Fraud Report: RSA Monthly Online Fraud Report - March 2013
EMAIL ACCOUNT TAKEOVER TO IDENTITY TAKEOVER
March 2013
Phishing attacks are notorious for their potential harm to online banking and credit card
users who may fall prey to phishers looking to steal information from them. Compromised
credentials are then typically sold in the underground or used for actual fraud attempts
on that user’s bank/card account. Financial institutions have all too often been the most
targeted vertical with phishers setting their sights on monetary gain, followed by online
retailers and social networks.
Most understand the purpose of targeting financial institutions, but online retailers and
social networking sites? Why would a fraudster target them? In most cases, they use an
email address to authenticate their users’ identities, and they are not the only ones. Of
course the user is made to choose a password when opening any new online account,
but as research reveals, password reuse across multiple sites is a huge issue. A typical
user reuses the same password an average of six times, or the same password to access
six different accounts.
Phishing, Trojans And Email Access
Phishing campaigns have already been targeting webmail users for years now with
campaigns purporting to be Hotmail, Yahoo!, Gmail, and the spear-phishing flavor in the
shape of OWA (Outlook Web Access) for business users.
Trojan operators followed suit and have not remained oblivious to the potential that lies
in gaining control over victim identities through their email accounts. In fact, almost all
Trojan configuration files contain triggers to webmail providers as well as to social
networking sites. The purpose is to gain access to more information about potential
victims and ultimately take over their online identities.
[Figure: Spear Phishing. OWA phishing page designed to steal access credentials from
business email users]
Since email accounts are an integral part of user identities online, they have also become
the pivotal access point for many types of accounts. When it comes to online retailers and
merchants, the email address is most often the username in the provider’s systems or
databases. When it comes to bank accounts, the customer’s email is where communications
and alerts are sent, and it sometimes even serves as part of transaction verification.
Beyond the fact that email is part of customer identification and point of communication,
the compromise of that account by a cybercriminal can have more detrimental effects.
Email takeover may mean that a hostile third party will attempt, and sometimes succeed,
to reset the user’s account information and password for more than one web resource,
eventually gaining access to enough personal information to enable complete
impersonation of the victim.
Although some webmail providers use two-factor authentication for account password
resets (such as Gmail’s Authenticator), most don’t, thereby inadvertently making it
simpler for criminals to access and sometimes attempt to reset access to accounts.
Fraudsters will typically probe the account for more information and sometimes lock it
(by changing the password) in order to prevent the genuine user from reading alerts
after a fraudulent transaction was processed on one of their accounts.
Email Access = Money?
Since email is a convenient way for service providers to communicate with untold
numbers of customers, online merchants will, in the name of ease of use, reset account
credentials via email. Hence, if a cybercriminal is in control of the email account, they will
also gain control over the user’s account with that merchant.
From there, the road to e-commerce fraud shortens considerably, either using that
person’s financial information, or attaching a compromised credit card to that account
without ever having to log into their bank account in order to access their money, and in
that sense, email access equals money.
Another example is transportation companies, which are part of any online purchase, and
those that provide shipping services to companies as well as governmental offices. They also
use email addresses as their users’ login identifiers and will reset the account via email.
A takeover of a user’s email account in this scenario will also mean takeover of that
person’s/business’ service account with the transport provider. For fraudsters, this type
of access translates into purchasing labels for their reshipping mules, charging
shipments to accounts that don’t belong to them, and providing an easier route to
reship stolen goods and even reroute existing orders.
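To make the reset-via-email chain concrete (and the two-factor point made under Phishing, Trojans And Email Access), here is an added Python model that is not part of RSA's report: an email-only reset policy beside one that demands a second factor held outside the mailbox. The service names, the address, the "device-code" factor and the scenario are constructed; real TOTP verification is assumed away in favour of a constant-time comparison of a device-held code.

```python
import hmac
import secrets


class Service:
    def __init__(self, name, require_second_factor):
        self.name = name
        self.require_second_factor = require_second_factor
        self.accounts = {}  # email -> {"password": ..., "second_factor": ...}
        self.pending = {}   # single-use reset token -> email

    def register(self, email, password, second_factor=None):
        self.accounts[email] = {"password": password, "second_factor": second_factor}

    def request_reset(self, email, inbox):
        # The reset link is sent to the address on file, so it lands in the mailbox.
        if email in self.accounts:
            token = secrets.token_urlsafe(16)
            self.pending[token] = email
            inbox.append((self.name, token))

    def complete_reset(self, token, new_password, second_factor=None):
        email = self.pending.pop(token, None)  # a token can be used only once
        if email is None:
            return False
        acct = self.accounts[email]
        if self.require_second_factor and (second_factor is None or
                not hmac.compare_digest(second_factor, acct["second_factor"])):
            return False  # the factor lives on the user's device, not in the mailbox
        acct["password"] = new_password
        return True


def accounts_exposed_by_mailbox_compromise(services, email):
    """Services whose account falls to a party who can only read the mailbox:
    each reset is completed with nothing but what arrived in the inbox."""
    inbox, exposed = [], []
    for svc in services:
        svc.request_reset(email, inbox)
        for name, token in inbox:
            if name == svc.name and svc.complete_reset(token, "attacker-chosen"):
                exposed.append(name)
    return exposed


def demo():
    """Constructed scenario: three accounts tied to one address, two reset policies."""
    merchant = Service("merchant", require_second_factor=False)
    shipper = Service("shipper", require_second_factor=False)
    bank = Service("bank", require_second_factor=True)
    for svc in (merchant, shipper, bank):
        svc.register("victim@example.com", "reused-password", second_factor="device-code")
    return accounts_exposed_by_mailbox_compromise([merchant, shipper, bank], "victim@example.com")
```

`demo()` returns the two email-only accounts; the bank account, whose reset also needs the device-held code, survives the mailbox compromise.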
Email Account Takeover And Online Banking
Email account takeover may appear benign at first sight, but in fact it is an insidious
threat to online banking users. The first issue with email account takeover (due to
credentials theft or a password reset) is that users re-use passwords. When fraudsters
steal a set of credentials, they will likely be able to use it to access additional accounts,
sometimes even an online banking account.
The second issue is that fraudsters will use victim email access for reconnaissance on
that person’s choice of financial services providers, bank account types, card statements
(paperless reports delivered via email), recent online purchases, alert types received from
the bank, contact lists (often including work-related addresses), social networking profile
and more.
How Risky Is Email Account Takeover?
Email account takeover can be a route to identity theft that requires access only to what
is perhaps the least secure part of the online identity used by financial and other
organizations, and email is one of the least obvious elements that can facilitate
online fraud scenarios.
Email addresses can serve as a “glue” that binds many parts of a person’s online identity,
connecting a number of different accounts that interlink. A typical online banking
customer may use a Gmail address with their bank account, use that same address for a
PayPal account, shop on eBay using that address, and receive their card statements at
that address from their card issuer. All too often, that address is also their Facebook
access email, where they have saved their phone number, stated where they work and
for how long, and mentioned a few hobbies.
CONCLUSION
Account hacks of this type happen all the time, and often make the headlines in the
media. In some cases, there are a few hundred potential victims while in others, there are
millions. The value of an email address to a cybercriminal should not be underestimated.
This element of an online identity must be treated with added caution by all service
providers that cater to consumers.
The line between ease of access and user experience always runs very close to security
red lines, but sometimes very slight changes in how much weight a customer’s email
account carries in overall account access can turn a fraud attempt into a failed
fraud attempt.
Phishing Attacks per Month
[Chart: phishing attacks per month, Feb 12 through Feb 13 (y-axis 0 to 60,000). Source:
RSA Anti-Fraud Command Center]
In February, RSA identified 27,463 phishing attacks launched worldwide, marking a 9%
decrease from January. The overall trend in attack numbers when looking at it from an
annual view shows slightly lower attack volumes through the first quarter of the year.
Number of Brands Attacked
[Chart: number of brands attacked per month, Feb 12 through Feb 13 (y-axis 0 to 350).
Source: RSA Anti-Fraud Command Center]
In February, 257 brands were targeted in phishing attacks, marking a 12% decrease
from January. Of the 257 targeted brands, 48% endured five attacks or less.
US Bank Types Attacked
[Stacked bar chart: share of U.S. phishing attacks by bank type, Feb 12 through Feb 13.
Source: RSA Anti-Fraud Command Center. Values recovered from the bar labels; the legend
was not extracted, so only the two series the text names are labelled.]
Month    Nationwide   Regional   Third series
Feb 12   76%          21%         3%
Mar 12   58%          30%        12%
Apr 12   82%          11%         7%
May 12   62%          18%        20%
Jun 12   78%          12%        10%
Jul 12   74%          15%        11%
Aug 12   74%          15%        11%
Sep 12   77%          14%         9%
Oct 12   77%          14%         9%
Nov 12   79%           9%        12%
Dec 12   79%          15%         6%
Jan 13   70%          15%        15%
Feb 13   69%          23%         8%
U.S. nationwide bank brands were the prime target for phishing campaigns – with 69% of
total phishing attacks – while regional banks saw an 8% increase in phishing attacks in
February.
Top Countries by Attack Volume
[Pie chart, share of February phishing volume by targeted country: U.S. 54%, United
Kingdom 14%, Canada 5%, India 4%, South Africa 3%, 41 other countries 20%]
The U.S. remained the country that suffered a majority of attack volume in February,
absorbing 54% of the total phishing volume. The UK, Canada, India, and South Africa
collectively absorbed about one-quarter of total phishing volume in February.
Top Countries by Attacked Brands
[Pie chart, share of February phishing volume by country of attacked brand: U.S. 30%,
United Kingdom 10%, Brazil 4%, Australia 4%, China 4%, Canada 4%, Italy 3%, India 3%,
38 other countries 37%]
In February, U.S. brands were targeted by 30% of phishing volume – continuing to remain
the top country by attacked brands. Brands in Brazil, Italy, India, Australia, China and
Canada were each respectively targeted by 4% of phishing volume.
Top Hosting Countries
[Pie chart, share of February phishing attacks by hosting country: U.S. 44%, Germany 5%,
United Kingdom 5%, Canada 4%, Russia 3%, Brazil 3%, Chile 3%, 54 other countries 33%]
In February, the U.S. hosted 44% of global phishing attacks (down 8%), while the UK and
Germany each hosted 5% of attacks. Other top hosting countries in February included
Canada, Russia, Brazil and Chile.