RSA's Research Lab Finds New Attack Technique

by CXOtoday Staff    Sep 29, 2009


The RSA Fraud Action Research Lab investigated a number of attacks involving the ‘Zeus Trojan’ during May-July 2009. The lab discovered and traced a new Internet attack technique that lets criminals receive compromised credentials quickly.

RSA’s research into several Zeus Trojan variants revealed that some online criminals have started using the open Jabber instant messaging (IM) protocol as a quick delivery mechanism for compromised user credentials. Using Jabber, stolen information is sent to these fraudsters as soon as it is collected from computers infected with the Zeus Trojan.

According to the report:

  • This month’s highlight discusses a new method being employed by online criminals that enables them to retrieve compromised credentials in real time. Using Jabber, which is instant messaging software, a criminal can receive stolen credentials as soon as they are collected from a user who has been infected by a Trojan.
  • As of August 1, 2009, the RSA Anti-Fraud Command Center has shut down over 184,000 online attacks.
  • There were over 13,000 phishing attacks identified in July 2009, only slightly higher than the number reported in June, but still marking a 12-month peak.
  • The number of attacks by each U.S. banking segment remained relatively the same as in June, with regional banks enduring nearly 60 percent of attacks.

Phishing attacks per month
The number of attacks launched in July rose by only 1.5 percent as compared to June. While standard phishing attacks dropped five percent last month, ‘fast-flux’ attacks increased by seven percent. Fast-flux attacks have outnumbered standard phishing attacks for three consecutive months now; a trend, according to the RSA Fraud Action Research Lab, also reflected in the Hosting Methods statistics.

Distribution of attacks by hosting method
Phishing attacks hosted on hijacked websites dropped from 26 percent to 25 percent, with commercial hosting staying the same at eight percent. With the five percent increase in the number of fast-flux attacks in July, the rate of attacks hosted on fast-flux networks climbed last month from 56 percent to 61 percent. Attacks hosted on hijacked computers fell from seven percent to three percent, while free Web hosting retained a steady rate of three percent.

Top ten countries hosting phishing attacks
In July, the rate of attacks hosted by the U.S., in terms of its portion within the top ten hosting countries, fell almost 30 percent to 42 percent. Italy’s portion, in contrast, rose by five percent, hosting 26 percent of the top ten’s attacks. The U.K. resurfaced in the roster of hosting countries after a two-month absence, with nine percent, followed by Germany with eight percent. Rock Phish domains were registered in large quantities in all four top-hosting countries. Mexico and China are this month’s new arrivals. The countries that have consistently hosted the most phishing attacks over the past year are the U.S., the U.K., Germany, France, Russia and South Korea.

Top ten countries by attack volume
The rates of attacks suffered by the ten countries that endured the most attacks remained similar in July to those reported in June. The only substantial changes to the list in July were the entrance of China and the departure of Ireland. Over the past year, the five countries that have consistently suffered the largest portion of attacks have been the U.S., the U.K., Italy, Canada, and South Africa. Italy replaced Australia as the third country enduring the most attacks.