RSA, The Security Division of EMC (NYSE: EMC), has uncovered a new technique that combines phishing and Zeus Trojan attacks to steal personal information and spread financial crimeware.
- The RSA(SM) Anti-Fraud Command Center (AFCC) recently uncovered a new series of attacks from the Rock Phish group, launched in order to infect unsuspecting users with financial crimeware.
- The Rock Phish group is a set of criminals believed to be based in Europe who have been targeting financial institutions worldwide since 2004.
- Rock Phish attacks are estimated to account for more than 50% of phishing attacks world-wide and to be responsible for the theft of tens of millions of dollars from users' bank accounts. However, until now, the group has not deployed financial crimeware as part of its attack methodology.
- The new Rock Phish attacks combine both phishing techniques and crimeware. Victims of these phishing attacks not only have their personal data stolen -- but they are then also infected with the Zeus Trojan. Once infected, the Trojan is capable of stealing additional information, such as personal data transmitted while interacting with other websites.
- The attacks were detected by the RSA 24x7 Anti-Fraud Command Center with support from security analysts that work on RSA's FraudAction Anti-Trojan Service team. This experienced team of fraud analysts works to detect and qualify phishing sites, shut them down, deploy countermeasures, and conduct extensive forensic work to catch fraudsters and prevent future attacks.
- The team's phishing forensics expertise enabled the AFCC to trace the malware infection resources within these attacks. RSA's FraudAction Anti-Trojan Service analysts are very familiar with the Zeus Trojan: they closely track the distribution of this Trojan, and are often able to identify the propagation of Zeus variants before they are detected by most anti-virus software tools.
- The RSA Anti-Trojan Service mitigates Trojan threats by tackling the Trojan's communication channels -- including its infection, drop and 'command & control' points -- and the AFCC works to block the drop- zones. In this way, even if a user has already been infected with the Zeus Trojan, the Trojan will be unable to communicate with its drop- zone, rendering the attack much less effective.
- In addition, the source of the Zeus infection will be traced and shut down by the AFCC, and will not be usable in future phishing attacks.
- So far, RSA's FraudAction Anti-Trojan Service has detected more than 150 variants of the Zeus Trojan targeting customers of financial institutions and other organizations worldwide.