Just when you thought phishers had exhausted all avenues of innovation, a new tactic has emerged in attacks against financial institutions, taking targeting and geo-filtering to new levels of precision. Dubbed bouncer list phishing by RSA Security, these attack kits are built off stolen email lists that are filtered for particular targets, such as a regional bank.
Each recipient is given a user ID value, and the attacker sends them a unique URL within the phishing email. While the filtering and targeting may be noteworthy, what’s innovative here is that anyone not on the attacker’s list who happens upon the phishing page without a valid ID is served a 404 “page not found” response; the attack page isn’t even rendered, making detection and blacklisting a challenge.
“We are qualifying millions of URLs on a daily basis. Landing on a 404 makes it a needle in a haystack and the needle is invisible,” said Daniel Cohen, head of business development for RSA’s online threats managed services. “But there are ways to detect attacks, such as tracking abuse mailboxes or seeing original emails being reported. But if you don’t have the original URL with ID, or the full phishing path, you can’t track this.”
RSA said it first spotted a bouncer list attack against a South African bank in which attackers were harvesting online banking credentials; all of the attacks RSA has monitored so far have been financially related but cautioned that there can be other applications for this type of attack against any industry and against any type of data.
“Unlike the usual IP-restricted entry that many older [phishing] kits used, this is a true black hat whitelist,” wrote RSA’s Limor Kessem in a blog post. “Traditional phishers like to cast as wide of a net as possible, but with this tactic, the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes. Keeping out uninvited guests also means avoiding security companies and prompt takedowns of such attacks.”
In the South African attack, more than 3,000 email addresses were phished, likely bought underground and collated from a few spam lists or data breach collections, RSA said. The lists are alphabetized and there are lists for each letter. When victims click on the link in the phishing email, their address must be on the pre-approved list and their ID value is verified in real time as they’re sent to the URL. Once verified, the attack generates an attack page where the victim is sent and asked to enter their credentials.
“We’ve seen attacks in the past do filtering of the victims using IP geo-filtering. The reason they do this: the attacker wants to get good targeted data,” Cohen said, adding that this particular campaign’s success rate was low, in the single digits. “They don’t want the whole world, just a geography. The mailing lists in this attack were filtered for just the co.za domain. There were files for every letter of the alphabet and all of those people were blasted.”
In addition, analysis of the kit showed that the attackers were having success hijacking legitimate websites vulnerable to WordPress plug-in vulnerabilities and using them as attack sites. Attackers upload a Web shell to the hijacked site and can manage their campaigns from there.
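The detection problem Cohen describes above (a bare URL without the per-recipient ID lands on a 404, so only reports carrying the original link are useful) can be turned into an abuse-mailbox triage routine. The following is an added example written for this article, not RSA’s tooling or anything from the kit: it extracts URLs from reported emails, identifies the per-recipient ID parameter, clusters reports into campaigns while keeping every full URL (with its ID) for verification, shows what a blacklist feed would see once the ID is stripped, and flags hosts whose path suggests a hijacked WordPress install. The parameter-name hints, the sample reports and the hostnames are all constructed for the example.

```python
"""
Abuse-mailbox triage for per-recipient ("bouncer list") phishing URLs.

Added example, not RSA's code. Given raw reported emails, extract URLs,
identify the per-recipient ID parameter, and group reports by campaign
(host + path + ID parameter name) while retaining every full URL with its
ID, because without the ID the landing page serves a 404 and the phishing
page cannot be reproduced, verified or submitted for takedown.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Heuristic parameter names for a per-victim token. These are assumptions
# made for the example; the article does not name the parameter the kit used.
ID_PARAM_HINTS = ("id", "uid", "user", "token", "key", "ref")

# Path fragments typical of a compromised WordPress site used as a host.
CMS_PATH_HINTS = ("/wp-content/", "/wp-includes/", "/wp-admin/")


def extract_urls(message):
    """Return all http(s) URLs found in a reported email body."""
    return URL_RE.findall(message)


def find_id_param(query_pairs):
    """Return (name, value) of the likely per-recipient ID parameter, or None.
    Prefers hinted names; otherwise falls back to the longest opaque token."""
    for name, value in query_pairs:
        if name.lower() in ID_PARAM_HINTS and value:
            return name, value
    opaque = [(n, v) for n, v in query_pairs if re.fullmatch(r"[A-Za-z0-9]{6,}", v)]
    if opaque:
        return max(opaque, key=lambda pair: len(pair[1]))
    return None


def campaign_key(url):
    """Campaign-level key: host, path and ID parameter name with the value removed,
    so reports from different recipients of one blast cluster together."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    id_param = find_id_param(pairs)
    return (parts.netloc.lower(), parts.path, id_param[0] if id_param else None)


def bare_url(url):
    """The URL with the per-recipient ID stripped: this is what a blacklist or
    URL scanner holds, and it is exactly the form the kit answers with a 404."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    id_param = find_id_param(pairs)
    remaining = [(n, v) for n, v in pairs if id_param is None or n != id_param[0]]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(remaining), parts.fragment))


def hosted_on_cms(url):
    """True when the path looks like a hijacked WordPress install."""
    return any(hint in urlsplit(url).path for hint in CMS_PATH_HINTS)


def triage(reports):
    """Group (reporter, body) pairs by campaign. Every full URL is kept so an
    analyst can load the page the way a listed recipient would see it."""
    campaigns = defaultdict(lambda: {"full_urls": [], "ids": set(),
                                     "reporters": set(), "cms_host": False})
    for reporter, body in reports:
        for url in extract_urls(body):
            pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
            id_param = find_id_param(pairs)
            entry = campaigns[campaign_key(url)]
            entry["full_urls"].append(url)
            entry["reporters"].add(reporter)
            entry["cms_host"] = entry["cms_host"] or hosted_on_cms(url)
            if id_param:
                entry["ids"].add(id_param[1])
    return dict(campaigns)


# Constructed sample reports (fictional hosts, recipients and tokens).
SAMPLE_REPORTS = [
    ("alice@example.co.za",
     "Please verify your account: http://hijacked-blog.example/wp-content/uploads/secure/login.php?id=a91f3c2b77"),
    ("bob@example.co.za",
     "Urgent notice http://hijacked-blog.example/wp-content/uploads/secure/login.php?id=0c44e7d9aa"),
    ("carol@example.co.za",
     "See http://other-site.example/verify?uid=Z12Q9P0LK&lang=en"),
]

if __name__ == "__main__":
    for key, entry in triage(SAMPLE_REPORTS).items():
        print(key, len(entry["ids"]), "ids,", len(entry["reporters"]), "reporters,",
              "cms host" if entry["cms_host"] else "other host")
```

Two of the three constructed reports share host, path and ID parameter name and therefore collapse into one campaign with two distinct IDs; the third forms its own. The point of `bare_url` is the mirror image: once the token is stripped, the two reports become a single URL that the kit will answer with a 404, which is why the triage keeps the full URLs rather than the normalized one.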
While admins need to keep up to date on patches for open source content management systems such as the WordPress installations being exploited here, experts said that user education must complement those efforts.
“The increased sophistication and prevalence of phishing kits underscore the need to train employees to recognize all types of phishing emails,” said Scott Greaux, vice president of product management and services at PhishMe. “A savvy user will be able to recognize the signs of a suspicious email – regardless of whether it’s from a phishing kit or is a traditional spear phish – and react appropriately. User education continues to be the key to defending the enterprise from phishing attacks.”