This report, “Hacktivism and the Case of Something Phishy,” offers insight on the latest global phishing and cybercrime trends.

1. F R A U D R E P O R T
HACKTIVISM AND THE CASE
OF SOMETHING PHISHY
May 2013
While it is true that most cyber attacks orchestrated by hacktivists focus on DDoS
onslaughts targeting authority-type entities and banks, all too many times they add
a sting to the operation and hack into immense databases containing personal user
information.
On their quest for notoriety and media attention to make a statement, critics say that
hacktivists tend to cross the line when they publicly release untold amounts of data,
providing links to the trove and facilitating its free-for-all download.
Some hacktivists will call out every target on their list and post their threats publicly and
well in advance, while those targeted will prepare to fend off the attack and advise users
as needed. But at the end of the day, it is often the innocent online user that takes the
hardest hit when their information is leaked across the Internet.
HACKTIVISTS OUT, PHISHERMEN IN
In one of the largest hacks perpetrated in the name of hacktivist ideals, the end result,
beyond the damaged brand reputation of a multinational corporation, was a public leak
of account information belonging to nearly 25 million Sony Entertainment users. That was
about a third of a previous leak of over 70 million accounts, also inflicted by hackers
operating in the name of an opinion they formed and acted upon.
Taking the Sony case as just one example, because hacktivist cases such as these have
been increasingly plaguing the Internet, it is clear that the one party that did not expect
the hack – other than Sony, of course – were the millions of ordinary users whose data
was offered up freely thereafter. Those same users were also the ones who did not have
advisors, lawyers and information security experts to help them recover from the actual
and potential damages of the hack and its possible effects on their identities and
personal finances.

2. page 2
For fraudsters, the large-scale hacks are like candy. Hacktivists will set up publicly
available download links for anyone to be able to see the exposed databases,
their hunting trophy, and end their part there. But as soon as the links are public,
cybercriminals and fraudsters will access and download it before it is taken down
by the hosting authorities. By that time, the real damage to the end user is done.
Large hacks containing a database replete with email addresses, not to mention payment
cards or other financial data, are an attractive reward for phishers to come for and discuss
in underground communities. Instead of having to do their own hacking, collecting and
stealing, they can enjoy the spoils and bank on the “freshly” dumped data, compliments
of zealous hacktivists, paving a shortcut to a variety of fraud scenarios including:
–– Monetizing gaming account credentials by selling them to other gamers
–– Enjoying a list of valid email addresses to target with phishing spam
–– Leading potential victims to phishing and malware sites and getting paid per install
–– Harvesting financial information that can be sold to fraudsters and CC shops
–– Using leaked and stolen data for fraud and identity theft
–– Checking what other accounts a user has, because as recent research shows,
61% of accounts are set-up with passwords used on other consumer accounts.
It’s easy to see how an attack that stems from idealistic motivations, targeting very large
entities and supposedly conceived in order to protect people’s rights to information,
ends up serving the fraudsters and flooding the Internet with confidential data. With the
variety of actors that gain access to information publicly posted online, hacktivists end
up inadvertently damaging the very people whose interests they claim to represent.
CONCLUSION
The number of phishing attacks recorded monthly is known to vary, fluctuating upwards
and downwards, and there’s limited capability to forecast a trend that is so dependent on
fraudster resources. Although totals are often tricky to predict, some seasonal trends do
repeat every year such as the holiday shopping season when a rise in phishing is almost
expected. Adding to that list, we can include large database hacks that release the
information on millions of users into the wild. Phishing attacks in April 2013 have so far
only shown a moderate increase over the previous month, but with constant headlines
such as the recent announcement of over 40,000 Facebook accounts allegedly hacked,
we may just see a rise before the quarter is out.

3. page 3
Phishing Attacks per Month
In April, RSA identified 26,902 attacks
launched worldwide, marking a 10%
increase in attack volume from March.
Number of Brands Attacked
In April, 311 brands were targeted in
phishing attacks, marking a 20% increase
from last month. Of the 311 targeted
brands, 52% endured five attacks or less.
0
10000
20000
30000
40000
50000
60000
Source:RSAAnti-FraudCommandCenter
35558
37878
51906
59406
49488
35440
33768
41834
29581 30151
27463
24347
26902
Apr12
May12
Jun12
Jul12
Aug12
Sep12
Oct12
Nov12
Dec12
Jan13
Feb13
Mar13
Apr13
0
50
100
150
200
250
300
350
Source:RSAAnti-FraudCommandCenter
288
298
259
242
290
314
269
284
257
291
257 260
311
Apr12
May12
Jun12
Jul12
Aug12
Sep12
Oct12
Nov12
Dec12
Jan13
Feb13
Mar13
Apr13

4. page 4
Top Countries by Attack Volume
The U.S. remained the top country on the
chart, targeted with 46% of the total
phishing volume in April. The UK
accounted for 11% of the attack volume,
a 2% decline from March while South
Africa remained the same with 9% of
attack volume.
UKGermanyChinaCanadaSouth KoreaAustraliaa
United Kingdom 11%
U.S. 46%
India 8%
South Africa 9%
Canada 4%
Netherlands 4%
48 Other Countries 18%
US Bank Types Attacked
U.S. nationwide banks continued to be
targeted by the highest volume of phishing
attacks (73%) in April, while regional banks
saw a slight decline from 20% to 12%.
0
20
40
60
80
100
Source:RSAAnti-FraudCommandCenter
7% 20% 10% 11% 11% 9% 9% 12% 6% 15% 8% 17% 15%
11%
18%
12%
15% 15% 14% 14%
9% 15%
15% 23% 23% 12%
82% 62% 78% 74% 74% 77% 77% 79% 79% 70% 69% 60% 73%
Apr12
May12
Jun12
Jul12
Aug12
Sep12
Oct12
Nov12
Dec12
Jan13
Feb13
Mar13
Apr13

5. page 5
BIndiaNetherlandsCanadaItalyChinaS AfricaUS
Top Countries by Attacked Brands
U.S. brands were targeted by 29% of total
phishing volume in April, followed by
brands in the UK at 10%. Brands in India,
Australia and Brazil were collectively
targeted by 15% of phishing volume.
Top Hosting Countries
The U.S. remained the top hosting country
in April, hosting 47% of global phishing
attacks (down 4%). Germany, Canada, the
Netherlands, UK and Russia together
hosted just over 20% of additional volume. U.S. 47%
61 Other Countries 32%
Germany 6%
Canada 5%
Russia 3%
Netherlands 3%
United Kingdom 4%
BraIndiaNetherlandsCanadaItalyChinaS AfricaUSa
United Kingdom 10%
49 Other Countries 46%
U.S. 29%
Brazil 4%
India 7%
Australia 4%

6. www.emc.com/rsa
CONTACT US
To learn more about how RSA
products, services, and solutions help
solve your business and IT challenges
contact your local representative or
authorized reseller – or visit us at
www.emc.com/rsa
©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. MAY RPT 0513