Phishers Use Bouncer List to Fix Scope on Targets

Researchers at RSA say phishers are using a new tactic to make sure only their targets are getting served with attack pages.

In the world of cyber-crime, even the list of people who made their way into an attacker's club of victims is getting exclusive.

Researchers at EMC's RSA security arm now say that phishers are adopting a new tactic to ensure that only certain targets are being hit. The technique is called "bouncer list phishing," and just like a VIP section at a nightclub, the goal is to keep out anyone who isn't invited.

It all starts, RSA explains, with an email list for each campaign.

"A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack," RSA's FraudAction Research Labs described in a blog post. "Here's the interesting part—much like a night club's bouncer list—any outsider attempting to access the phishing page is redirected to a '404 page not found' error message. Unlike the usual IP-restricted entry that many older kits used, this is a true—depending on how you look at it—black hat whitelist."

Once victims access the phishing links, their names and ID values are verified on the fly. After a scan of the "bouncer list," any unwanted visitors are turned away from the phishing page, while validated users will see an attack page generated by the phishing kit. The kit's code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials, RSA noted.

"After the kit collects victim credentials, it sends them to yet another hijacked Website (taken over using the exact same method of vulnerability exploit and Web-shell), where the password-protected attack page lies in wait to steal user credentials," the FraudAction team blogged.

The change in tactics poses a challenge to researchers, Daniel Cohen, head of business development for Online Threats Managed Services at RSA, told eWEEK.

"Receiving the full URL—that includes the victim's personal invite ID, or the generated URL of the phishing page—is now a big factor," he said. "If vendors only receive the partial URL, loading a '404-page not found,' the attack will get lost in the vast amounts of URLs the industry is already qualifying on a daily basis. It becomes an invisible needle in a haystack."

So far, the technique has been spotted being used in phishing attacks against South African financial institutions, Cohen said.

"The attacker was only interested in SA [South African] victims and, therefore, only included [] on the list," he said. "We also saw this used against FIs [financial institutions] in Australia and Malaysia, too. As for APTs [advanced persistent threats], this could potentially be used in that scenario, but we have not yet detected such an attack."

According to RSA, each campaign targeted an average of 3,000 recipients with lists composed in alphabetical order. The recipients were a mixed bag of webmail users, corporate addresses and bank employees—indicating there was likely an aggregation of a few spam lists or data breach collections. The campaigns also took advantage of WordPress plug-in zero-day vulnerabilities to compromise and hijack Websites.

"Needless to say, these kits, used to target corporate email recipients, can easily be used as part of spear-phishing campaigns to gain a foothold for a looming APT-style attack," according to FraudAction Labs.

"Like the very large majority of phishing kits today, the Websites are being hijacked because of vulnerable plug-ins used in many Opensource CMS-based sites and blog-type pages," the FraudAction team added. "Unfortunately, it is entirely up to the webmasters to become more aware of security and ensure that their Websites don't get exploited, thereby becoming part of this detrimental phenomenon."