How To Get Rid Of A Phish Locker On A Computer (For A Bank)

Size: px

Start display at page:

Download "How To Get Rid Of A Phish Locker On A Computer (For A Bank)"

Brianna McDonald
3 years ago
Views:

1 PHISH LOCKERS OUT IN THE WILD August 2013 RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed Phish Lockers, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name. This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections. Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time. INSIDE THE PHISH LOCKING ROOM Much like most banking Trojans, phish lockers are activated by trigger. When an infected user logs into a website contained on the malware s trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don t have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera. The first visible action that the user will see is the browser window being shut down, then the desktop s START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan will pop-up a corresponding web form that looks exactly like legitimate web page, but is actually a phishing page. FRAUD REPORT

This type of malware is not defined as a banking Trojan in the traditional sense.

2 The phish locker malware usually comes with a few hardcoded web forms, each requiring a relevant set of credentials from infected bank customers. Usually, the information requested by the malware corresponds with phishing attacks targeting the particular bank. For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user s mobile number. Figure 1: Phish locker s web form pop-up requesting credit card information When banking Trojans infect user machines, they are present on the device and can log a user s keystrokes and steal documents, certificates, cookies and other elements dictated by the botmaster. Banking malware regularly sends logs of stolen information to its operator, using predefined domains as communication resources. Phish lockers on the other hand, are not designed to carry out such complex activity and use basic methods to transmit stolen data such as . In order to facilitate sending s from the infected PC, the malware s author programmed it to use Extended SMTP, predefining a sender and a few recipients that will act as a fallback mechanism in case the data gets intercepted or the mailbox blocked/closed for some reason. Yet another differentiator that separates banking Trojans from phish lockers is the mode of activity. While banking malware steals and listens for data at all times when the browser is open, the locker closes the browser altogether, and then does the stealing. Once the information from the locker s web forms is sent, the malware remains inactive and does not carry out any other malicious activity on the PC, allowing the user to regain control. CONCLUSION It is rather interesting to see Trojans of this type, which are considered very basic when compared to most banking Trojans in the wild. It is even more interesting to see them appearing in geographies where banking security is considered to be very advanced. This phenomenon may be linked with the trend towards privatization of banking Trojans. This has created a barrier for many cybercriminals as they are denied access to purchase more advanced malware kits to launch attacks. This could be perhaps be pushing some cybercriminals to write and deploy simple malicious codes that will at least get their dirty work done. page 2

For example, if the bank uses out-of-band SMS for transaction verification, the form might have a request for the user s mobile number.

3 Phishing Attacks per Month RSA identified 45,232 phishing attacks launched worldwide in July, marking a 26% increase in attack volume in the last month Aug 12 Jul Feb 13 Jan 13 Dec 12 Nov 12 Oct 12 Sep Apr 13 Mar Jul 13 Jun 13 May 13 Source: RSA Anti-Fraud Command Center % 11% 9% 9% 12% 6% 8% 17% 8% 11% 11% US Bank Types Attacked National banks continue to be the most targeted by phishing within the U.S. banking sector with 74% of attacks in July while credit unions were targeted by one out of every ten attacks last month % 9% 14% 23% 12% 19% 13% 23% 74% 74% 77% 77% 79% 79% 70% 69% 60% 73% 73% 76% 74% Source: RSA Anti-Fraud Command Center Jul 13 Jun 13 May 13 Apr 13 Mar 13 Feb 13 Jan 13 Dec 12 Nov 12 Oct 12 Sep 12 Aug 12 Jul 12 page 3

Source: RSA Anti-Fraud Command Center 100 11% 11% 9% 9% 12% 6% 8% 17% 8% 11% 11% US Bank Types Attacked National banks continue to be the most targeted by phishing within the U.S. banking sector with 74% of attacks in July while credit unions were targeted by one out of every ten attacks last month.

4 a Australia South Korea South Africa 3% Italy 3% Germany UK Top Countries by Attack Volume The U.S. remained the country most attacked by phishing in July, targeted by 58% of total phishing volume. Germany endured the second highest volume of phishing at 9%, followed by the UK at 8%. India, France,, South Africa and Italy were collectively targeted by of phishing volume. France 3% 3% India 3% United Kingdom 8% Germany 9% U.S. 58% 48 Other Countries 10% a US S Africa Italy 4% Netherlands India Brasil Top Countries by Attacked Brands U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks. Brands in the UK, India, Italy and together endured onequarter of phishing attack volume. Australia 5% India 6% Italy 4% 51 Other Countries 47% United Kingdom 11% U.S. 28% US S Africa France 3% Italy Netherlands 4% Netherlands India Brasil Top Hosting Countries The U.S. remained the top hosting country in July with 45% of global phishing attacks hosted within the country, followed by, Germany, and the UK. To date, RSA has worked with more than 15,300 hosting entities around the world to shut down cyber attacks. United Kingdom 4% Germany 5% 6% U.S. 45% 62 Other Countries 33% page 4

France 3% 3% India 3% United Kingdom 8% Germany 9% U.S. 58% 48 Other Countries 10% a US S Africa Italy 4% Netherlands India Brasil Top Countries by Attacked Brands U.S. brands were once again most affected by phishing in July, targeted by 28% of phishing attacks.

5 CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. AUG RPT 0813

BUGAT TROJAN JOINS THE MOBILE REVOLUTION

BUGAT TROJAN JOINS THE MOBILE REVOLUTION June 2013 RSA researchers analyzing Bugat Trojan attacks have recently learned that Bugat s developers managed to develop and deploy mobile malware designed to