Spear-Phishing Gang Resurfaces, Nets Big Catch
A prolific phishing gang known for using sophisticated and targeted e-mail attacks to siphon cash from small to mid-sized business bank accounts appears to be back in operation after a hiatus of more than 5 months, security experts warn.
From Feb. 2007 to Jan. 2009, analysts at Sterling, Va.-based security intelligence firm iDefense tracked 38 separate phishing campaigns from an Eastern European gang they simply call "Group A." iDefense believes this group was one of two responsible for a series of successful phishing attacks that spoofed the U.S. Better Business Bureau (BBB), the U.S. Department of Justice, the IRS, as well as Suntrust and payroll giant ADP. Last summer, authorities in Europe and Romania are thought to have arrested most members of a rival BBB phishing gang that iDefense called Group B.
While the tricks that Group A employs once victims are hooked have grown more sophisticated, the initial lure used to snare people hasn't changed: In each attack, the scammers send out "spear phishing" e-mail messages (so called because they use the victim's name in the message) and urge the recipient to click on an attachment.
The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks. If the victim logs in to a bank that requires so-called two-factor authentication -- such as the input of a one-time pass phrase or random number from a supplied hardware token -- the Trojan re-writes the bank's Web page on the fly, inserting a form that requests the information. The attackers typically begin initiating wire transfers out of the victim accounts shortly after the credentials are stolen, said iDefense analyst Mike LaPilla.
"These guys are back with a bang, and they have a new Trojan that's totally different than before," LaPilla said.
Ironically, the lure used in the most recent spear-phishing attack by Group A is a message alerting the recipient that a wire transfer from their account was successful, with a note "please check the statement attached and let me know if everything is correct" (see image below for a screen shot of the message).
iDefense estimates that at least 880 people -- most of them employed at Fortune 500 and small- to mid-sized businesses in the United States -- have fallen for this latest scam, which began on June 4. Most reports of loss are in the high thousands to tens of thousands of dollars per victim, the company said.
Phishing attacks on small business owners can be extremely costly and devastating, targeted or otherwise. Consumers who bank online are covered by a statute called Regulation E, which generally holds the consumer harmless for money stolen from their accounts via cyber crime.
Business owners who fall for phishing scams, on the other hand, are not covered by this regulation, and will more than likely be out of luck if a scammer empties their business account. And in many cases, it can take only a few moments for that to happen: LaPilla said some versions of data-stealing malware now being used in conjunction with phishing attacks immediately send the attackers any stolen credentials via instant message.
Update, June 12, 12:22 p.m. ET: Someone pointed out that the SANS Internet Storm Center blog featured an item about this attack on June 4. Here is a link to that post.
June 10, 2009; 6:11 PM ET