RSA Online Fraud Report

February, 2010

A Monthly Intelligence Report from the RSA® Anti-Fraud Command Center

Online crime is constantly evolving and fraudsters do not discriminate against any organization or person. Online attacks involving phishing, pharming and Trojans represent one of the most organized and sophisticated technological crime waves worldwide. Online criminals work day and night to steal identities, online credentials, credit card information, or any other information that they can efficiently monetize. They target organizations in all sectors, as well as any person who uses the Internet at work or at home.

These online criminals also have new tools at their disposal and are able to adapt more quickly than ever with advanced crimeware; rapidly deployed using stealth mechanisms. Their supply chains have evolved to match that of the legitimate business world, including the ability to provide what RSA coined “Fraud-as-a-Service”.

This monthly intelligence report has been created by the experienced team of fraud analysts from the RSA Anti-Fraud Command Center. It includes a monthly highlight based on keen insight into the world of online fraud as well as statistics and related analysis from RSA’s phishing repositories.

About the RSA Anti-Fraud Command Center

The RSA® Anti-Fraud Command Center is a 24x7 war room that helps organizations detect, block, monitor, track and shut down phishing, pharming and Trojan attacks across more than 140 countries. Protecting more than 300 organizations against online attacks, the RSA Anti-Fraud Command Center has shut down more than 275,000 phishing attacks to date and is a key industry source for intelligence on new and emerging online threats.

The RSA Anti-Fraud Command Center is staffed by more than 100 experienced fraud analysts and has established direct, open channels with dozens of Internet Service Providers around the world, as well as numerous CERTs and law enforcement agencies. Multi-lingual translation support is available in nearly 200 languages to further enhance its ability to detect, block and shut down fraudulent websites and significantly reduce the average uptime of online attacks around the globe.

The RSA Anti-Fraud Command Center is staffed by over 100 experienced fraud analysts.

U.S. Colleges and Universities Become a Favored Target for Phishing

Since the beginning of the year, RSA has detected several phishing attacks disguised as the online portals or webmail services of American higher education institutions. In 2009, RSA detected a minimal number of attacks against universities and colleges. But this sudden reversal may mark a new trend in phishing and online fraud – and a source for concern within the education sector.

Phishing attacks against colleges and universities are focused on stealing the login credentials that students use to access all their personal university-related information and email; credentials that usually consist of students’ usernames and passwords. As to why phishers are seeking out students’ information we can only speculate, though some universities report to have suffered attacks that resulted in the distribution of additional spam or 419 scams. Or perhaps it could ultimately be used to apply for financial aid or bogus student loans, as demonstrated by a recent case in Arizona.

As for the types of institutions that recently endured phishing attacks, a majority were targeted at public state universities in the U.S. And as to what the fraudsters were going after – 70% of the attacks were targeted at the online portals of the universities which offer various student services, including webmail, and 30% of the attacks solely targeted webmail services.

Students conduct much of their correspondence and activities through their university’s dedicated student portal and use their university’s webmail services. Access credentials to these services allow students to view grades, update personal information, access student loan accounts or other payment information, and view their paid/invoiced courses. Through the same portals or webmail services, students also compile email distribution groups and use instant messaging. Compromised webmail accounts may give phishers another foothold in students’ personal computers, since compared with other unsolicited e-mail content, spam e-mails would gain credibility when coming from peers, especially if messages are sent from a university webmail address.

A similar issue has been plaguing social networking sites with phishers targeting users through messages that appear to be sent from other users within the network. Compromised member accounts are then used to spread spam to friends that appear on a user’s peer list, exploiting the credibility and trust of e-mail messages received from friends. (Users are more likely to open e-mails and click on links inside them if they believe a friend recommended them or found them funny or entertaining.)

Essentially, once they gain access to a student’s personal profile, fraudsters can exploit this information to:

– Steal personal and financial information from a student’s online profile. A student’s profile may contain sensitive information such as details of student loans or banking and credit card information used to pay tuition. Personally identifiable information such as Social Security numbers, date of birth and mailing address may also be targeted.

– Send additional spam email from the student’s compromised email account in a bid to bypass anti-spam filters. An email originating from the university’s own SMTP servers is not likely to get blocked as spam.

As for the second possibility, spam email that seems to originate from the college or university’s internal network may open further windows of opportunity for socially engineered scams. Spam email may serve to:

– Recruit students for money mule operations, where they would unwittingly transfer stolen funds from compromised accounts to the scam’s operators or their accomplices. As most students have little time to work, and even less cash in their pockets, some fraudsters consider them perfect candidates to recruit as mules. Moreover, some would be less experienced in choosing jobs; a fact that would make money muling work and other jobs, such as reshipping illicitly obtained goods, appear to be lucrative opportunities to the unwary.

– Distribute phishing attacks disguised as online banking sites in hopes of gaining access to the student’s bank account. For example, fraudsters may abuse a university’s e-mail platform to spread student loan scams.

– Redirect students to websites where they would be
infected with a Trojan. Students may be urged to click
a link or open an attachment within an email that
purports to be an important security update, financial
report, or social network invitation. However, the
linked website or attachment actually contains the
executable file of a Trojan which runs malicious code
on the computer and is capable of stealing every
username and password the student types. A Trojan
infection is known to have taken place last month at
Humboldt State University in California, where a
compromised machine may have exposed the personal
information of 3,500 people employed by the school
between 2002 and 2006.

Most alarming is that many of today’s Trojans have a “backdoor” – a function that enables a fraudster to remotely connect to and control victims’ computers whenever they are online. Therefore, a computer infected with a Trojan could potentially serve as a remote connection to a university’s internal network.

Figure 1: Phishing attack masquerading as a University's Webmail portal

Another factor that further facilitates a fraudster’s work is that most universities do not educate students about online security. Today’s college students are very Internet-savvy and open to sharing lots of personal information online, and unfortunately, not as concerned when it comes to taking appropriate measures to protect their identity online. Furthermore, while most universities do not employ sophisticated security measures that are commonly deployed by government, business, and financial institutions, their portals often do harbor sensitive information about each of their students.

The Open Security Foundation, a respected non-profit that has been tracking data loss incidents for nearly two decades, reports that the education sector has accounted for 21% of all data breaches, most of which result in the compromise of large volumes of sensitive information stored within university databases.

The recent spike in phishing attacks on U.S. colleges and universities will hopefully serve as a wake-up call for these institutions to take proactive measures to safeguard the personal information of their students and staff members. Otherwise, cybercriminals may continue to target their portals and webmail services in an effort to steal and exploit sensitive personal details. Through education and proper authentication of online users, universities can turn this trend around.

Figure 2: Phishing attack disguised as a University’s login page

Phishing Attacks per Month

Trend Analysis

The first month of 2010 marked a new record high for the number of phishing attacks, identified by RSA in a single month: 18,820 attacks total. This represents a 21% increase from December. Looking back to January 2009, we see that worldwide phishing attacks more than doubled within a single year’s time and are still climbing rapidly.

Fast-flux attacks in January accounted for 24%, up 4% from December. Standard phishing attacks show a 12% increase compared with December.

Holding the trend observed since November 2009, the largest portion of phishing attacks is still being hosted via standard methods. As to whether this trend will continue, we are already witnessing a measurable increase in fast-flux attacks – indicative of a slow comeback from the Rock Phish gang.

[Chart: Phishing Attacks per Month, monthly totals from Jan. 09 to Jan. 10 on a 0 to 20,000 scale]

Source: RSA Anti-Fraud Command Center

Distribution of Attacks by Hosting Method

Trend Analysis

Following the changes observed since November 2009, the majority of phishing attacks in January were hosted on hijacked websites (increasing nearly ten percent from last month). Surprisingly, fast-flux attacks are still outnumbered by attacks hosted using other methods. This shift reflects the Rock Phish gang’s diminished phishing activity over the last couple of months as they have been increasingly focused on social-engineering malware infection campaigns rather than classic phishing attacks.

Chart data (share of attacks by hosting method):
– Hijacked Website 62%
– Commercial Hosting 18%
– Free Hosting 8%
– Hijacked Computer 7%
– Fast Flux 5%

Source: RSA Anti-Fraud Command Center

Hosting Methods

– Fast-flux networks use an advanced Domain Name System (DNS) technique that utilizes a network of compromised computers, known as a botnet, to host and deliver phishing and malware websites. The compromised computers act as a proxy, or middleman, between the victim and the website. It is difficult to expose and shut down fast-flux networks as content servers that deliver phishing and malware websites are hidden behind a cloud of compromised machines whose addresses change very quickly in order to avoid detection.

– Hijacked websites are those where fraudsters host their illegal content on legitimate websites' sub-domains, avoiding the registration of their own domains used for phishing attacks.

– Commercial hosting involves fraudsters who host their malicious websites for other fraudsters in exchange for a fee.

– Hijacked computers consist of compromised computers whose IP addresses were assigned to a specific phishing domain.

– Free Hosting refers to attacks that leverage free hosting services.
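
A defender-side sketch of the fast-flux trait described above (addresses that change very quickly across many compromised machines), added here as an example that is not part of the RSA report: it scores repeated DNS lookups per domain by distinct addresses, distinct /24 networks and turnover between consecutive answers. The observations, domain names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (domain, minute of lookup, A records returned).
# Names use the reserved .example TLD; addresses are private/documentation ranges.
OBSERVATIONS = [
    ("webmail-verify.example", 0,  ["10.11.4.9", "10.87.200.3", "10.140.16.77"]),
    ("webmail-verify.example", 5,  ["10.23.9.40", "10.66.1.8", "10.201.54.12"]),
    ("webmail-verify.example", 10, ["10.95.33.5", "10.12.70.61", "10.178.2.90"]),
    ("webmail-verify.example", 15, ["10.44.8.19", "10.150.6.2", "10.230.91.7"]),
    # Round-robin load balancing: answers rotate, but inside one network.
    ("cdn.campus.example", 0,  ["192.0.2.10", "192.0.2.11"]),
    ("cdn.campus.example", 5,  ["192.0.2.12", "192.0.2.13"]),
    ("cdn.campus.example", 10, ["192.0.2.10", "192.0.2.11"]),
    ("cdn.campus.example", 15, ["192.0.2.12", "192.0.2.13"]),
    # Ordinary site: the same address on every lookup.
    ("portal.university.example", 0,  ["198.51.100.25"]),
    ("portal.university.example", 5,  ["198.51.100.25"]),
    ("portal.university.example", 10, ["198.51.100.25"]),
    ("portal.university.example", 15, ["198.51.100.25"]),
]

def flux_metrics(observations):
    """Per domain: distinct addresses, distinct /24 networks, mean turnover."""
    answers = defaultdict(list)
    for domain, _minute, ips in sorted(observations, key=lambda o: (o[0], o[1])):
        answers[domain].append(set(ips))
    metrics = {}
    for domain, sets in answers.items():
        seen = set().union(*sets)
        nets = {ip_network(f"{ip}/24", strict=False) for ip in seen}
        # Turnover: share of each answer that was absent from the previous answer.
        churn = [len(cur - prev) / len(cur) for prev, cur in zip(sets, sets[1:]) if cur]
        metrics[domain] = {
            "distinct_ips": len(seen),
            "distinct_nets": len(nets),
            "turnover": sum(churn) / len(churn) if churn else 0.0,
        }
    return metrics

def flag_fast_flux(observations, min_ips=8, min_nets=5, min_turnover=0.5):
    """Domains whose answers churn quickly across many unrelated networks.
    The thresholds are illustrative assumptions; tune them on local DNS data."""
    return sorted(
        domain for domain, m in flux_metrics(observations).items()
        if m["distinct_ips"] >= min_ips
        and m["distinct_nets"] >= min_nets
        and m["turnover"] >= min_turnover
    )

if __name__ == "__main__":
    for domain, m in sorted(flux_metrics(OBSERVATIONS).items()):
        print(domain, m)
    print("flagged:", flag_fast_flux(OBSERVATIONS))
```

The round-robin domain has the same turnover as the fast-flux one, which is why the network-diversity count is needed to separate ordinary load balancing from a rotating pool of unrelated hosts.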

Total Number of Brands Attacked

Trend Analysis

In January, the total number of attacked brands only climbed by two percent compared to December. The number of brands attacked under five times remains almost unchanged with 160 entities (versus 163 last month) representing a 57 percent portion. Thirty-five new entities endured their first phishing attack, more than triple the number reported in December. These figures reflect the tendency of fraudsters to repeatedly target the same few brands.

[Chart: Total Number of Brands Attacked, Jan. 09 to Jan. 10, with the series "Brands attacked under five times", on a 0 to 300 scale]

Source: RSA Anti-Fraud Command Center

Segmentation of Financial Institutions Attacked Within the U.S.

Trend Analysis

The preferred target for phishing attacks in the U.S. was regional banks, a trend that has held steady for eight consecutive months. The portion of nationwide U.S. banks attacked in January climbed from 19 to 25 percent while the portion of targeted U.S. credit unions increased four percent.

Chart data (share of attacked U.S. financial institutions by segment):

Month      Credit Unions   U.S. Regional Banks   Nationwide U.S. Banks
Jan. 09    27%             49%                   24%
Feb. 09    38%             29%                   33%
Mar. 09    22%             56%                   22%
Apr. 09    14%             52%                   34%
May 09     18%             35%                   47%
Jun. 09    18%             57%                   25%
Jul. 09    17%             58%                   25%
Aug. 09    24%             45%                   31%
Sep. 09    13%             52%                   35%
Oct. 09    13%             57%                   30%
Nov. 09    9%              60%                   31%
Dec. 09    10%             71%                   19%
Jan. 10    14%             61%                   25%

Source: RSA Anti-Fraud Command Center


Top Ten Countries Hosting Phishing Attacks

Trend Analysis

The U.S. remains the top hosting country, hosting the largest share of attacks for the month and climbing 12 percent to 57 percent in January. China remained the second top hosting country although the portion of attacks hosted in the country diminished from 17 percent to just nine percent in January.

The U.K. saw a drop in the number of attacks hosted in the country, down from 15 percent to five percent. Canada, France, Australia, and Russia fluctuated by no more than 2 percent each in terms of the number of attacks they hosted in January.

Chart data (share of hosted attacks by country):
– U.S. 57%
– China 9%
– South Korea 8%
– Germany 6%
– UK 5%
– Canada 4%
– Australia 3.5%
– France 3.5%
– Singapore 2%
– Russia 2%

Source: RSA Anti-Fraud Command Center

Top Ten Countries by Attack Volume

Trend Analysis

Attack volumes per country fluctuated by no more than one to two percent within each country throughout January. The United States remains the top country in terms of the number of attacks suffered in January, rising 2 percent from the volume reported in December. The U.K. dropped one percent while the attack volume in China decreased from six to 3.5 percent.

Chart data (share of attack volume by country):
– U.S. 48%
– UK 34%
– Italy 5%
– South Africa 4%
– China 3.5%
– India 2%
– Canada 1.5%
– Germany 1%
– Australia .5%
– Spain .5%

Source: RSA Anti-Fraud Command Center

Top Ten Countries by Attacked Brands

Trend Analysis

Fraudsters continue to attack brands in the same countries, namely the U.S. and the U.K., which represent 70 percent of the global brands targeted in January. Other countries whose brands consistently suffer the most attacks include Italy, Australia, Canada, South Africa, Spain and India.

Chart data (share of attacked brands by country):
– U.S. 51%
– UK 19%
– Italy 6.5%
– Australia 6%
– Canada 6%
– India 4%
– South Africa 4%
– Netherlands 3%
– France 2%
– Spain 2%

Source: RSA Anti-Fraud Command Center

The information set forth in this RSA Online Fraud Report is based on sources and analysis that RSA Security Inc. (“RSA”) believes are reliable.
Statements concerning financial, regulatory or legal matters should be understood to be general observations of the RSA professionals and may not be relied upon as financial,
regulatory or legal advice, which RSA is not authorized to provide. All such matters should be reviewed with appropriate qualified advisors in these areas. RSA reserves the right
to notify law enforcement authorities and/or other relevant agencies regarding the information RSA uncovers in the course of doing business.

Usage Guidelines
Individuals and organizations may reference content from any RSA Online Fraud Report by following these guidelines:
(1) Reprinting and/or distributing an entire RSA Online Fraud Report requires prior approval from RSA in all cases. This includes an entire Monthly Highlight and/or the full set
of Statistics and Analysis from RSA’s phishing repositories. Any requests to reprint and/or distribute an RSA Online Fraud Report must be directed to Heidi Bleau at
heidi.bleau@rsa.com.
(2) It is permissible to reference up to three sentences from the Monthly Highlight. They must be cited in their entirety and within quotation marks. Any requests to cite more
than three sentences must be directed to RSA.
(3) It is permissible to reference up to three sets of Statistics and Analysis from RSA’s phishing repositories. Any requests to cite more than three sets may be directed to RSA.
Charts may not be redrawn. All citations from related data analysis must appear in full sentences and within quotation marks.
(4) It is required that all references to the RSA Online Fraud Report are credited in the following manner: “Source: RSA Anti-Fraud Command Center, RSA Online Fraud Report,
[month], [year]”.

EMC, RSA, RSA Security, FraudAction and the RSA logo are registered trademarks or trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks
mentioned herein are the properties of their respective owners.

ONLINE FRAUD REPORT FEBRUARY 10
