Network News

X My Profile
View More Activity

Spear-Phishing Gang Resurfaces, Nets Big Catch

A prolific phishing gang known for using sophisticated and targeted e-mail attacks to siphon cash from small to mid-sized business bank accounts appears to be back in operation after more than a 5-month hiatus, security experts warn.

From Feb. 2007 to Jan 2009, analysts at Sterling, Va., based security intelligence firm iDefense tracked 38 separate phishing campaigns from am Eastern European gang they simply call "Group A." iDefense believes this group was one of two responsible for a series of successful phishing attacks that spoofed the U.S. Better Business Bureau (BBB), the U.S. Department of Justice, the IRS, as well as Suntrust and payroll giant ADP. Last summer, authorities in Europe and Romania are thought to have arrested most members of a rival BBB phishing gang that iDefense called Group B.

While the type of tricks that Group A employs once victims are hooked have grown more sophisticated, the initial lure used to snare people hasn't changed: In each attack, the scammers send out "spear phishing" e-mail messages (so called because they use the victim's name in the message) and urge the recipient to click on an attachment.

The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks. If the victim logs in to a bank that requires so-called two-factor authentication -- such as the input of a one-time pass phrase or random number from a supplied hardware token -- the Trojan re-writes the bank's Web page on the fly, inserting a form that requests the information. The attackers typically begin initiating wire transfers out of the victim accounts shortly after the credentials are stolen, said iDefense analyst Mike LaPilla.

"These guys are back with a bang, and they have a new Trojan that's totally different than before," LaPilla said.

Ironically, the lure used in the most recent spear-phishing attack by Group A is a message alerting the recipient that a wire transfer from their account was successful, with a note "please check the statement attached and let me know if everything is correct" (see image below for a screen shot of the message).


iDefense estimates that at least 880 people -- most of them employed at Fortune 500 and small- to mid-sized businesses in the United States -- have fallen for this latest scam, which began on June 4. Most reports of loss are in the high thousands to tens of thousands of dollars per victim, the company said.

Phishing attacks on small business owners can be extremely costly and devastating, targeted or otherwise. Consumers who bank online are covered by a statute called Regulation E, which generally holds the consumer harmless for money stolen from their accounts via cyber crime.

Business owners who fall for phishing scams, on the other hand, are not covered by this regulation, and will more than likely be out of luck if a scammer empties their business account. And in many cases, it can take only a few moments for that to happen: LaPilla said some versions of data-stealing malware now being used in conjunction with phishing attacks immediately send the attackers any stolen credentials via instant message.

Update, June 12, 12:22 p.m. ET: Someone pointed out that the SANS Internet Storm Center blog featured an item about this attack on June 4. Here is a link to that post.

By Brian Krebs  |  June 10, 2009; 6:11 PM ET
Categories:  Fraud , Latest Warnings , Safety Tips  | Tags: idefense, spear phishing  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Adobe Issues Security Updates for Reader, Acrobat
Next: Default Passwords Led to $55 Million in Bogus Phone Charges


Truly, if there was any doubt that Internet scams *do* have an economic impact on the U.S., this type of operation should remove that doubt and spur on significant and severe countermeasures.

Posted by: CB12 | June 12, 2009 2:02 PM | Report abuse

Yes, these costs spread throughout the entire economy and end up costing everyone in the US. When banks cover the losses, end-users end up footing the bill. Unfortunately, the better these scams get and more evolved they are, the more costs for everyone. These types of phishing scams are EVERYWHERE online and they continue to work.

This particular scam from 'Group A' is hitting more financially secure folks and hitting them hard. Usually phishing scams work much slower than this example. This scam provides an almost instant hit to the victim. These types of scams are extremely scary, because the victim really has no recourse when they realize they may have been doped. In a normal phishing scam, the scammers are after personal information to eventually steal from the victim. This takes time, and by the time the victim's identity is targeted for the theft, the victim could have placed a fraud alert/credit freeze on their credit reports. Find out what to do if you think you have been a victim of an average phishing scam here at

Definitely a scary scam. One to stay very far away from.

Posted by: SunDevilGolfer | June 15, 2009 12:15 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company