SlideShare une entreprise Scribd logo

RSA Monthly Online Fraud Report – April 2014

E
EMC

The RSA Monthly Online Fraud Report ( titled : The current state of Cybercrime 2014 : Global Malware outlook ) examines the latest global phishing and cybercrime trends.

TechnologieActualités & Politique
1  sur  5
Télécharger pour lire hors ligne
page 1R S A M O N T H LY F R A U D R E P O R T F R A U D R E P O R T THE CURRENT STATE OF CYBERCRIME 2014: GLOBAL MALWARE OUTLOOK April 2014 APT ATTACKS REMAIN UNABATED AND POS MALWARE ATTACKS BECOME COMMON Cybercriminals are finding sophisticated new ways to make botnets stealthier and more durable, and to shield the data stolen during attacks. At the same time, they’re also generating significant returns from unsophisticated hit-and-run POS malware attacks. Cyber-espionage attacks continue to occur with tactics that are largely unchanged and new players in the space being identified. Stealthier, more durable botnets Botnets are used by fraudsters, cybercriminals and hacktivists to host their infrastructure and launch attacks such as DDoS to bring down the websites of banks, government agencies and other high-profile organizations. The large number of zombie computers in a typical botnet means an attack will move around, making it difficult to find the source and shut the attack down. Even so, cybercriminals are developing even more robust botnets that can remain active for longer before being discovered. –– Botnets are being created that behave as similarly as possible to legitimate software and take considerable time and effort to detect. This has changed the way defenders focus their efforts, such as detecting when an infected computer communicates with a domain that’s been used for cybercrime in the past. –– Hosting a botnet’s command-and-control center in a Tor-based network (where each node adds a layer of encryption as traffic passes) obfuscates the server’s location and makes it much harder to take it down.
page 2R S A M O N T H LY F R A U D R E P O R T –– Cybercriminals are building more resilient peer-to-peer botnets, populated by bots that talk to each other, with no central control point. If one bot (or peer) in a peer-to-peer botnet goes down, another will take over, extending the life of the botnet using business continuity techniques. –– An alternative business continuity–led approach involves controlling a botnet from a mobile device using SMS messages. For example, some have speculated that the cyber attack on South Korean banks in early 2013 may have been a multi-vector attack that involved Android phones located in China, Korea or both1 . With this type of botnet, if the primary command-and-control center gets shut down, the cybercriminal can redirect the botnet to an alternative center via SMS. Attackers shield stolen data The cybercrime world is like an arms race: cybercriminals pursue a course of action until the defenders work out how to combat it, at which point the cybercriminals change tack. An example of this is the use of password-protected zip files by APT attackers to exfiltrate stolen data. The challenge for the defender is to crack the password on the zip file to see what was taken. Because attackers tend to work from a script or within a structured framework, they will often reuse a password, enabling the defender to link attacks and open subsequent zip files with ease. Once the attacker realizes they’ve been rumbled, they’ll change something about their process in order to regain the upper hand — for example, switching from zip files to rar files (which are more difficult to crack), or using asymmetric encryption algorithms that are harder for defenders to reverse engineer. This results in the defender losing the ability to identify the stolen data and establish relationships between attacks, until he or she manages to crack the next one. Cyber espionage attacks Cyber espionage attacks have continued unabated in the last, with attack methodology largely centering around spear phishing attacks, in which specific internal personnel are targeted with documents containing malicious Trojans to allow the attacker to establish a foothold in the network. Also popular last year were “Watering Hole2 ” attacks, or strategic web compromise, in which the attacker compromises a website that is of business interest to a target and uses it as an exploit platform to intrude into the target network. Attacker malware varies in sophistication, but simple methods continue to be successful for the most part. While the frequency of reported incidents appears to have increased, this is likely due to a move towards intelligence-driven detection, rather than an actual increase in attacks. Additionally, new nation-state players such as the “Hangover” campaign3 out of India and the “Snake” campaign4 in Russia have made recent headlines and caused a shift in viewing cyber espionage as a threat originating from specific regions to a more global one. Hit-and-run POS malware attacks Hit-and-run attacks are carried out against retailers using point-of-sale (POS) malware, much of which is based on the free-to-use leaked code for Dexter and Alina malware. ChewBacca, which was uncovered by RSA in January 2014, and BlackPOS are other well-known examples of POS malware. This type of malware infects POS terminals, scraping the terminals’ memory for the payment card and personal data — customers’ names, card numbers, expiration dates and card verification value (CVV) information — that can be used to clone cards. 1 Source: RSA Firstwatch blog “Tales From the Darkside: Mobile Malware Brings Down Korean Banks”, March 2013 (https://community.emc.com/community/connect/rsaxchange/netwitness/ blog/2013/03/21/tales-from-the-darkside-mobile-malware-brings-down-korean-banks) 2 https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/ 3 http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack- Infrastructure_FINAL_Web.pdf 4 http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
page 3R S A M O N T H LY F R A U D R E P O R T POS malware does this by searching for simple regular expressions for card magnetic stripe data. When a card number is found, it is extracted and logged. Even when a retailer is compliant with PCI DSS, unless data is encrypted or tokenized at the moment of capture at the POS terminal, there’s a short window of opportunity during which it can be stolen in readable form. This type of POS malware was used during the very high-profile attack against several large retailers late last year that affected tens of millions of card holders. The cost to financial institutions has so far been estimated at over $200m, and that only takes into consideration expenses for actions such as notification and card reissuance. That still does not account for fraudulent purchases making it a figure that is likely to increase in the long term. These attacks have mainly been confined to countries such as the U.S., where EMV technology is not yet in widespread use. Referral abuse malware Some common breeds of malware were on the rise for inciting referral abuse in 2013. The malware is custom-designed to target corporations that pay cash to affiliate referrers for each installation of the target’s software. This type of customized malware is written specifically to install software on a victim PC under a referrer’s identity, make the infected machine click on ads that pay pennies per click, and direct it to purchase “likes” on social media. In August 2013, RSA Research discovered a variant of the Zbot Trojan being used in referral abuse5 . The typical charter of Zbot has been to attempt to swipe passwords, but this variant was also programmed to check for availability of Instagram usernames – likely in an effort to create an army of fake Instagram users that can be sold as followers to help individual users or businesses create an image of popularity. The same Zbot variant was also capable of SEO poisoning to help boost keyword rankings, likely in an effort to push its own content to the top of search engine results. These rank-abuse promoted pages often contain malicious content to spread additional malware. t2014 OUTLOOK: Malware Continues to Spawn New Waves of Attacks From POS malware to referral abuse, cybercriminals are continually in search of new approaches to monetize their bots. At the same time they seek to spawn new attacks, they are also creating more bulletproof infrastructure on the backend. They are moving their infrastructure to P2P and Tor-based networks to evade detection. They are changing the methods they use to mask stolen data, making it more difficult for researchers to reverse engineer and understand the methods being used behind prominent cyber attacks. Advancements in cybercrime technology and infrastructure will only continue. For example, given the computing power contained in a smartphone and criminals’ willingness to adopt new technology, it is likely we will witness more mobile-phone-based botnets and command-and-control centers over the coming year. Also, with the scale of several high-profile data breaches, we are likely to see a shift in the U.S. market towards adoption of EMV payment cards. It will be slow, but 2014 will be a pivotal year in making the move. Regulations such as PCI-DSS will be re-evaluated and lead to stricter guidance for retailers to implement encryption or tokenization at the point of sale. Until there is a major industry change, there is little reason to expect criminals to stop using POS malware–based attacks against retailers, given the enormous returns that are possible from this relatively unsophisticated, easy-to-obtain malware. 5 https://blogs.rsa.com/new-zbot-variant-builds-instagram-army/
page 4R S A M O N T H LY F R A U D R E P O R T Phishing Attacks per Month RSA identified 42,537 phishing attacks in March, marking a 15% increase from February’s attack numbers. This also represents a 75% increase from the number of attacks a year ago. US Bank Types Attacked Nationwide banks continued to be the most targeted by phishing with 61% of total volume in March, while regional banks saw a sharp spike in attacks – jumping from 5% to 30% compared to February. Top Countries by Attack Volume The U.S. remained the most targeted country in March with an overwhelming 67% of global phishing volume, followed by the UK, the Netherlands, and India. 42,537 Attacks Credit Unions Regional National 67% 10% 6% 3% Netherlands India UK U.S. APRIL 2014 Source: RSA Anti-Fraud Command Center
www.emc.com/rsa CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa Top Countries by Attacked Brands Over 50% of phishing attacks in March were targeted at brands in the U.S., UK, India, Australia and Canada. Top Hosting Countries The U.S. hosted 34% of global phishing attacks in March, followed by Germany, the Netherlands, Italy and Turkey. ©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. APR RPT 0314 9% U.S. UK 28% 5% 5%7% 34% GLOBAL PHISHING LOSSES MARCH 2014

Recommandé

Analyst Report: Clearing the Clouds
Analyst Report: Clearing the Clouds Analyst Report: Clearing the Clouds
Analyst Report: Clearing the Clouds
EMC
 
Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore! Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore!
EMC
 
EMC Greenplum Database version 4.2
EMC Greenplum Database version 4.2 EMC Greenplum Database version 4.2
EMC Greenplum Database version 4.2
EMC
 
8.presentatie bedrijven.110708js
8.presentatie bedrijven.110708js8.presentatie bedrijven.110708js
8.presentatie bedrijven.110708js
CMBenard
 
Gdp and economic indicators
Gdp and economic indicatorsGdp and economic indicators
Gdp and economic indicators
Travis Klein
 
Tumanyan
TumanyanTumanyan
Tumanyan
tatevabrahamyan
 
Louise Bourgeois
Louise BourgeoisLouise Bourgeois
Louise Bourgeois
Dax Vorona
 
Conditions for Stretched Hosts Cluster Support on EMC VPLEX Metro
Conditions for Stretched Hosts Cluster Support on EMC VPLEX MetroConditions for Stretched Hosts Cluster Support on EMC VPLEX Metro
Conditions for Stretched Hosts Cluster Support on EMC VPLEX Metro
EMC
 

Recommandé

Analyst Report: Clearing the Clouds
Analyst Report: Clearing the Clouds Analyst Report: Clearing the Clouds
Analyst Report: Clearing the Clouds
EMC
 
Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore! Your Data Center Boundaries Don’t Exist Anymore!
Your Data Center Boundaries Don’t Exist Anymore!
EMC
 
EMC Greenplum Database version 4.2
EMC Greenplum Database version 4.2 EMC Greenplum Database version 4.2
EMC Greenplum Database version 4.2
EMC
 
8.presentatie bedrijven.110708js
8.presentatie bedrijven.110708js8.presentatie bedrijven.110708js
8.presentatie bedrijven.110708js
CMBenard
 
Gdp and economic indicators
Gdp and economic indicatorsGdp and economic indicators
Gdp and economic indicators
Travis Klein
 
Tumanyan
TumanyanTumanyan
Tumanyan
tatevabrahamyan
 
Louise Bourgeois
Louise BourgeoisLouise Bourgeois
Louise Bourgeois
Dax Vorona
 
Conditions for Stretched Hosts Cluster Support on EMC VPLEX Metro
Conditions for Stretched Hosts Cluster Support on EMC VPLEX MetroConditions for Stretched Hosts Cluster Support on EMC VPLEX Metro
Conditions for Stretched Hosts Cluster Support on EMC VPLEX Metro
EMC
 
50 states
50 states50 states
50 states
Jazzyluv14
 
Slideshare
Slideshare Slideshare
Slideshare
ludmilaartish
 
Mit2 092 f09_lec05
Mit2 092 f09_lec05Mit2 092 f09_lec05
Mit2 092 f09_lec05
Rahman Hakim
 
The Industrial Internet@Work
The Industrial Internet@WorkThe Industrial Internet@Work
The Industrial Internet@Work
EMC
 
Wed greek contributions
Wed greek contributionsWed greek contributions
Wed greek contributions
Travis Klein
 
17 λειτουργια πεπτικου - ανιχνευση ουσιων
17 λειτουργια πεπτικου - ανιχνευση ουσιων17 λειτουργια πεπτικου - ανιχνευση ουσιων
17 λειτουργια πεπτικου - ανιχνευση ουσιων
Xristos Lyg
 
Swipp Brochure
Swipp BrochureSwipp Brochure
Swipp Brochure
Swipp
 
AEEF MLS - Market Report Q2 2015
AEEF MLS - Market Report Q2 2015AEEF MLS - Market Report Q2 2015
AEEF MLS - Market Report Q2 2015
Costin Ciora
 
English grammar
English grammarEnglish grammar
English grammar
Patricia de Borja
 
Jose esteves 1
Jose esteves 1Jose esteves 1
Jose esteves 1
Susana Valente
 
Insaat kursu-catalca
Insaat kursu-catalcaInsaat kursu-catalca
Insaat kursu-catalca
sersld54
 
Insaat kursu-tuzla
Insaat kursu-tuzlaInsaat kursu-tuzla
Insaat kursu-tuzla
sersld54
 
Tuesday marginal analysis
Tuesday marginal analysisTuesday marginal analysis
Tuesday marginal analysis
Travis Klein
 
教案分享 選出一樣的動物Ppt
教案分享 選出一樣的動物Ppt教案分享 選出一樣的動物Ppt
教案分享 選出一樣的動物Ppt
浩哲 武
 
RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...
RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...
RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...
EMC
 
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
EMC
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
EMC
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
EMC
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
EMC
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
EMC
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
EMC
 

Contenu connexe

En vedette

The Industrial Internet@Work
The Industrial Internet@WorkThe Industrial Internet@Work
The Industrial Internet@Work
EMC
 
Wed greek contributions
Wed greek contributionsWed greek contributions
Wed greek contributions
Travis Klein
 
17 λειτουργια πεπτικου - ανιχνευση ουσιων
17 λειτουργια πεπτικου - ανιχνευση ουσιων17 λειτουργια πεπτικου - ανιχνευση ουσιων
17 λειτουργια πεπτικου - ανιχνευση ουσιων
Xristos Lyg
 
Insaat kursu-catalca
Insaat kursu-catalcaInsaat kursu-catalca
Insaat kursu-catalca
sersld54
 
Insaat kursu-tuzla
Insaat kursu-tuzlaInsaat kursu-tuzla
Insaat kursu-tuzla
sersld54
 
Tuesday marginal analysis
Tuesday marginal analysisTuesday marginal analysis
Tuesday marginal analysis
Travis Klein
 
教案分享 選出一樣的動物Ppt
教案分享 選出一樣的動物Ppt教案分享 選出一樣的動物Ppt
教案分享 選出一樣的動物Ppt
浩哲 武
 

En vedette (15)

50 states
50 states50 states
50 states
 
Slideshare
Slideshare Slideshare
Slideshare
 
Mit2 092 f09_lec05
Mit2 092 f09_lec05Mit2 092 f09_lec05
Mit2 092 f09_lec05
 
The Industrial Internet@Work
The Industrial Internet@WorkThe Industrial Internet@Work
The Industrial Internet@Work
 
Wed greek contributions
Wed greek contributionsWed greek contributions
Wed greek contributions
 
17 λειτουργια πεπτικου - ανιχνευση ουσιων
17 λειτουργια πεπτικου - ανιχνευση ουσιων17 λειτουργια πεπτικου - ανιχνευση ουσιων
17 λειτουργια πεπτικου - ανιχνευση ουσιων
 
Swipp Brochure
Swipp BrochureSwipp Brochure
Swipp Brochure
 
AEEF MLS - Market Report Q2 2015
AEEF MLS - Market Report Q2 2015AEEF MLS - Market Report Q2 2015
AEEF MLS - Market Report Q2 2015
 
English grammar
English grammarEnglish grammar
English grammar
 
Jose esteves 1
Jose esteves 1Jose esteves 1
Jose esteves 1
 
Insaat kursu-catalca
Insaat kursu-catalcaInsaat kursu-catalca
Insaat kursu-catalca
 
Insaat kursu-tuzla
Insaat kursu-tuzlaInsaat kursu-tuzla
Insaat kursu-tuzla
 
Tuesday marginal analysis
Tuesday marginal analysisTuesday marginal analysis
Tuesday marginal analysis
 
教案分享 選出一樣的動物Ppt
教案分享 選出一樣的動物Ppt教案分享 選出一樣的動物Ppt
教案分享 選出一樣的動物Ppt
 
RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...
RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...
RSA Laboratories' Frequently Asked Questions About Today's Cryptography, Vers...
 

Plus de EMC

Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
EMC
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
EMC
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
EMC
 

Plus de EMC (20)

INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUDINDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
INDUSTRY-LEADING TECHNOLOGY FOR LONG TERM RETENTION OF BACKUPS IN THE CLOUD
 
Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote Cloud Foundry Summit Berlin Keynote
Cloud Foundry Summit Berlin Keynote
 
EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX EMC GLOBAL DATA PROTECTION INDEX
EMC GLOBAL DATA PROTECTION INDEX
 
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIOTransforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
Transforming Desktop Virtualization with Citrix XenDesktop and EMC XtremIO
 
Citrix ready-webinar-xtremio
Citrix ready-webinar-xtremioCitrix ready-webinar-xtremio
Citrix ready-webinar-xtremio
 
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
EMC FORUM RESEARCH GLOBAL RESULTS - 10,451 RESPONSES ACROSS 33 COUNTRIES
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
Modern infrastructure for business data lake
Modern infrastructure for business data lakeModern infrastructure for business data lake
Modern infrastructure for business data lake
 
Force Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop ElsewhereForce Cyber Criminals to Shop Elsewhere
Force Cyber Criminals to Shop Elsewhere
 
Pivotal : Moments in Container History
Pivotal : Moments in Container History Pivotal : Moments in Container History
Pivotal : Moments in Container History
 
Data Lake Protection - A Technical Review
Data Lake Protection - A Technical ReviewData Lake Protection - A Technical Review
Data Lake Protection - A Technical Review
 
Mobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or FoeMobile E-commerce: Friend or Foe
Mobile E-commerce: Friend or Foe
 
Virtualization Myths Infographic
Virtualization Myths Infographic Virtualization Myths Infographic
Virtualization Myths Infographic
 
Intelligence-Driven GRC for Security
Intelligence-Driven GRC for SecurityIntelligence-Driven GRC for Security
Intelligence-Driven GRC for Security
 
The Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure AgeThe Trust Paradox: Access Management and Trust in an Insecure Age
The Trust Paradox: Access Management and Trust in an Insecure Age
 
EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015EMC Technology Day - SRM University 2015
EMC Technology Day - SRM University 2015
 
EMC Academic Summit 2015
EMC Academic Summit 2015EMC Academic Summit 2015
EMC Academic Summit 2015
 
Data Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education ServicesData Science and Big Data Analytics Book from EMC Education Services
Data Science and Big Data Analytics Book from EMC Education Services
 
Using EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere EnvironmentsUsing EMC Symmetrix Storage in VMware vSphere Environments
Using EMC Symmetrix Storage in VMware vSphere Environments
 
Using EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBookUsing EMC VNX storage with VMware vSphereTechBook
Using EMC VNX storage with VMware vSphereTechBook
 

Dernier

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Dernier (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

RSA Monthly Online Fraud Report – April 2014

  • 1. page 1R S A M O N T H LY F R A U D R E P O R T F R A U D R E P O R T THE CURRENT STATE OF CYBERCRIME 2014: GLOBAL MALWARE OUTLOOK April 2014 APT ATTACKS REMAIN UNABATED AND POS MALWARE ATTACKS BECOME COMMON Cybercriminals are finding sophisticated new ways to make botnets stealthier and more durable, and to shield the data stolen during attacks. At the same time, they’re also generating significant returns from unsophisticated hit-and-run POS malware attacks. Cyber-espionage attacks continue to occur with tactics that are largely unchanged and new players in the space being identified. Stealthier, more durable botnets Botnets are used by fraudsters, cybercriminals and hacktivists to host their infrastructure and launch attacks such as DDoS to bring down the websites of banks, government agencies and other high-profile organizations. The large number of zombie computers in a typical botnet means an attack will move around, making it difficult to find the source and shut the attack down. Even so, cybercriminals are developing even more robust botnets that can remain active for longer before being discovered. –– Botnets are being created that behave as similarly as possible to legitimate software and take considerable time and effort to detect. This has changed the way defenders focus their efforts, such as detecting when an infected computer communicates with a domain that’s been used for cybercrime in the past. –– Hosting a botnet’s command-and-control center in a Tor-based network (where each node adds a layer of encryption as traffic passes) obfuscates the server’s location and makes it much harder to take it down.
  • 2. page 2R S A M O N T H LY F R A U D R E P O R T –– Cybercriminals are building more resilient peer-to-peer botnets, populated by bots that talk to each other, with no central control point. If one bot (or peer) in a peer-to-peer botnet goes down, another will take over, extending the life of the botnet using business continuity techniques. –– An alternative business continuity–led approach involves controlling a botnet from a mobile device using SMS messages. For example, some have speculated that the cyber attack on South Korean banks in early 2013 may have been a multi-vector attack that involved Android phones located in China, Korea or both1 . With this type of botnet, if the primary command-and-control center gets shut down, the cybercriminal can redirect the botnet to an alternative center via SMS. Attackers shield stolen data The cybercrime world is like an arms race: cybercriminals pursue a course of action until the defenders work out how to combat it, at which point the cybercriminals change tack. An example of this is the use of password-protected zip files by APT attackers to exfiltrate stolen data. The challenge for the defender is to crack the password on the zip file to see what was taken. Because attackers tend to work from a script or within a structured framework, they will often reuse a password, enabling the defender to link attacks and open subsequent zip files with ease. Once the attacker realizes they’ve been rumbled, they’ll change something about their process in order to regain the upper hand — for example, switching from zip files to rar files (which are more difficult to crack), or using asymmetric encryption algorithms that are harder for defenders to reverse engineer. This results in the defender losing the ability to identify the stolen data and establish relationships between attacks, until he or she manages to crack the next one. Cyber espionage attacks Cyber espionage attacks have continued unabated in the last, with attack methodology largely centering around spear phishing attacks, in which specific internal personnel are targeted with documents containing malicious Trojans to allow the attacker to establish a foothold in the network. Also popular last year were “Watering Hole2 ” attacks, or strategic web compromise, in which the attacker compromises a website that is of business interest to a target and uses it as an exploit platform to intrude into the target network. Attacker malware varies in sophistication, but simple methods continue to be successful for the most part. While the frequency of reported incidents appears to have increased, this is likely due to a move towards intelligence-driven detection, rather than an actual increase in attacks. Additionally, new nation-state players such as the “Hangover” campaign3 out of India and the “Snake” campaign4 in Russia have made recent headlines and caused a shift in viewing cyber espionage as a threat originating from specific regions to a more global one. Hit-and-run POS malware attacks Hit-and-run attacks are carried out against retailers using point-of-sale (POS) malware, much of which is based on the free-to-use leaked code for Dexter and Alina malware. ChewBacca, which was uncovered by RSA in January 2014, and BlackPOS are other well-known examples of POS malware. This type of malware infects POS terminals, scraping the terminals’ memory for the payment card and personal data — customers’ names, card numbers, expiration dates and card verification value (CVV) information — that can be used to clone cards. 1 Source: RSA Firstwatch blog “Tales From the Darkside: Mobile Malware Brings Down Korean Banks”, March 2013 (https://community.emc.com/community/connect/rsaxchange/netwitness/ blog/2013/03/21/tales-from-the-darkside-mobile-malware-brings-down-korean-banks) 2 https://blogs.rsa.com/lions-at-the-watering-hole-the-voho-affair/ 3 http://normanshark.com/wp-content/uploads/2013/08/NS-Unveiling-an-Indian-Cyberattack- Infrastructure_FINAL_Web.pdf 4 http://info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
  • 3. page 3R S A M O N T H LY F R A U D R E P O R T POS malware does this by searching for simple regular expressions for card magnetic stripe data. When a card number is found, it is extracted and logged. Even when a retailer is compliant with PCI DSS, unless data is encrypted or tokenized at the moment of capture at the POS terminal, there’s a short window of opportunity during which it can be stolen in readable form. This type of POS malware was used during the very high-profile attack against several large retailers late last year that affected tens of millions of card holders. The cost to financial institutions has so far been estimated at over $200m, and that only takes into consideration expenses for actions such as notification and card reissuance. That still does not account for fraudulent purchases making it a figure that is likely to increase in the long term. These attacks have mainly been confined to countries such as the U.S., where EMV technology is not yet in widespread use. Referral abuse malware Some common breeds of malware were on the rise for inciting referral abuse in 2013. The malware is custom-designed to target corporations that pay cash to affiliate referrers for each installation of the target’s software. This type of customized malware is written specifically to install software on a victim PC under a referrer’s identity, make the infected machine click on ads that pay pennies per click, and direct it to purchase “likes” on social media. In August 2013, RSA Research discovered a variant of the Zbot Trojan being used in referral abuse5 . The typical charter of Zbot has been to attempt to swipe passwords, but this variant was also programmed to check for availability of Instagram usernames – likely in an effort to create an army of fake Instagram users that can be sold as followers to help individual users or businesses create an image of popularity. The same Zbot variant was also capable of SEO poisoning to help boost keyword rankings, likely in an effort to push its own content to the top of search engine results. These rank-abuse promoted pages often contain malicious content to spread additional malware. t2014 OUTLOOK: Malware Continues to Spawn New Waves of Attacks From POS malware to referral abuse, cybercriminals are continually in search of new approaches to monetize their bots. At the same time they seek to spawn new attacks, they are also creating more bulletproof infrastructure on the backend. They are moving their infrastructure to P2P and Tor-based networks to evade detection. They are changing the methods they use to mask stolen data, making it more difficult for researchers to reverse engineer and understand the methods being used behind prominent cyber attacks. Advancements in cybercrime technology and infrastructure will only continue. For example, given the computing power contained in a smartphone and criminals’ willingness to adopt new technology, it is likely we will witness more mobile-phone-based botnets and command-and-control centers over the coming year. Also, with the scale of several high-profile data breaches, we are likely to see a shift in the U.S. market towards adoption of EMV payment cards. It will be slow, but 2014 will be a pivotal year in making the move. Regulations such as PCI-DSS will be re-evaluated and lead to stricter guidance for retailers to implement encryption or tokenization at the point of sale. Until there is a major industry change, there is little reason to expect criminals to stop using POS malware–based attacks against retailers, given the enormous returns that are possible from this relatively unsophisticated, easy-to-obtain malware. 5 https://blogs.rsa.com/new-zbot-variant-builds-instagram-army/
  • 4. page 4R S A M O N T H LY F R A U D R E P O R T Phishing Attacks per Month RSA identified 42,537 phishing attacks in March, marking a 15% increase from February’s attack numbers. This also represents a 75% increase from the number of attacks a year ago. US Bank Types Attacked Nationwide banks continued to be the most targeted by phishing with 61% of total volume in March, while regional banks saw a sharp spike in attacks – jumping from 5% to 30% compared to February. Top Countries by Attack Volume The U.S. remained the most targeted country in March with an overwhelming 67% of global phishing volume, followed by the UK, the Netherlands, and India. 42,537 Attacks Credit Unions Regional National 67% 10% 6% 3% Netherlands India UK U.S. APRIL 2014 Source: RSA Anti-Fraud Command Center
  • 5. www.emc.com/rsa CONTACT US To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa Top Countries by Attacked Brands Over 50% of phishing attacks in March were targeted at brands in the U.S., UK, India, Australia and Canada. Top Hosting Countries The U.S. hosted 34% of global phishing attacks in March, followed by Germany, the Netherlands, Italy and Turkey. ©2014 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. APR RPT 0314 9% U.S. UK 28% 5% 5%7% 34% GLOBAL PHISHING LOSSES MARCH 2014