RSA Monthly Online Fraud Report – May 2014
RSA MONTHLY FRAUD REPORT
MALWARE TOOLS FOR SALE ON THE OPEN WEB
May 2014
RSA Research, while investigating a Zeus Trojan sample, discovered an additional drop
server used by a fraudster who is offering a set of spyware tools for sale under the vendor
names TampStore and Crown Softwares.
The online store offers a number of software packages made up of sets of tools presented
openly as legitimate “spyware”, with individual package icons in different colors for each
of the products. These tools offer a number of features that may be illegal in many
regions, and are commonly used by malware developers to steal data from infected PCs.
The online store offers the following ‘products’:
–– TampZusa – stealer application for stealing information and images from browsers,
email clients, keylogging, screen captures, webcam, and messenger clients
–– TampStealer – same as TampZusa, with a few extra bonuses added to the package
(see feature list below)
–– TampKelogger Classic – a basic case-sensitive keylogger that can also record window
titles
–– TampKeylogger Premium – a full featured keylogger that also includes all the features
of the TampStealer
–– TampSpammer – a basic mass-mailer spamming application
Of all the listed products, the TampStealer appears to be the most complete package of
spyware tools. The following is a list of the features advertised in the online store.
TampStealer feature list:
–– Case sensitive keylogger
–– Print screen stealer (screen capture)
–– Webcam stealer
–– Browser password stealer – Opera, Chrome, Firefox, Safari, Internet Explorer, Netscape
–– Avira firewall bypass
–– Mass email dispatcher
–– Silent file downloaders
–– Multi-client remote administration
–– Send logs to FTP or PHP (PHP logger included in package)
–– FileZilla stealer
–– Stealer for the following email clients – Outlook, Windows Mail, Eudora, IncrediMail,
Netscape
–– Pidgin stealer (messenger client)
–– Icon changer application, including an icon package
The fraudster does not seem to be shy about advertising his wares on Facebook or
exposing numerous email addresses for himself in various forums and public social
networking sites. RSA has traced a number of entries posted by him in a Romanian
computer hacker forum as well as advertising his availability for hire in a web
programming forum.
Upon further investigation of the administration panel and log files of the
TampStealer application, RSA uncovered records of stolen login credentials. One
log file from the TampStealer application contained as many as 8,145 stolen login
records (see Figure 1 below).
CONCLUSION
Offering cybercrime software tools for sale is not new. However, advertising them out
on the open web and social networking sites like Facebook is quite unusual. This
particular software tool author does not seem to be afraid or concerned about
exposing his software or his email addresses to the general public. Such behavior
goes against the trend of pushing cybercriminal activity further underground as has
been witnessed by RSA over the last two years.
Phishing Attacks per Month
RSA identified 52,554 phishing attacks
in April, marking a 24% increase from
March’s attack numbers. Based on this
figure, RSA estimates phishing cost global
organizations $448 million in losses
in April.
US Bank Types Attacked
While nationwide banks continue to be
the most targeted by phishing with 58%
of total volume in April, regional banks have
continued to see an increase in volume
as well.
Top Countries by Attack Volume
The U.S. remained the most targeted
country in April with an overwhelming 76%
of global phishing volume, followed by the
UK, the Netherlands, and South Africa.
[Charts: Phishing Attacks per Month (52,554 attacks); US Bank Types Attacked (Credit Unions, Regional, National); Top Countries by Attack Volume (U.S., UK, Netherlands, South Africa)]
MAY 2014
Source: RSA Anti-Fraud Command Center
Top Countries by Attacked Brands
Over 50% of phishing attacks in March
were targeted at brands in the U.S., UK,
India, Italy and Canada.
Top Hosting Countries
The U.S. hosted 34% of global phishing
attacks in April, followed by Germany, the
Netherlands, and Italy.
Mobile Transactions and Fraud (Q1 ’14)
In Q1, 33% of banking transactions
originated in the mobile channel. Among
total transactions, 2% of all identified
fraud was from a mobile device.
[Charts: Top Countries by Attacked Brands; Top Hosting Countries; Mobile Transactions and Fraud (Q1 ’14); Global Phishing Losses, April 2014]