RSA finds new malware enhanced phishing technique

RSA said Monday that it discovered a new phishing technique that uses elements of a malware attack to swipe personal information.

The discovery illustrates a series of attacks from the Rock Phish group, which is a gang reportedly based in Russia that has been targeting financial institutions since 2004.

Among RSA's key findings:

  • Rock Phish attacks account for 50 percent of phishing incidents and have stolen "tens of millions of dollars" from bank accounts.
  • This is the first time crimeware has been used in a Rock Phish attack.
  • Victims of these phishing attacks get their personal data stolen and are infected by the Zeus Trojan. Double the pain for victims.

RSA's Uriel Maimon said in a blog post:

The Rock Phish group is a phishing gang believed to be based out of Russia -- and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Within the past few weeks there has been a new advance -- the inclusion of identity theft malware (or Crimeware) into the Rock group's phishing attacks. I have written before about the problems this type of malware poses, but coupled with the robust infrastructure the Rock group has at its disposal, this is more than double the trouble.

In general, the latest Rock Phish attack includes the following:

  • Victim is duped into going to a phishing site;
  • Victim is infected with the Zeus Trojan even if he or she doesn't submit information;
  • Zeus is masked;
  • The Zeus Trojan can take screen shots, control a machine and steal passwords so even if you don't fork over information initially the malware will get it.

Topics: Security, Malware

Talkback

13 comments
  • Shocked!

    Gee, you forgot to mention which operating system(s) are
    susceptible to this thing.

    The magic 8-ball says it's only one...the usual one...every
    time...and of course it being the case 100% of the time is
    not because it's built like crap...it's because
    it's "popular"...hmmm...the only way that makes any sense
    is if by "popular" you mean in the way that certain girls in
    high-school were "popular"...and...oh look...most of them
    have virus problems too!
    smartguy2@...
    • Shocked?

      Interesting user name. Did you get it the same way a tall guy gets the nickname "Tiny"?
      BikerB
  • Russia isn't in Baghdad, Iran, Pakistan and so on

    Russia doesn't fit as criminal. You'd do best to prove that this attack came from Russia. I'm working hard to make Russia my friend.
    BALTHOR
    • no, but it does provide an env. conducive for crime

      And some parts of Russia, especially Moscow, are a
      criminal's paradise; and they have invented many forms of
      theft.

      One example, they get into online stock accounts, sell out
      the holdings and buy into public Russian companies worth
      nothing.

      The shares to do this come from purchases they have
      already made, and your loss is their gain.

      This method alone has cost US-based investors more than
      $100M.
      jgisme2@...
    • And Vladimir Putin is the former head of what?

      Oh that's right...the KGB.

      No, they were a real nice bunch of folks. Never killed anyone, never spied on anyone, none of that. Real choir-boys. Oh yea...choirs were outlawed under the old CCCP too.

      "Russia doesn't fit as criminal." What are you smoking?
      IT_Guy_z
      • just out of curiosity ("And Vladimir Putin...")

        So you're under the impression that the folks who make and enforce laws generally follow them? If you're in a country where you 'know' this to be true, please let me know.
        --Glenn
        oregonnerd13
  • RE: RSA finds new malware enhanced phishing technique

    Not very useful. What attack vectors are used? Oh, they're unknown, that's very helpful. That blog post is a pretty good advertisement for the Zeus Trojan kit, not much else.
    Greenknight_z
  • RE: RSA finds new malware enhanced phishing technique

    Pointless, information-less article. Find something useful to write about.
    The Rationalist
  • More info, please.

    Is this just an IE problem, or can Zeus Trojan get past Firefox?
    peter_erskine@...
  • RE: RSA finds new malware enhanced phishing technique

    wow....I dunno if your sources just didn't provide you with the info or you just weren't looking, but I've come to expect a lot more out of ZDNet articles than this.

    1. No explanation of attack vectors. Does it hit through e-mail? Are these people hijacking legitimate links? Are we all already 0wned, and just don't know it? (exaggeration on that last one, obviously, but I want to make my point here.)

    2. Do any of the major security companies (McAfee, Symantec, Lavasoft for pete's sake!) have any fixes on Zeus? If so, are they already included in the respective security suite, or where can I get them? What does "masked" mean? Does that mean it avoids the software?

    I appreciate the alert, but I'd like more info.
    jebakk
  • RE: RSA finds new malware enhanced phishing technique

    Why is it that there is an increasing trend to move us to greater internet dependency (apps moving off our computer and onto the web for instance) when we can't provide reliable internet security?

    And I agree that we need to know more about what to do about the information in this article.
    drdave@...
  • RE: RSA finds new malware enhanced phishing technique

    See http://www.wwpi.com/index.php?option=com_content&task=view&id=4053&Itemid=128 and then a number of references (via Copernic) dated today. I think this may have been a successful dupe job by RSA to get free advertising, especially since the referenced URL says something about phishing, fake sites, and trojans.
    --Glenn
    oregonnerd13
  • RE: RSA finds new malware enhanced phishing technique

    The research that answers all the questions posed on this subject can be found at http://www.bloggernews.net/115279 . The reliability of the article is not known, which in this case should make little difference. This is a JavaScript engine that taints normally safe websites and is a concern. Is the latest version of FF vulnerable? I don't know, but I feel safer than using IE.
    webtech_z