Phishing Trends Report

Transcription

1 Phishing Trends Report Analysis of Online Financial Fraud Threats Second Quarter, 2009 For more information, please contact: Internet Identity and the Internet Identity logo are trademarks of Internet Identity. All other registered trademarks are property of their respecitve owners. Copyright 2009, Internet Identity. All rights reserved

2 HIGHLIGHTS Avalanche kit phish attacks account for 28% of all phishing o 16 new companies targeted with Avalanche kit o 8 of top 10 phishing targets victimized by Avalanche Phishing Activity increased 17% from April to June o Non Avalanche attack volume increased 22% from April 1 to June 30 o Avalanche attack volume increased 6% from April 1 to June 30 Top countries hosting phishing attacks (by IP address location) o US - 38% o Germany - 5% o Russia - 5% 18 of the top 50 attacked brands were non-us banks o PayPal still the number one target, but outpaced by top 10 banks o Commercial banking platforms are increasingly targeted Registrars that harden themselves against abuse see sharp reductions in volume o Policies and procedures enacted to suspend domain names within 24 hours of registration o Strengthened account sign-up and initial domain registration verification requirements Internet Identity - Phishing Trends Report - Second Quarter 2009 Page 2

3 THE DOMINANT THREAT TACTIC: AVALANCHE Avalanche sites are the latest in mass-production phishing and malware distribution techniques. Phishing sites on Avalanche domains are targeting commercial banking platforms of over 30 financial institutions, major on-line services, and job search providers. Social engineered malware downloads are also being distributed from these same domains. These attacks involve fraudulent domain names, set up on fraudulent name servers, with the hosting locations of the sites constantly fluctuating ( Fast-Flux ). The Fast-Flux technique makes a mitigation effort more complex than calling the Internet Service Provider to get a site or IP blocked; in Fast-Flux attacks, the domain name itself must be suspended at the registrar or registry level. The Avalanche phish kit accounted for 28% of all phishing activity seen during Q2. Regardless of the current spam target, Avalanche domains are registered targeting over 30 companies, 16 of which joined the targeted group in Q2. Included in the group is malware from spam X-Files ~ The truth is out there? Who Killed Michael Jackson? Malware download attacks were also launched against Microsoft with a bogus Windows Update. Avalanche in Focus Each fraudulent domain contains unique phishing URL paths for several of over 30 targets in total Several fraudulent domains registered per day Targets commercial banking platforms, e-commerce providers, malware drops DNS set-ups are also fraudulent Fast-flux site hosting Spam barrages rotating between targets Cash-out attempts typically occur within 10 minutes of credential harvest At the end of Q2, a given Avalanche site supports 34 distinguishable standard paths in the URL. An Avalanche attack wave consists of many such domain names that appear almost identical next to each other, (e.g. 11fjfhi.com, 11fjfhj.com, 11fjfh1.com, 11fjfhl.com). These domains may denote a pattern by a criminal group that intends to confuse staff members at registrars, providers, and security firms. Interestingly, software systems are not at all flummoxed by this kind of subterfuge, and these domain name groupings become easy to single out for security analysts at registrars and registries who know what to look for and are actively looking. While only one or two brands are typically spammed at any one time during an Avalanche attack, the miscreants rotate back to older targets frequently. If an Avalanche domain remains active over a long period of time, spam for other targets may be sent using it. This makes it necessary to go after Avalanche domains even with a lack of current spam you can knock them down prior to an attack against your brand. The Avalanche attackers are also extremely good at cashing out accounts. They have detailed knowledge of commercial banking platforms, particularly treasury management systems and the ACH system. They are also performing successful real-time man-in-the-middle attacks that defeat two- Internet Identity - Phishing Trends Report - Second Quarter 2009 Page 3

4 factor security tokens. Reports indicate that very serious losses are likely when you are targeted by this group. GEOGRAPHIC BREAKDOWN: WHERE PHISH LIVED Historically, approximately 40% of all worldwide phishing has been hosted in the United States. This trend held in the second quarter of 2009, with compromised webservers and fraudulent virtual hosting account setups in Germany, Russia, and Spain comprising the next largest block. The rate of Avalanche domain names set up with registrars in the U.S. has been as low as 9% of the total volume of Avalanche domains. Instead, they have been focusing on specific domain registrars in European countries, along with South Korea, Pakistan, India, Turkey, and Mexico. The criteria for choosing a registrar to victimize seem to depend on the registrar s account verification procedures and the responsiveness of its abuse department. DOMAIN REGISTRARS AND AVALANCHE The pattern seen with Avalanche involves targeting one to three providers for the bulk of an attack set, but also targeting a small number of other providers to test their suitability for future attacks. Once the provider(s) carrying the majority of the domain names starts to actively take down sites and implement other security procedures discussed below, Avalanche will move on to one or two of the previously tested providers, seemingly based on the results of their previous tests. To illustrate, on April 30, Avalanche registered domains with five different providers, among them were Enom and DomainTheNet (shown on Avalanche Provider Rotation graph below in orange and purple). Deactivation times directly impacted the subsequent attack set, as the sites that were registered through Enom for the test had a very short life May 4 and 5. Consequently, the next attack group on May 6 singled out DomainTheNet, the provider with slower anti-abuse practices. Enom was later targeted for a larger attack set of approximately 30 domains per day, along with all of the other providers tested for domain registrations. Many times a provider will be tested repeatedly or will not see an Avalanche domain for months, as was the case with Interdomain.es. They were first tested in January, but did not experience a wave of attacks until March 17, almost two months after their first test. Once a large-scale attack struck Interdomain, active site times dramatically increased and the attacks continued for over a month (see Interdomain below). One point is clear: with any provider, the faster Avalanche sites are taken down, the faster that provider exits the business of registering these malicious domains. Internet Identity - Phishing Trends Report - Second Quarter 2009 Page 4

5 TARGETED INDUSTRIES Phishing and malware related attacks targeted 412 distinguishable brands during Q2. Of the top 50 attacked brands, which make up 93% of phishing for the quarter, 18 were non-us banks, making up 24% of phishing. Other notable phishing targets include Twitter, Facebook, Friendster, Hi5, PhotoBucket, Skype, the Internet Identity - Phishing Trends Report - Second Quarter 2009 Page 5

6 IRS, and Match.com. Additionally, eight of the top 10, and over half of the top 50, most attacked brands are included in the Avalanche kit. The trend shows a decrease in the share of phishing for e-commerce and money transfer, as there has been a shift towards commercial banking platforms. Criminals have likely realized that there can be more money to steal from a small business account than a personal bank account or payment service account. Criminals have also identified new ways to move money from these accounts, primarily through ACH transfer often to bogus payroll set-ups that pay their money mules directly. However, phishing for personal credentials of e-commerce or money transfer sites are not declining, there is simply faster growth in other areas. As seen previously, phishing volume overall continues to increase. TOP LEVEL DOMAIN (TLD) TRENDS As usual, the.com TLD was used in nearly half of all phish. The beginning of Q2 saw.eu at 11%, but.net was observed at 18% in June with.eu dropping below 2% - largely attributable to Avalanche patterns. Other notable TLDs that have been vigilant against phishing, and therefore were little used by phishers, are.info,.biz, and.mobi. Avalanche phishing will often use the same secondary label but under different TLDs. It is common practice for them to register.com,.net,.org, and other cctlds for a domain. Restricted cctlds, which generally require documentation and proof of residency before granting registrations, have been successful in avoiding fraudulent registrations. Internet Identity - Phishing Trends Report - Second Quarter 2009 Page 6

7 Front Line Report: Interdomain Beats Back the Avalanche by C. Sills, Anti-Phishing Operations Manager In March 2009 our team started working with Interdomain in Spain as the latest target for domain registrations by the Avalanche group. Our team reached out to them, explained how the Avalanche group attacks registrars, and offered to report the fraudulent domains in whatever method helped them best so that we could make the Avalanche move away as soon as possible. Unfortunately, the policies at Interdomain were not proving to be effective at suspending domains. As April began we continued high-level contacts with Interdomain about what needed to change in their policies in order to have domains suspended quicker. Usually these situations end in the registrar adding language to their Acceptable Use Policy about having the authority to disable a domain or an account if they determine fraudulent activity is taking place. Sometimes the policy change is for immediate suspension of a domain if false WHOIS data is provided (instead of following a much lengthier ICANN reporting procedure). Interdomain had a different plan though, one that we had not encountered before. They started requiring a Cell Phone number during account creation, to which they would send a text message with a confirmation code needed to then verify the creation of the new account. This function effectively broke the process that the Avalanche group was using for their automated registrations. Interdomain implemented their new verification process on April 22, The next day, the Avalanche ceased using Interdomain to register its fraudulent domains. Interdomain s increased verification efforts forced the Avalanche to move to a new registrar since they could not abuse the services of Interdomain any further. We applaud Interdomain for their innovation and commitment to fighting fraud! Internet Identity - Phishing Trends Report - Second Quarter 2009 Page 7