ACCOUNT TAKEOVER TO IDENTITY TAKEOVER

Transcription

1 ACCOUNT TAKEOVER TO IDENTITY TAKEOVER March 2013 Phishing attacks are notorious for their potential harm to online banking and credit card users who may fall prey to phishers looking to steal information from them. Compromised credentials are then typically sold in the underground or used for actual fraud attempts on that user s bank/card account. Financial institutions have all too often been the most targeted vertical with phishers setting their sights on monetary gain, followed by online retailers and social networks. Most understand the purpose of targeting financial institutions, but online retailers and social networking sites? Why would a fraudster target them? In most cases, they use an address to authenticate their users identities, and they are not the only ones. Of course the user is made to choose a password when opening any new online account, but as research reveals, password reuse across multiple sites is a huge issue. A typical user reuses the same password an average of six times, or the same password to access six different accounts. Phishing, Trojans And Access Phishing campaigns have already been targeting webmail users for years now with campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the shape of OWA (Outlook Web Access) for business users. Trojan operators followed suit and have not remained oblivious to the potential that lies in gaining control over victim identities through their accounts. In fact, almost all Trojan configuration files contain triggers to webmail providers as well as to social networking sites. This is designed with the purpose of getting access in order to gain more information about potential victims in order to take over their online identities. FRAUD REPORT

2 Spear Phishing OWA phishing page designed to steal access credentials from business users Since accounts are an integral part of user identities online, they have also become the pivotal access point for many types of accounts. When it comes to online retailers and merchants, the address is most often the username in the provider s systems or databases. When it comes to bank accounts, the customer s is where communications and alerts are sent, and sometimes even serve as part of transaction verification. Beyond the fact that is part of customer identification and point of communication, the compromise of that account by a cybercriminal can have more detrimental effects. takeover may mean that a hostile third party will attempt, and sometimes succeed, to reset the user s account information and password for more than one web resource, eventually gaining access to enough personal information to enable complete impersonation of the victim. Although some webmail providers use two-factor authentication for account password resets (such as Gmail s Authenticator), most don t, thereby inadvertently making it simpler for criminals to access and sometimes attempt to reset access to accounts. Fraudsters will typically probe the account for more information and sometimes lock it (by changing the password) in order to prevent the genuine user from reading alerts after a fraudulent transaction was processed on one of their accounts. Access = Money? Since is a convenient way for service providers to communicate with untold numbers of customers, online merchants will, in the name of ease of use, reset account credentials via . Hence, if a cybercriminal is in control of the account, they will also gain control over the user s account with that merchant. page 2

3 From there, the road to e-commerce fraud shortens considerably, either using that person s financial information, or attaching a compromised credit card to that account without ever having to log into their bank account in order to access their money, and in that sense, access equals money. Another example is transportation companies, which are part of any online purchase and those who provide shipping service to companies as well as governmental offices. They also use addresses as their users login identifiers and will reset the account via . A takeover of a user s account in this scenario will also mean takeover of that person s/business service account with the transport provider. For fraudsters, this type of access translates into purchasing labels for their reshipping mules, charging shipments to accounts that don t belong to them, and providing an easier route to reship stolen goods and even reroute existing orders. Account Takeover And Online Banking account takeover may appear benign at first sight, but in fact it is an insidious threat to online banking users. The first issue with account takeover (due to credentials theft or a password reset), is that users re-use passwords. When fraudsters steal a set of credentials, they will likely be able to use it to access additional accounts, sometimes even an online banking account. The second issue is that fraudsters will use victim access for reconnaissance with that person s choice of financial services providers, bank account types, card statements (paperless reports delivered via ), recent online purchases, alert types received from the bank, contact lists (often including work-related addresses), social networking profile and more. How Risky Is Account Takeover? account takeover can be a route to identity theft that only requires access to perhaps the least secure part of the online identity used by financial and other organizations and is perhaps one of the least evident elements that can become a potential facilitator of online fraud scenarios. addresses can serve as a glue that binds many parts of a person s online identity, connecting a number of different accounts that interlink. A typical online banking customer may use a Gmail address with their bank account, use that same address for a PayPal account, shop on ebay using that address, and receive their card statements at that address from their card issuer. All too often, that address is also their Facebook access , where they have saved their phone number, stated where they work and for how long, and mentioned a few hobbies. CONCLUSION Account hacks of this type happen all the time, and often make the headlines in the media. In some cases, there are a few hundred potential victims while in others, there are millions. The value of an address to a cybercriminal should not be underestimated. This element of an online identity must be treated with added caution by all service providers that cater to consumers. The line that crosses between ease of access and user experience always passes very close to security redlines, but sometimes very slight modifications in the weight customer accounts can have on overall account access can turn a fraud attempt into a failed fraud attempt. page 3

4 Phishing Attacks per Month In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9% decrease from January. The overall trend in attack numbers when looking at it from an annual view shows slightly lower attack volumes through the first quarter of the year Feb 12 Mar Apr May Jul 12 Jun Aug Nov 12 Oct 12 Sep Dec 12 Jan Feb 13 Source: RSA Anti-Fraud Command Center Number of Brands Attacked In February, 257 brands were targeted in phishing attacks, marking a 12% decrease from January. Of the 257 targeted brands, 48% endured five attacks or less Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb 13 Source: RSA Anti-Fraud Command Center page 4

5 US Bank Types Attacked U.S. nationwide bank brands were the prime target for phishing campaigns with 69% of total phishing attacks while regional banks saw an 8% increase in phishing attacks in February % 12% 7% 20% 10% 11% 11% 9% 9% 12% 6% 15% 8% 21% 30% 11% 18% 12% 15% 15% 14% 14% 9% 15% 15% 23% 76% 58% 82% 62% 78% 74% 74% 77% 77% 79% 79% 70% 69% Source: RSA Anti-Fraud Command Center Feb 13 Jan 13 Dec 12 Nov 12 Oct 12 Sep 12 Aug 12 Jul 12 Jun 12 May 12 Apr 12 Mar 12 Feb 12 a Australia South Korea Canada China South Africa 3% Germany UK Top Countries by Attack Volume The U.S. remained the country that suffered a majority of attack volume in February, absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa collectively absorbed about one-quarter of total phishing volume in February. United Kingdom 14% Canada 5% India 4% U.S. 54% 41 Other Countries 20% page 5

6 a US S Africa China India 3% Italy 3% Italy Canada Netherlands India Bra Top Countries by Attacked Brands In February, U.S brands were targeted by 30% of phishing volume continuing to remain the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and Canada were each respectively targeted by 4% of phishing volume. China 4% Canada 4% Brazil 4% Australia 4% United Kingdom 10% 38 Other Countries 37% U.S. 30% a US S Africa China Brazil 3% Italy Chile 3% Canada Netherlands India B Russia 3% Top Hosting Countries Canada 4% In February, the U.S. hosted 44% of global Germany 5% phishing attacks (down 8%), while the UK and Germany each hosted 5% of attacks. United Kingdom 5% Other top hosting countries in February included Canada, Russia, Brazil and Chile. U.S. 44% 54 Other Countries 33% page 6

7 CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. MAR RPT 0313