Rock Phish Gang Adds Crimeware Trojan to Arsenal
The Russian group, which is responsible for about half of all phishing attacks, is now doing browser-based drive-by attacks to load a variant of Zeus, a Trojan toolkit that sells online for $700.
"This is more than double the trouble," says RSA Security senior researcher Uriel Maimon.
Details of the latest Rock Phish twist:
"The victim is duped into visiting a phishing site. However, whether or not the victim surrenders his/her credentials into the site is irrelevant (many people click on phishing links but do not fill in meaningful information): with this new attack-twist, the victim will still be infected with a Trojan horse.
This is done via a technique called "drive-by infection," wherein a vulnerability in the victim's operating system, browser, or software is exploited in order to infect the victim without his/her knowledge (and much less his/her consent, or with the victim having to proactively download software). The vulnerabilities that are exploited in these situations are often unknown to the software vendors and therefore often not addressed, leaving the victims defenseless (just like your humble servant finds himself when in the company of a beautiful woman).
This particular case of drive-by infection was masked particularly well. The code that attempted to infect the machine was hosted on a domain named in such a way that it blatantly infringed on Google's trademark, but with the end-result that it made advanced users or heuristic security software more likely to allow content from the domain. The URL itself was also dynamically generated so blacklisting it or adding it to a trivial pattern match would fail.
* Photo credit: ToastyKen (Creative Commons 2.0)