According to research posted on the RSA blog, the Russian gang known as Rock Phish has advanced its attacks. Sites created by the gang now serve malware in the background, without any action required by the visitor. These drive-by-download attacks add a new dimension to the group's already notorious phishing campaigns.
(Image: J.Anderson) Rock Phish...Russian criminals or groovy hippies?
Not much is known about the Rock Phish group. They are believed to hail from Russia and are often linked to several phishing campaigns and other criminal activities. The problem is that while they do their fair share of dirty deeds, copycats mimic their patterns, making it almost impossible to count the crimes the group itself has pulled off. They were the first gang to use botnets in phishing attacks to prolong their campaigns, and they are innovators in spam-filter evasion.
Uriel Maimon, Senior Researcher in the Office of the CTO at RSA, posted a write-up on the new attacks.
“The victim is duped into visiting a phishing site. However, whether or not the victim surrenders his/her credentials into the site is irrelevant (many people click on phishing links but do not fill in meaningful information): with this new attack-twist, the victim will still be infected with a Trojan horse,” Maimon said.
The process, drive-by downloading, exploits vulnerabilities in the user's operating system. The site probes the visiting machine; if a vulnerability is found, it is exploited to download malware onto the system. The user needs only to visit the site to fall victim to the attack.
“This particular case of drive-by infection was masked particularly well. The code that attempted to infect the machine was hosted on a domain named in such a way that it blatantly infringed on Google's trademark, but with the end-result that it made advanced users or heuristic security software more likely to allow content from the domain. The URL itself was also dynamically generated so blacklisting it or adding it to a trivial pattern match would fail.”
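Maimon's point is that the hostname, not the ever-changing URL, is the stable signal: a domain that merely contains a trusted brand's name is not that brand. The following is an added example (not code from the RSA post) of a hostname-level check run over constructed proxy log lines; the log format, the `BRAND_DOMAINS` allowlist and the sample hosts are all assumptions for the illustration.

```python
from urllib.parse import urlsplit

# Brands whose name in a hostname should only ever resolve to their own
# registrable domains. Constructed allowlist for this example; extend it
# with the domains you actually trust.
BRAND_DOMAINS = {
    "google": {"google.com", "googleapis.com"},
}

def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. No public-suffix list is used, so
    'example.co.uk'-style suffixes are not handled; enough for the illustration."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def brand_impersonation(url: str):
    """Return the impersonated brand if the hostname embeds a brand name but its
    registrable domain is not one of that brand's legitimate domains, else None.
    The URL path is deliberately ignored: it is the part attackers regenerate."""
    host = urlsplit(url).hostname or ""
    reg = registrable_domain(host)
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            return brand
    return None

# Constructed sample proxy log lines: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2008-03-01T10:00:01 10.0.0.5 GET http://www.google.com/search?q=test
2008-03-01T10:00:02 10.0.0.5 GET http://google-update.example-cdn.net/s/x9f2k1/load.js
2008-03-01T10:00:03 10.0.0.7 GET http://mail.google.com/
2008-03-01T10:00:04 10.0.0.7 GET http://static.googleapis.com/x.js
2008-03-01T10:00:05 10.0.0.9 GET http://www.google.com.login-check.example.org/a/77qz.php
"""

def scan_log(log_text: str):
    """Return (client_ip, url, brand) for every request to a brand-impersonating host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash the scan
        client, url = parts[1], parts[3]
        brand = brand_impersonation(url)
        if brand:
            hits.append((client, url, brand))
    return hits

if __name__ == "__main__":
    for client, url, brand in scan_log(SAMPLE_LOG):
        print(f"{client} fetched content from a host impersonating {brand}: {url}")
```

The two flagged lines are the ones where "google" appears somewhere in the hostname but the registrable domain belongs to someone else, which is exactly the pattern that fooled trust heuristics keyed on the brand name.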
The Trojan used in the attack is called Zeus. According to the RSA blog, Zeus is annoying and malicious. Kits that include Zeus sell online for about $700, a cost some criminals, including the Rock Phish group, find worthwhile. “In the past 6 months RSA's Anti-Fraud Command Center has detected more than 150 different uses of the Zeus kit, each one infecting on average roughly 4,000 different computers a day.”
“The kit purchased is a binary generator. Each use creates a new binary file, and these files are radically different from each other -- making them notoriously difficult for anti-virus or security software to detect. To date very few variants have had effective anti-virus signatures against them and each use of the kit usually makes existing signatures ineffective,” Maimon said.
Drive-by downloading is a fairly recent tactic among online criminals, but there are ways to avoid it. One example is NoScript, a popular browser add-on that will prevent these attacks or, at the least, alert the user to potential threats.