Feeds

Phishers use less strident subject lines to deliver new cunning attacks

'SECURITY ALERT' wasn't: 'Statement available' is

SANS - Survey on application security programs

The use of exploit kits is allowing phishing fraudsters to develop scams that only rely on tricking prospective marks into clicking a link, rather than submitting all their details to a bogus website.

Many recent phishing runs spotted by Trend Micro have made use of the notorious Blackhole Exploit kit. The hacker favourite is used to automate the process of mounting drive-by-download style attacks from compromised (often legitimate) websites. Blackhole preys on browser exploits, Adobe software bugs and most recently the latest Java vulnerabilities, a particular successful strategy since third-party software frequently goes without updates.

By using the exploit kit in phishing emails, cybercrooks move away from the tricky process of coaxing marks into submitting data to bogus websites, traditionally pulled off using a bogus security alert from their bank as a lure, to simply tricking users to open an email and click a link.

The shift means that the subject matter and tone of phishing emails is changing. In addition, the traditional security advice about phishing emails is becoming out-dated, Trend warns.

Phishing messages of yesterday typically screamed "security alert", while modern messages are more subtle and feature subject lines such as "Your statement is available online", "Incoming payment received" and "Password reset notification".

"In many cases these messages are identical to the legitimate messages sent by the legitimate organisation," Trend Micro warns. "Sometimes, the only difference between the legitimate version of the email and the phished version is the bad link".

The use of banking Trojans, spread using exploits and vulnerabilities, such as ZeuS and Cridex has been going on for years. Banking trojans developed using cybercrime toolkits look for activity such as logins to financial websites. As well as appearing on compromised legitimate website surfers are getting exposed to exploit toolkits via their in-boxes, thanks to a shift in tactics by e-banking fraudsters.

Trend's research, published on Thursday, documents changing tactics for spreading banking trojans as well as explaining how standard anti-phishing advice is no longer valid, a factor that make its white-paper Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs (PDF) worth reviewing.

Trend looked at more than 200 separate spam runs featuring in excess of 40 organisations during Q2 2012. The spam campaigns claim to be from legitimate companies such as Intuit, LinkedIn, the US Postal Service (USPS), US Airways, Facebook, and PayPal, among others. Compromised sites were used and reused from one attack to another. Exploit methods were the same and the botnet networks used in many cases were also similar. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.