APWG Reports Criminals Focusing on Financial Services and Succeeding
“These criminals are rapidly figuring out how the financial industry works, where there is big money and large transfers, so they can basically do large wires out of these accounts without setting off fraud alerts.” Linda McGlasson, Managing Editor, Bank Info Security, quoting Dave Jevans, Chairman of the APWG.
The Anti-Phishing Working Group (APWG) has published phishing activity trend reports for years. They recently released their report for Q3 2009. It is the result of their scanning more than 22 million unique PCs during the three month period — which seems like a useful sample size. More than 11 million of those PCs were infected with malicious software, and almost 16% (1.87 million) of those were infected with banking trojans or password stealers. Financial services security and risk management professionals need to keep this information front-of-mind as we deal with problem-solving across a broad spectrum of issues and situations.
I strongly recommend that you invest, or continue to invest creativity and sustained energy in ensuring that your security staff, as well as your entire workforce understand that “phishing” is (what APWG described as) a complicated “criminal mechanism employing both social engineering and technical subterfuge to steal” sensitive and valuable information. It is a “big deal” because it continues to be successful on a scale that delivers attractive profits to criminals at what continues to be minimal risk.
In its “3rd Quarter ‘09 Phishing Activity Trends Summary” the report included:
- Financial Services rose back to the top of most targeted industry sectors in Q3 after a brief displacement by Payment Services in Q1 & Q2 of 2009. 54% of all phishing targeted financial services during Q3, 2009 [Page. 7]
- Over the quarter, the proportion of crimeware‐specific (malicious code designed specifically against financial institutions’ customers) malware remained consistent, while data‐stealing malware rose. [See page 8]
- The number of rogueware variants fell as gangs turned to ransomware to extort money from users. [See page 9]
- The total number of infected computers in Q3, represented more than 48.35 percent of the total sample of scanned computers. [See page 10]
Overall, the criminal activity they describe in this report is composed of two high level components:
Social Engineering Component: Personal identity data and account credentials are prominent examples of their targets. Criminals are increasingly sophisticated in their social-engineering efforts using spoofed email that appears to come from legitimate businesses and agencies to direct financial services employees, as well as customers to counterfeit websites designed to trick the recipient into divulging identity (starting with user name-password pairs) and financial information.
Technical Component: Criminals plant malicious software (malware) onto PCs to steal credentials directly. This is often carried out using a combination of software and remote command-and-control systems to intercept user’s identity information — usually their login account name(s) and password(s). They use a variety of technical means to corrupt “local navigational infrastructures” — hosts files, DNS, or, look-alike or obfuscated target server names, to misdirect users to carefully-crafted counterfeit websites. Another approach to credential and other identity information is to employ phisher‐controlled or phisher-rented proxies used to monitor and intercept users’ keystrokes [See page 2 for more detail]. Because of the diversity of potent methods of employing malicious software, the APWG used to include monthly counts of ‘password‐stealing malicious code URLs’ and ‘password stealing malicious code unique applications’ in their reports. Their researchers have determined that this has “proven systematically unreliable.” In its place, they now report on “Detected Crimeware,” which they believe provides a “more precisely descriptive measure of malevolent code trends” [See page 8].
They define “crimeware attacks” as:
“…designed with the intent of collecting information on the end‐user in order to steal those usersʹ credentials. Unlike most generic keyloggers, phishing‐based keyloggers have tracking components which attempt to monitor specific actions (and specific organizations, most importantly financial institutions, online retailers, and e‐commerce merchants) in order to target specific information. The most common types of information are: access to financial‐based websites, ecommerce sites, and web‐based mail sites.”
They define “Malevolent Software” as:
- “Crimeware (data-stealing malicious code designed specifically to be used to victimize financial institutions’ customers and to co-opt those institutions’ identities);
- Data Stealing/Generic Trojans (code designed to send information from the infected machine, control it, and open backdoors on it);
- Other Malware (the remainder of malicious code commonly encountered in the field such as auto-replicating worms, dialers for telephone charge-back scams, etc.)” [Page 8]
Unless users understand that serious phishing is composed of many facets can we expect them to resist criminal’s efforts on this front. User-awareness and training is a sub-optimal solution to resisting criminal phishing attacks. It seems, though, to be an essential component of our risk-management plans on this front. The phish-resisting vendor technology and services are maturing, but they are still only a fraction — maybe even a small fraction — of what I believe would be a risk-appropriate level of due diligence in the financial services industry today.
The report also reports that:
- More than 300 brands per month were hijacked by phishing campaigns. [Page 3]
- More than 60% of malicious phishing web sites include some form of user’s intended target web site name in its URL. [Page 3]
- 98.7% of malicious phishing web sites use a hostname instead of just an IP address. [Page 3]
- 99.94% of malicious phishing web sites sites are accessed using HTTP via TCP port 80 (which needs to be “open” to support your Internet-enabled business activities). [Page 3]
- Criminals employ round 150 unique URLs to attack each targeted brand. [Page 5]
So, what should we make of all this? One way to view this is that it helps to explain what the FDIC was reporting about increasing thefts via electronic funds transfers (EFT) last year. In 2009, the Federal Deposit Insurance Corporation (FDIC) reported that it had detected an increase in the number of unauthorized electronic funds transfers (EFT) as well as an increase in the resulting direct financial losses. These EFTs were placed through automated clearing houses (ACH) and wire transfers. The FDIC also reported that in most of these cases, the fraudulent transfers were made using stolen credentials.
Credential theft is a big criminal business. It plays out in many ways. One way is a direct assault on financial services enterprises — because that is where so much money is concentrated. I believe that we need to continue increasing and fine-tuning our efforts to ensure that our leadership and our workforce understand what they are up against. In order to meet our threshold due diligence obligations, we are going to be making additional financial and human investments to resist these types of attacks. What do you think?
“Phishing Trends: Numbers up, Corporate Accounts Targeted Analyst: ‘I Think We’re in for a Challenging Year.'” January 27, 2010. By Linda McGlasson, Managing Editor, Bank Info Security.
“3rd Quarter ‘09 Phishing Activity Trends Summary.” By the Anti-Phishing Working Group.
“FDIC: Alert About Fraudulent Electronic Funds Transfers (EFTs).” August 26, 2009.