For Fraudsters by Fraudsters: iFrame Traffic Shop Opens for Business

Cybercrime does not rest; hackers and malware authors are always looking for new ways to make money using what they know best: programming and the Internet. One of the most recent innovations to come through was a new iFrame Shop made for fraudsters by fraudsters.

Services that sell web traffic (including iFrame traffic) already exist on the web and occupy something of a gray area when it comes to increasing the flow of visitors to specific URLs. The use of iFrames and hidden iFrames is also part of how these services operate, including the fact that they track and collect visitor IP addresses, OS type, screen resolution, and ISP names without the user’s knowledge or permission.

One of the popular offerings from web traffic services is the ability to target specific countries, sending visitors from a specific location to the traffic buyer’s URL. Beginning to sound better and better by the moment, isn’t it? Fraudsters are big on targeting specific countries, whether for different fraud schemes or for malware infections and financial fraud.

What are iFrames?

iFrames are HTML elements that embed content, be it HTML or JavaScript, from another web page. When used legitimately, iFrames highlight important pages on a website or are sold as advertising space. They can be seen on almost every web page you visit. For example, the RSA website uses iFrames linking to other RSA web pages, as seen below:

[Screenshot: RSA web page using iFrames to link to other RSA pages]

However, the fact that iFrames can be hidden and can run malicious code makes them quite popular in fraudster circles for infecting victims’ machines with Trojans and other forms of malware.

How can cybercriminals leverage iFrames to spread malicious content? They do it in three ways:

  • They create websites and direct their botnets to the site’s URL, thus generating fake and illegal traffic on that site and making it appear heavily visited. They then attempt to monetize it with click fraud.
  • They compromise pages in existing websites, inject iFrame content into them, and send web visitors to that location, on top of preying on the unwitting visitors of that website.
  • They hijack an entire website and use its pages to host their own content, then send users to that seemingly legitimate website.

By being able to control the iFrames and their content, cybercriminals direct the flow of traffic sent to them from botnets or optimize search engine results in an illegal way to have web users’ search queries bring up poisoned results (SEO poisoning).

Placing unauthorized iFrames on high-traffic legitimate websites creates “junk traffic” and click fraud, both of which are illegal. iFrames can be made invisible by setting their height and width to 0, so that they are not visually displayed on the website. Considering that an iFrame can contain a drive-by download leading to a Trojan infection, the visitor will not even know it has occurred.
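A defender-side check for the hidden-iFrame technique just described. This is an added example, not code from the RSA report: it scans a page’s HTML for iFrames whose dimensions are zero or one pixel, or whose inline style hides them or pushes them off-screen. The sample page and the bad.example hosts in it are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that make an element effectively invisible to the visitor.
HIDING_STYLE_PATTERNS = [
    r"display\s*:\s*none",
    r"visibility\s*:\s*hidden",
    r"(?:^|;)\s*(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)",
    r"(?:top|left)\s*:\s*-\d{3,}px",  # positioned far off-screen
]


class HiddenIframeParser(HTMLParser):
    """Collect <iframe> tags whose attributes indicate the frame is not meant to be seen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        # The classic trick from the text: 0 (or 1) pixel width/height attributes.
        for dim in ("width", "height"):
            val = a.get(dim, "").lower().removesuffix("px").strip()
            if val in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        style = a.get("style", "").lower()
        for pat in HIDING_STYLE_PATTERNS:
            if re.search(pat, style):
                reasons.append(f"style matches /{pat}/")
        if reasons:
            self.findings.append({"src": a.get("src", "(no src)"), "reasons": reasons})


def find_hidden_iframes(html):
    """Return one {'src', 'reasons'} dict per suspicious iframe, in document order."""
    parser = HiddenIframeParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one ordinary advertising iframe and two hidden ones.
SAMPLE_PAGE = """
<html><body>
<h1>Example storefront</h1>
<iframe src="https://www.example.com/promo" width="300" height="250"></iframe>
<iframe src="http://bad.example/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://bad.example/x.html" style="position:absolute; left:-9999px; width:1px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Running it on a crawl of your own site’s pages is a cheap way to notice an injected frame before visitors do.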

New Underground Online iFrame Shop

A new store opened to service cybercriminals comes from an underground operator who apparently wished to provide his fraudster-buyers with an easy online platform through which they could trade, buy, or sell web traffic. Evidently, when used in the context of fraud, one can expect to see junk traffic leading to exploit kit infections, Trojan drive-by download sites, and live phishing pages, to name a few.

This is one of the only instances of such a shop being offered to members of the underground, although it cannot be considered surprising. It is evident that fraudsters have already been using these types of junk traffic services, although the purportedly ‘legal’ services offered online declare they only work with ‘clean’ traffic, allegedly ensuring that no malware, pop-ups, or malicious content is associated with their services.

This service, in a similar way to bulletproof hosting services, eliminates the need for fraudsters to hide their true intentions. It is clear up front that the purpose is going to be illegal and sure enough, the service operator will not ask too many questions about the malicious URLs and even actively partake in the operation.

The new shop’s main purchase panel shows the types of options offered by the store: buying, selling, statistics, and the average price for 1,000 visitors sent to the buyer’s page. The more targeted choices available to the buyer are to pick out a country from the drop-down menu or purchase a “Countries pack,” bundling a few countries into one deal. Depending on the country, the price per 1,000 visitors changes and can range from $8.00 USD to $18.00 USD.

Underground iFrame Shop – Main Traffic Purchase Page

If one chooses to sell iFrame traffic (or direct traffic to a specified URL), a “Sell Traffic” screen provides the interface for communicating the details to the service’s operator.

Underground iFrame Shop – Sell Traffic Page

In yet another page, traffic sellers are invited to sell direct traffic from the websites they control by using the service’s own domain for redirections. What they would need to do is send users from their own websites to that domain, thus creating more traffic for the operator’s URL and getting paid per batch of 1,000 visitors.

A member wishing to sell iFrame traffic can access the dedicated page set up and read instructions on the required process. Essentially, the traffic seller will be injecting the service operator’s URL into iFrames he already controls. That way, traffic will be sent to the service’s operator’s URL and the seller will receive payment.

Underground iFrame Shop – Sell Direct Traffic Set-Up

Underground Credit Card Store Operators Aggregate Their Stolen Data

The constant hustle and bustle of underground fraudster markets is a bountiful source for any and all types of fraud commodities and partnerships formed between seemingly anonymous criminals in the virtual world. And yet, one very prominent vertical, if we may, stands far out from the rest—credit card shops and just about everything that has to do with them.

What feeds credit card shops? What has been happening with these platforms through the past year? And what is the most recent novelty further popularizing this overflowing source of card fraud?

Why is it that CC Shops, as coined by residents of the underground, are one of the hottest black market subjects at any given time? CC shops are also the one fraud commodity to have developed as much, if not more than malware when it comes to the ways it is traded in the underground.

Is it possible that CC Shops are where fraud worlds collide? Compromised credit card data touches many aspects of the fraud cycle, and thus touches almost every cybercriminal and fraudster in that food chain. One cannot ignore the fact that many times a CC Shop does not only sell card data; many shops sell much more elaborate sets, including the type of victim information which can facilitate identity theft, thus being sought-out by an ever larger crowd of criminals.

Let’s see what ‘feeds’ CC Shops and keeps this vertical going. The biggest source feeding CC shops is hacked merchants (dubbed ‘shop-admins’), at times a one-time-hit type of a hack, grabbing the shop’s database; other times an ongoing data leak stealing daily feeds of incoming payment data from the hacked shop.

On the cybercrime and malware side, Trojan horses are made to recognize credit card numbers and parse them into a separate file for the botmaster to then use or sell. Take SpyEye, for instance: this Trojan has a CC Grabber module programmed precisely for that purpose.
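The card-number recognition a CC Grabber performs is the same pattern a data-loss-prevention or IDS rule looks for on the defender’s side. As an added example (not from the report), this scans a constructed capture of outbound form posts, keeps only digit runs that pass the Luhn check, and reports each hit masked together with its BIN, the six-digit prefix by which card shops index their stock.

```python
import re

# Candidate runs of 13 to 19 digits, optionally separated by spaces or dashes,
# not adjacent to further digits (so a longer numeric field is not split up).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check; every genuine payment card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (masked number, BIN) pairs for Luhn-valid card numbers found in text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            found.append((masked, digits[:6]))
    return found


# Constructed sample of outbound traffic: two test card numbers (industry
# placeholders, not real accounts), one 16-digit order reference that fails
# Luhn, and a phone number that is too short to qualify.
SAMPLE_CAPTURE = """
POST /checkout HTTP/1.1
cardnum=4111-1111-1111-1111&exp=1213&cvv=123
POST /checkout HTTP/1.1
cardnum=5500 0000 0000 0004&exp=0114
order_ref=4111111111111112 phone=5551234567
"""

if __name__ == "__main__":
    for masked, bin_prefix in find_card_numbers(SAMPLE_CAPTURE):
        print(f"card {masked} (BIN {bin_prefix})")
```

A rule like this on an egress proxy or in a host DLP agent flags the moment a grabbed batch of card numbers leaves the machine, regardless of which Trojan collected it.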

Malware infections and the resulting botnets also feed CC Shops. Every computer infected is likely to supply botmasters with more than one credit card number. One cannot ignore the aggressive increase in unique Trojan variants over the past year, which also means more credit card data is stolen and more of it is liquidated through CC Shops.

What else feeds CC shops? Well, the real world! POS Skimmers, ATM Skimmers, compromised payment processors – credit card data flows from just about every direction, and at that rate, someone has to sell it and someone is always buying. Good old supply and demand.

Before CC shops existed, fraudsters had to advertise and sell cards in forums. Only vendors with a good reputation were allowed to sell to others. When e-currency became a reality, and e-currency APIs allowed for e-payment, cybercriminals happily automated the whole card selling process on a web-based interface.

The essential nature of today’s CC shop is designed to operate like an ecommerce site and automate the purchase of compromised information by aspiring fraudsters. These platforms have been around for years and while they used to be operated by the more advanced criminals in the past, today anyone can buy a CC-Shop-Platform, off the shelf with a friendly GUI and support team.

Have a look at this rent-a-shop platform; in this case, fraudsters were even invited to ask for the customization options they would need for their shop, along with an embedded card-checking gate.

Underground vendors have turned the sale of CC Shop platforms into a child’s game. Comparable to the sale of ready-made phishing kits, underground vendors offer both CC-shop-kits and platforms for rent. Anyone can buy or even rent a shop, pay for set up and hosting and begin selling the card data they have in stock.

Like any shop, fraudsters assumed: if we build it, they will come. And “they,” their fellow fraudster buyers, are coming. A recent count of active CC shops operating underground today can easily surpass 100. The next step up, as it looks, is making fraud endeavors even easier!

Since almost all fraudsters know what they are looking for (cardholder gender, billing address area (Zip code), issuer/type of card, BIN), how about helping them find what they need – and faster? How about eliminating the need to register to a bunch of shops where they won’t even find the BIN they are after? What if they could access one search engine which would point them in the right direction?

And so, in a novel nefarious venture, one underground vendor decided to advocate aggregation. The vendor reached out to large CC Shop operators with an interesting offer: aggregation of the cards in their shops’ databases, which would allow fraudsters to query BINs on his site without the need to register. The result? More fraudsters, more visits, more new customers for each shop, more cards sold… Everybody wins, well, except for the global economy, that is.

The new CC Shop aggregator was launched and advertised on every carding forum in sight, advocating its easy use, friendly interface and soliciting other shop owners to join the revolution. Introducing “MegaSearch” – a compromised payment card data aggregator.

Using the new search site, instead of having to login to multiple different CC shops, card-buying fraudsters will have the aggregator access different shops’ databases, pull the available cards and display a collection of results for each query. Since each CC shop differs in the types of information it offers and allows for varying search criteria, at this time the MegaSearch interface will provide card searches by BIN – the common denominator to all CC shops.

Evidently, no card information is shown in the search results, which are very basic, only showing the name of the shop where the card can be purchased, the source shop’s URL, the card’s BIN and corresponding financial institution, and the number of such cards available in that shop’s inventory. Fraudsters would be able to search up to 50 different BINs in a single search.

This novel idea will facilitate the search for compromised cards to cash out and most likely increase the sale of the cards through the different shops. Beyond the fraud potential of this particular finding, the MegaSearch engine fits very well with the ongoing FaaS trend in underground markets, making fraud commodities easily accessible to fraudsters, meeting demand with supply, creating collaborations, and devising easier ways to buy, sell, pay and monetize.

Cybercriminals appear to be keeping the wheels of the underground economy turning in full speed and on time for the busy Holiday season.

Have a look at the MegaSearch website, apparently accessible to anyone with an Internet connection.

Figure 1: MegaSearch Aggregator – Welcome Page

Figure 2: MegaSearch Aggregator – Search Results Page

SonicWALL Positioned in the Visionaries Quadrant of Leading Analyst Firm’s 2011 Magic Quadrant for SSL VPN

Evaluation Based on Completeness of Vision and Ability to Execute

SonicWALL Offers Scalable Secure Remote Access Solution and Addresses Issues Brought on by Consumerization of IT

SonicWALL Introduces SRA EX9000 and Aventail 10.6 Software to Enable Secure Remote Connectivity for Up to 20,000 Concurrent Users of Windows and Windows Mobile, Apple Mac OS and iOS, Google Android and Linux

Charting the Evolution of Phishing

The RSA FraudAction team just marked a major milestone: the official shut down of 500,000 phishing attacks, carried out across 185 countries. Sometimes viewed as one of the oldest Internet scams in the book, phishing is still a very popular method among cyber criminals. RSA recently estimated that worldwide losses from phishing attacks during the 12-month period from July 2010 through June 2011 reached nearly $1 billion.

How did such a seemingly simple email ruse get to be such big business in the world of cyber crime?

Today, most Internet users have heard about phishing or have already been affected by phishing to some extent. And while the term phishing has been discussed since as early as 1996, the world has not been able to rid itself from this phenomenon. Phishing is still easily one of the top threats on the Internet; its direct and indirect costs tax the global economy with billions of dollars in fraud losses every year.

Let’s take a look at how the phishing threat started and the ways in which it has evolved with attacks becoming more sophisticated and targeted over time.

The Humble Beginnings of Phishing

While there are conflicting accounts to the contrary, it’s believed the term ‘phishing’ was coined in 1996 by hackers who managed to steal America Online (AOL) accounts by coaxing username and passwords from unsuspecting users. At the time, hacked accounts were dubbed ‘phish’; within a year, ‘phish’ was actively being traded between hackers as a form of electronic currency that was of value to them.

‘Phishers’ used to go after compromised e-mail accounts in order to send out spam. In its early days, phishing was not aimed at stealing bank account information, nor was it financially driven at all. It was only when phishers realized that it was relatively easy to convince web users to divulge their passwords that they inevitably saw it as a way to monetize data. Now going beyond spam, phishers added a criminal layer to their activities and began thinking of ways to compromise more valuable credentials, especially those which afforded online access to bank accounts. Phishing became a fraudster’s gold rush.

The Evolution of Phishing

From the tactics to the targets, phishing has evolved rapidly in a relatively small amount of time.  Let’s take a look at the evolution of one of the longest-standing Internet threats.

The Ploys Changed

Every phishing attack begins with some sort of ploy. Regardless of the method of delivery of the phishing URL or the e-mail containing the phishing HTML page, the web user has to be convinced that he needs to go to that page for a reason valid enough to then part with personal and financial information.

Before: Initial phishing ploys delivered a hyperlink inside an e-mail, urging the potential victim to take immediate action. Most times, if action was not taken, the alleged consequence would be some sort of penalty (account suspension or closure).

Now: Recent ploys have kept the good old tale. An e-mail claims to have been sent from your bank, credit card issuer, or another important part of your life, urging victims to update certain information immediately or risk having their accounts closed or suspended. Newer ploys insert other human motivators into the mix:

  • Rewards: Tax refunds, lottery winnings.
  • Obligation: Fraudulent tax reporting.
  • Curiosity: ‘Look who has been searching for you’
  • Right the wrong: Fake order confirmations from known online merchants or shopping sites.

Look and Feel Upgraded

Before: Phishing pages were rather easy to identify: patchy and blurry-looking logos (copied from the genuine websites), broken hyperlinks, and erroneous data fields inside the pages were very common. Both phishing e-mails and pages contained numerous evident spelling and syntax errors.

Now: Although some phishing attacks today are still lacking in finesse, most new attacks create communications to potential victims that are almost identical to those of the targeted entity. Sophisticated phishing pages pull the genuine website’s HTML code directly from the source, making the replica look as good as the original and allowing the phisher to achieve the exact same look and feel victims would expect to see.

Phishing Campaigns Expanded

Phishers have advanced with the times. Today’s professional phishing perpetrators opt for modern-day evasion techniques to bypass spam filter mechanisms. Beyond sending spam or links, Local Pharming sends the victim to phishing pages, and DNS poisoning resolves the victim’s requests to phishing sites. Fraudsters even go to the length of Search Engine Optimization (SEO) poisoning in order to ensure that potential victims land on their phishing pages.

Phishing campaigns have also expanded their horizons in terms of the geographies and the number of worldwide brands they target.

Before: Phishing campaigns were delivered via e-mail spam.

Now: Recent phishing campaigns use a variety of delivery methods, moving away from e-mail and into Instant Messaging platforms (sending the URL from ‘friends’ with a message to access a link). Spam comments flood social networking sites, posted to friends’ “walls,” and spam messages are sent from alleged friend groups, urging users to access the URL. These ploys are used both for credential phishing and for malware infections.

Before: Phishing was sent via hijacked e-mail accounts.

Now: Phishing sent via spam botnets is capable of reaching billions of e-mails daily.

Before: The campaigns almost always communicated a message in English.

Now: Phishing campaigns have expanded and evolved into using at least 16 different languages.

Before: Phishing targeted a few major brands with a strong aim on financial institutions.

Now: Phishing expanded its horizons and now targets a steadily growing number of brands across geographic regions. The brand diversity has also increased, with attacks going after companies such as worldwide manufacturers, airlines, online auctions, and e-commerce shops and retailers, just to name a few.

The Average Phisher Changed

Successful phishing is no longer conducted by the same fraudsters one would imagine, sitting in a basement and launching small time attacks.  Phishing, and those who orchestrate its cycle, have become much more organized; today’s fraudsters embrace capitalism, making crime their business. For some, fraud is a full-time job and sole source of income.

Phishers study their market and make money by learning the weaknesses of others, leaving their victims and their victims’ service providers to pick up the tab. Anti-virus providers have noticed that phishers are most active during weekdays, with a noticeable drop in activity over the weekend, taking time to enjoy a day off like anyone working around the clock would.

From investing into more technical phishing kits, to paying for successful spam campaigns, to looking for collaborations, discounts and a proper ROI, phishers actively seek methods and measures to ensure maximum profitability.

The Targets of Phishing Changed

Before: Gullible Internet users; unaware and unsuspecting consumers were the ones who ‘fell’ for phishing more often.

Now: Phishing can be as sophisticated as making a savvy and aware individual fall for a well-crafted hoax e-mail. Some recent content sent to business people, either as spear-phishing scams or as spam, looked real enough that it could have incited even the most intelligent and discerning individuals to act upon the e-mail.

  • Example: Sending an order confirmation with full information on the order’s contents to someone who had never ordered the goods. The person’s first reaction would be to click the hyperlink and dispute the order.
  • Example: A hoax sent to military personnel asked them to click a link to confirm their attendance at an important retirement party; instead, it infected them with malware.

The Hosting Methods Evolved

A phishing attack can only exist once it reaches its destination audience and is ‘available’ for them to read and respond to. This is phish hosting. The hosting of attacks is probably the one aspect to have evolved most consistently, introducing new methods for keeping an attack alive.

Fraudsters have gone to great lengths to innovate in spoofing sites, exploiting content management systems, hijacking sites, using fast-flux proxies, bulletproof infrastructures, standalone attacks (using web form services to communicate stolen credentials), local HTML attack forms which open locally on the victim’s PC – all in the name of hosting phishing attacks that will not be easily blocked, detected or taken down.

Online vendors and the financial industry started taking phishing attacks a lot more seriously, developing measures to mitigate risks and fight back. The public has learned more and been made aware of phishing, repeatedly told by banks not to divulge their information and to be suspicious of any communication that requests them to enter their personal details.

Phishers are aware of the mechanisms being deployed to stop their attacks. So as not to let any of these deter them from their efforts to make more cash, phishers have been embracing web application security research and using discovered vulnerabilities to hijack websites and gain maximum exposure for each attack.

RSA has already reported vulnerability exploits made to ensure mass hijacking of otherwise legitimate websites for the purposes of hosting phishing pages (e107 exploits, WordPress vulnerability – which is still unpatched and exploited today). The more committed a phisher is, the more inclined he would be to pay for exploits to be programmed by professional malware authors and use crafty ways to deliver an attack, host it and have the credentials stolen and sent to his drop (either a drop e-mail address or a drop routed from the attack’s URL).

Before: Phishing pages requested the victim’s username and password.

Now: Phishing pages request that users enter elaborate data sets, now including secret questions, contact details, payment card data, numbers found on identification documents (SSN, driver’s license, passport number), and even demographic details: age, DOB, nationality.

Before: Phishing pages only contained the phish data fields designed to harvest information and forward it to the hands of the fraudster.

Now: Phishing pages also contain drive-by downloads or infection points for Trojans or exploit kits. Some phishing pages studied by RSA revealed a delayed-release type of operation, where a hijacked site began by displaying phishing, then added redirections to Trojan infection sites, and last, redirected users to explicit adult content sites harboring more malware.

Added Plug-ins

Older phishing kits were rather basic, often available free of charge, and almost always ‘bugged’ by their writer, who included hidden scripts designed to have him share in the impending credentials harvest.

Newer phishing kits have evolved into more robust code sold for money. Often, these elaborate kits are also the ones which include special plug-ins. Some of these plug-ins include:

  • A spam crawler designed to help the phisher create hefty spam lists through large webmail service providers
  • An MiTM feature designed to check the validity of just-harvested credentials against the genuine bank’s website (quality control)
  • A script add-on to collect the victim’s basic system specs (screen resolution, browser version, victim’s time zone)

RSA has already reported about a web-based interface which generated phishing pages, ready for use online. This interface was a one-stop-shop, managed by one administrator who had ‘subscribers’ register to the service, providing them with e-commerce phishing necessities.

*This post is reprinted from the RSA November 2011 Monthly Online Fraud Report