Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Phishers Use Bouncer List to Fix Scope on Targets

    By
    Brian Prince
    -
    January 17, 2013
    Share
    Facebook
    Twitter
    Linkedin

      In the world of cyber-crime, even the list of people who made their way into an attacker’s club of victims is getting exclusive.

      Researchers at EMC’s RSA security arm now say that phishers are adopting a new tactic to ensure that only certain targets are being hit. The technique is called “bouncer list phishing,” and just like a VIP section at a nightclub, the goal is to keep out anyone who isn’t invited.

      It all starts, RSA explains, with an email list for each campaign.

      “A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack,” RSA’s FraudAction Research Labs described in a blog post. “Here’s the interesting part—much like a night club’s bouncer list—any outsider attempting to access the phishing page is redirected to a ‘404 page not found’ error message. Unlike the usual IP-restricted entry that many older kits used, this is a true—depending on how you look at it—black hat whitelist.”

      Once victims access the phishing links, their names and ID values are verified on the fly. After a scan of the “bouncer list,” any unwanted visitors are turned away from the phishing page, while validated users will see an attack page generated by the phishing kit. The kit’s code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials, RSA noted.

      “After the kit collects victim credentials, it sends them to yet another hijacked Website (taken over using the exact same method of vulnerability exploit and Web-shell), where the password-protected attack page lies in wait to steal user credentials,” the FraudAction team blogged.

      The change in tactics poses a challenge to researchers, Daniel Cohen, head of business development for Online Threats Managed Services at RSA, told eWEEK.

      “Receiving the full URL—that includes the victim’s personal invite ID, or the generated URL of the phishing page—is now a big factor,” he said. “If vendors only receive the partial URL, loading a ‘404-page not found,’ the attack will get lost in the vast amounts of URLs the industry is already qualifying on a daily basis. It becomes an invisible needle in a haystack.”

      So far, the technique has been spotted being used in phishing attacks against South African financial institutions, Cohen said.

      “The attacker was only interested in SA [South African] victims and, therefore, only included [.co.za] on the list,” he said. “We also saw this used against FIs [financial institutions] in Australia and Malaysia, too. As for APTs [advanced persistent threats], this could potentially be used in that scenario, but we have not yet detected such an attack.”

      According to RSA, each campaign targeted an average of 3,000 recipients with lists composed in alphabetical order. The recipients were a mixed bag of webmail users, corporate addresses and bank employees—indicating there was likely an aggregation of a few spam lists or data breach collections. The campaigns also took advantage of WordPress plug-in zero-day vulnerabilities to compromise and hijack Websites.

      “Needless to say, these kits, used to target corporate email recipients, can easily be used as part of spear-phishing campaigns to gain a foothold for a looming APT-style attack,” according to FraudAction Labs.

      “Like the very large majority of phishing kits today, the Websites are being hijacked because of vulnerable plug-ins used in many Opensource CMS-based sites and blog-type pages,” the FraudAction team added. “Unfortunately, it is entirely up to the webmasters to become more aware of security and ensure that their Websites don’t get exploited, thereby becoming part of this detrimental phenomenon.”

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×