Attackers Sharpen Their Spear for Phishing Operations

Anthony Freed
By | January 16, 2013

Posted in: Network Security Trends

Typically, cyber criminals engaged in phishing operations have cast wide nets designed to ensnare as many victims as possible, then proceeded to sort out the high value targets from the rest. But these sorts of large-scale attempts leave the attackers more prone to discovery, and thus their operations may in turn be less successful. The longer their campaigns can go undetected, the higher the chances they will catch bigger fish. That's the idea behind "bouncer list phishing" - a method of targeting that allows phishers to focus their operations on a select group of individuals, prevent attacks on non-targeted entities, and vastly improve the outcomes from their endeavors.

With this method, when potential victims attempt to access a malicious webpage, they are cross-referenced with a preferred target list established by the attackers prior to initiating the campaign. Those who are not included on the target list are merely redirected away from the malicious webpage, usually to a “404 page not found” error message. In contrast to the broader IP address blocking techniques that have been used in other phishing operations to hone the attacks, bouncer list phishing sorts out the potential victims with a form of target whitelisting.

"When victims access the phishing link, their name has to be on the list and their 'ID' value is verified on-the-fly as soon as they attempt to browse to the URL. After a scan of the 'bouncer list', unintended visitors are stirred away from the phishing page; in fact, the page is not even generated for eyes it was not meant for," wrote Limor Kessem, a Cybercrime and Online Fraud Communications Specialist with RSA.

Those who are on the whitelist have a different experience. They are presented with a malicious webpage from the compromised website being employed in the attack where their login credentials are harvested.

"With this tactic the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes. Keeping out uninvited guests also means avoiding security companies and prompt take-downs of such attacks," Kessem said.

While this change in tactics for targeting may seem to be a minor shift, it is nonetheless significant when considering the notable increase in phishing operations detected over the last year. Kessem pointed out that RSA researchers found that phishing attacks rose 59% year over year, up from 279,580 known attacks in 2011 to 445,004 in 2012, with an estimated cost of $1.5 billion dollars. Techniques designed to conceal better phishing operations, such as bouncer list phishing, create an additional challenge for the security industry.

"Modern-day phishing kits are written with increasing complexity and sophistication, authored by programmers who adapt the kits to the phisher’s needs. This new bouncer-list function is a perfect example of this trend," Kessem noted.

You May Also Be Interested In: