Security Response Weblog

  • Cashing Out on Identity Theft

    There’s been a lot of coverage on the FBI Bot Roast II campaign where they released information about eight suspects who have been indicted for conducting criminal botnet activity. Bot herder suspects from across the United States have been linked to criminal activities such as DDoS attacks, conducting multi-million dollar phishing and spamming scams, and in particular stealing personal information that could lead to identity theft.

    Thousands of pieces of personal information are sold and traded in underground economy servers found in Internet relay chat (IRC) rooms. When I look around the servers that we monitor, it reminds me of Causeway Bay at night in Hong Kong. Large advertisements bombard you with capital letters and carders repeat their sales pitches across multiple lines to attract people to their bargains. They list off their best deals and even offer cheaper prices if you buy in bulk as stated in the ISTR XII.

    Fresh CCs for sale. PM me for details
    Bulk discounts for US & UK FULLZ
    Cheap fresh fullz incl DOB, SSN, MMN, DL, EMAIL

    When criminals sell stolen information, such as credit cards, credit verification values (CVV), bank accounts/logins, and dumps (magnetic strip information) on underground economy servers, the purchaser will need to cash out on their newly acquired information to reap the rewards of their bounty. Unwilling to risk exposure, many purchasers will use the services of "cashiers" who will convert the information (for a fee) into true currency, either in the form of e-Gold or through money transfers.

    Cash-outs take a variety of forms depending on the type of true currency requested. Some cashiers wire money transfers online using the stolen credit card and hire a middle-man who receives the transfer in person using a fake identity. Since this type of money transfer ensures anonymity, can occur in a matter of hours, and results in hard currency, many cashiers use this method. E-gold payments are also very popular among cashiers since the process is instantaneous and the payments are final, i.e. there is no possibility of chargebacks. Money is transferred from bank accounts or credit cards, using exchange services, into e-gold currency accounts in as little as an hour.

    Most cashiers charge a percentage of the cash-out value as their fee. This percentage can range from 10% to 50% depending on the speed of the transaction, whether or not the account is blocked, and the amount of the cash-out. Cashiers are careful that the amounts they cash out are large enough to satisfy their client but small enough not to alert the authorities or the official account holder.

    On a positive note, the exposure of underground economy servers has shed light on their methods. Many currency exchange services no longer accept credit cards or third-party requests, and are more stringent on identity checks.

  • Getting Acquainted With Rock Phishing

    Antiphishing filters basically work either on block listing or on heuristics. "Rock phish" attacks are quite a recent phenomenon that has posed a major challenge to both of the above-mentioned filter types, simply because the unique structure of a Rock phish attack circumvents antiphishing filters. This phishing technique can be traced back to somewhere around August 2006. The URL structure was comparatively simpler then, consisting of a randomized root domain and three sub folders. But the principal cause of the recent surge in the number of such attacks is the botnet phenomenon. So, what then is so special about Rock phish? Well, this technique has a trademark method of striking naïve targets.

    The URLs that navigate to the fraudulent Web sites have a unique structure. For example, the structure of this URL is Rock phishing specific: http://www.xxx.xxx.user123990.com/login/challange/2b593cba/login.php. In fact, it is extremely difficult to tell a legitimate site from a fraudulent one unless you look closely at the root domain, which is "user123990.com" in the URL above. The root domain is the last part of the host name, which ends at the first forward slash (/) after the scheme.

    To attempt to get to your money, the Rock phish community of fraudsters begins its spade-work through botnets that release millions of spam mails containing a message purporting to come from a financial institution, in the hope of enticing you to click on a fraudulent URL mentioned in the mail. The prey falls into the trap by doing so. Then follows the second stage, wherein the prey is lured into giving up confidential data such as a login password, bank info, credit card details, or a social security number. Within an instant the whole drama is complete, the coveted data is obtained, and your money is siphoned out.

    Given below is a set of fraudulent Rock phish URLs to get your eyes accustomed to their structure:
    1. http://XXX.xxx.xxx.ebank-service.com.nubi.signin138003006.aspx.vdw3.com/Secure_Authentication.htm
    2. http://XXX.de.e-koy.com.es/kundendienst/anfang.cgi/frame4.htm
    3. http://XXX.de.fmkmemw.hk/kundendienst/anfang.cgi/frame4.htm
    4. http://XXX.com.refid02854442.gopo45.li/service/default.aspx/refererident.htm
    5. http://XXX.co.uk.legalidport.hb.cn/securesession/action.aspx
    6. http://XXX.XXX.com.36343477.sapisss.eu/sc/saw-cgi/xxxISAPI.dll/index.php

    Because the root domain is the unique feature of Rock phishing, let's delve deeper into their specific characteristics:
    1. The root domain is recently created.
    2. The registration is done in a randomized country domain, especially some of those that aren't under the antiphishing group's watch or that of law enforcement agencies.
    3. The name server is another important point to be noted.

    Domain Name: FMKMEMW.HK
    Domain Name Commencement Date: 09-11-2007
    Country: HK
    Expiry Date: 09-11-2008
    Re-registration Status: Complete
    Company Name: YAN IUAN HO
    Name Servers Information:
    NS1.POLO456.COM
    T1.BAR-BAR-COM.COM
    DOT2.VILOPR.CN

    It is interesting to note that before these bogus domains are identified and blocked, fraudsters have already done the damage. Looking at the Rock phish URL more carefully, you will see some random numbers with a few alphabet characters mixed in. These alphanumeric tokens are used to randomize the URL string and make it unique, complex, and difficult to differentiate from a legitimate one. By the way, such alphanumeric tokens are widely used in legitimate URL strings as well. The makers of Rock phish exploit this common practice to the best of their advantage.

    Now there are Rock phish fraudulent URLs that have blended threats, such as Trojan programs, viruses, and malware embedded in them that can severely damage computers. One such example—hxxp://xxx.session-12034016.xxx.bank.com.modid7.li/forms/clientcare.apx/—contains Trojan-Spy.HTML.Bankfraud.sp.

    So we could easily expect a pandemic type of situation in the near future. If Rock phish emanates from botnets, then we need to be wary of botnets that stealthily enter computers through social networking, pirated software, free downloads, and other tricks such as fake security updates for commonly used software.

    In conclusion, we can say that Rock phish URLs are engineered with specific brands in mind. A clear pattern seems to be emerging in their attacks. After meticulous observation, we can safely conclude that the makers of Rock phish have certainly revolutionized the art of phishing. They are sophisticated, hardcore technicians and are maturing into experts in the field of spam and fraud. They certainly seem to be advanced in technology, using fast flux architecture to change name servers and site location in an instant, and automating proxy servers to such an extent that if one is taken down the attack automatically switches to the next. Thus, they are able to lengthen the life span of Rock phish URLs and make them stealthier. Therefore, it is absolutely necessary for everybody to become well acquainted with Rock phish to avoid becoming their next victim.

    Note: My thanks to Christopher Mendes, Sr. Analyst in Security Response, for his hard work in analyzing this threat.

  • Attacks on Credit Unions and Community Banks

    The second half of 2007 has seen a sudden surge in the number of phishing attacks on financial puddles like regional banks, credit unions, and small- to mid-sized credit unions. But why are fraudsters focusing on localized financial institutions? The answer is simple: they are highly profitable and have fewer resources to protect them from phishing when compared to larger institutions. Larger institutions have secu