer for the following clients Outlook, Windows Mail, Eudora, IncrediMail, Netscape PidGin stealer (messenger client) Icon changer application, including an icon package The fraudster does not seem to be shy about advertising his wares on Facebook or exposing numerous addresses for himself in various forums and public social networking sites. RSA has traced a number of entries posted by him in a Romanian computer hacker forum as well as advertising his availability for hire in a web programming forum. Upon further investigation of the administration panel and log files of the TampStealer application, RSA uncovered records of stolen login credentials. One log file from the TampStealer application, contained as many as 8,145 stolen login records (see Figure 1 below). page 2

3 CONCLUSION Offering cybercrime software tools for sale is not new. However, advertising them out on the open web and social networking sites like Facebook is quite unusual. This particular software tool author does not seem to be afraid or concerned about exposing his software or his addresses to the general public. Such behavior goes against the trend of pushing cybercriminal activity further underground as has been witnessed by RSA over the last two years. page 3

4 MAY 2014 Source: RSA Anti-Fraud Command Center Phishing Attacks per Month RSA identified 52,554 phishing attacks in April, marking a 24% increase from March s attack numbers. Based on this figure, RSA estimates phishing cost global organizations $448 million in losses in April. 52,554 Attacks US Bank Types Attacked While nationwide banks continue to be the most targeted by phishing with 58% of total volume in April, regional banks have continued to see an increase in volume as well. Credit Unions Regional National Top Countries by Attack Volume The U.S. remained the most targeted country in April with an overwhelming 76% of global phishing volume, followed by the UK, the Netherlands, and South Africa. 4% 3% UK Netherlands 76% U.S. 3% South Africa page 4

5 Top Countries by Attacked Brands Over 50% of phishing attacks in March were targeted at brands in the U.S., UK, India, Italy and Canada. 27% U.S. 9% UK Top Hosting Countries The U.S. hosted 34% of global phishing attacks in April, followed by Germany, the Netherlands, and Italy. 7% 34% 5% 5% GLOBAL PHISHING LOSSES APRIL % Mobile Transactions and Fraud (Q1 14) In Q1, 33% of banking transactions originated in the mobile $ $ $ channel. $ $ Among total transactions, 2% of all identified fraud was from a mobile device. $ $ $ 2% 33% 2% page 5

6 CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. MAY RPT 0314