Fraud Report: RSA Monthly Online - April 2013
The RSA Monthly Online Fraud Report examines the latest global phishing and cybercrime trends.
FRAUD REPORT
PHISHING IN SEASON – TAX TIME MALWARE, PHISHING AND FRAUD
April 2013
As cybercriminals will have it, phishing attacks are quite the seasonal trend. It seems that
every April, after showing a slight decline in phishing in the first quarter of the year, they
wake up and get back to work on vast spam campaigns that take advantage of tax-filing
season.
This time of year brings a few flavors of spam into the mailboxes of online users,
including malware attachments that appear as communications such as tax statements or
unclaimed refunds. In this special highlight, we will cover the main types of online threats
we often see during the tax filing season, most of which are already rampant in the wild.
Tax Authority Phishing Themes
Although phishing is most often a direct attack, targeting account holders by presenting
them with messages from their online banking provider, indirect phishing can be just as
efficient, if not more.
In these scams, phishers will create an email appearing to come from the local tax
authority, encouraging taxpayers to browse to a (phishing) page where they will be
tricked into believing they are opening an online account, updating their personal
information, contesting a fraudulent statement or receiving a refund.
Phishers use the taxation entity’s credibility and authority in order to ask victims to part
with their personal information (address and phone details), account information, access
to online and phone banking, and complete credit card details.
Those attacks can be very elaborate and eventually allow criminals to devise a wider
array of identity theft scenarios, including loan and credit card application, fraudulent
ecommerce purchases, fraudulent tax filing, and bank account takeover.
Malware Hidden In Tax-Themed Emails
Another very popular threat during tax season is malware-laden email, purporting to
come from a tax authority, usually with a threatening message urging the user to
download and open an attachment. The file is actually a Trojan executable, which can
sometimes be revealed by simply looking at the file extension, like in the image below.
Note that the file extension is .pdf followed by .exe – a Trojan executable file.
One of the malware campaigns currently active in the wild is spreading the Brazilian
Banker Trojan (“Bancos”) under the guise of a message from the fiscal authority in Brazil.
Figure: Tax-Themed Malware Spam. Email purporting to come from tax authorities, urging users to download and open an attachment.
Figure: Tax-Themed Phishing. Elaborate phishing page designed to steal access credentials and personal financial information.
Here too, it is easy to see that the file is not really a Microsoft Word document (.docx),
but rather an .exe containing the Trojan’s executable.
Online Tax-Filing Scams
Since tax authorities have been allowing taxpayers to file their annual declarations with
online service providers, criminals have been increasingly interested in phishing for
access credentials to victims’ user accounts in hopes of rerouting the refund payments
that may be due.
In many cases, fraudsters check if the potential victim has already filed the return, and if not,
they will proceed to filing a false declaration in the victim’s name, using numbers that will
result in a refund, and then attempt to have the expected payment sent to a prepaid card or
an account they control. The U.S. Internal Revenue Service reported it saw an 80% increase in
tax-return fraud between 2011 and 2012 – a number that is likely to continue growing.
One of the present campaigns running in the wild falsely alerts taxpayers that their return was
rejected, all while delivering a Trojan attachment (.exe) in the guise of an archived file (.zip).
Taxpayer User Account Takeover Attempts
In this last example of tax-themed online threats, some criminals, usually operating locally
and versed in the regional processes, will attempt to phish a taxpayer for his access
credentials to the tax authority’s web services.
Figure: Tax-Themed Malware Spam. Email purporting to come from Brazilian tax authorities, urging users to download and open the concealed Bancos Trojan.
Figure: Online Filing Scams. Email telling tax filers that a refund has been rejected, luring them to download a file with hidden malware.
From there, the criminals will attempt to gain insight into amounts possibly due to the
victim, find out if they already filed a tax return, attempt to modify the account that
refund(s) should be sent to, or in other cases, create a fake account with an online tax
filing service to submit a bogus return in order to yield a refund.
The actual phishing can be carried out online, by directing taxpayers to click and browse
to a hyperlink inside an email, or by opening the attack locally – a local HTML phishing
scam that will appear on the victim’s PC.
In the following image, the taxpayer received an HTML file inside the email – containing
the phishing page. The URL shown when opening that file is a local path on the user’s PC.
Data harvested by such “standalone” attacks is then sent to the phisher.
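As an added example (not part of the RSA report), the following Python check covers the three attachment lures described above: double-extension executables such as .pdf.exe and .docx.exe, an .exe wrapped in a .zip, and a standalone HTML phishing page. The file names and contents are constructed samples; the extension lists are assumptions a gateway operator would tune.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}  # run code when opened
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}    # visible half of a double extension
HTML_EXTS = {".html", ".htm"}                                      # standalone phishing pages


def classify_attachment(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return the reasons an attachment should be quarantined (empty list = no finding)."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment ({last})")
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
            # the .pdf.exe / .docx.exe trick shown in the report's screenshots
            reasons.append(f"double extension masquerading as {suffixes[-2]}")
    elif data[:2] == b"MZ":
        # PE executable (MZ header) shipped under a document-looking name
        reasons.append("PE header under non-executable extension")
    if last in HTML_EXTS:
        # the local HTML phishing attachment: opens from a path on the victim's PC
        reasons.append("HTML attachment: possible standalone phishing page")
    if last == ".zip" and depth < 2:
        # the '.exe in the guise of a .zip' lure: inspect the archive members
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    for r in classify_attachment(member, zf.read(member), depth + 1):
                        reasons.append(f"inside {name}: {r}")
        except zipfile.BadZipFile:
            reasons.append("zip attachment is not a valid archive")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a 'rejected return' archive wrapping a PE-headed .pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("rejected_return.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachment names modelled on the lures described in the report.
    for fname, blob in {"IRS_Tax_Statement.pdf.exe": b"MZ\x90\x00",
                        "rejected_return.zip": build_sample_zip(),
                        "refund_claim.html": b"<html><form action='http://example.invalid'>"}.items():
        print(fname, "->", classify_attachment(fname, blob) or ["no findings"])
```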
CONCLUSION
Although phishing attack numbers can fluctuate monthly and depend on factors that are
harder to predict, trends such as annual tax filing season remain rather consistent.
Tax-filing season is probably one of the most popular times of the year for phishers to hit
taxpayers with spam and malware infections since tax authorities can be a driver that
would make people react quickly to emotional triggers such as:
– Entitlement – expecting a tax refund and wishing to receive it ASAP
– Anxiety – being faced with the (false) accusation of a rejected/fraudulent statement
and wanting to rectify the issue
– Sense of obligation – having to comply with the civil obligation to report to the
taxation authorities
In terms of the time-span for this seasonal trend, tax deadlines typically fall on April 15,
but fraudsters are known to begin sending this type of spam in February and continue
spreading the campaigns well into May and June, in the shape of fake returns and bogus
rejected/fraudulent statements. This phenomenon is often reflected in phishing attack
spikes recorded annually through Q2. Just as financial institutions have been active in
educating online users, tax agencies have also started similar campaigns to warn
consumers to be alert during tax season.
Figure: Tax Authority Online Service Takeover Attempt. Email purporting to come from a tax authority, hosting a standalone phishing attack to harvest taxpayer information.
Phishing Attacks per Month
RSA identified 24,347 phishing attacks launched worldwide in March, marking an 11% decrease
in attack volume from the previous month, yet a 27% increase year-over-year in comparison to
March 2012.
Number of Brands Attacked
In March, 260 brands were targeted in
phishing attacks, marking a 1% increase
from February. Of the 260 targeted brands,
46% suffered five attacks or less.
Chart: phishing attacks per month, Mar 12 to Mar 13 (values read from the bar chart’s data labels)
Source: RSA Anti-Fraud Command Center
Mar 12   19,141
Apr 12   35,558
May 12   37,878
Jun 12   51,906
Jul 12   59,406
Aug 12   49,488
Sep 12   35,440
Oct 12   33,768
Nov 12   41,834
Dec 12   29,581
Jan 13   30,151
Feb 13   27,463
Mar 13   24,347
Chart: number of brands attacked per month, Mar 12 to Mar 13 (values read from the bar chart’s data labels)
Source: RSA Anti-Fraud Command Center
Mar 12   303
Apr 12   288
May 12   298
Jun 12   259
Jul 12   242
Aug 12   290
Sep 12   314
Oct 12   269
Nov 12   284
Dec 12   257
Jan 13   291
Feb 13   257
Mar 13   260
Top Countries by Attack Volume
The U.S. was targeted by about half of all
phishing volume in March. The UK
accounted for 13% of attack volume while
South Africa experienced an increase with
9% of attack volume. After the UK, the
Netherlands was the country in Europe
that endured the second highest attack
volume in March at 5%.
Chart: top countries by attack volume, March 2013
U.S. 49%
United Kingdom 13%
South Africa 9%
Netherlands 5%
Canada 4%
India 4%
38 Other Countries 16%
US Bank Types Attacked
U.S. nationwide banks saw a slight decline
in attack volume in March – decreasing 6%.
However, credit unions saw a relatively
sharp increase, more than doubling from
8% to 17%. On occasion, phishers like to
change up their attack methods and go
after less targeted financial institutions,
attempting to see if online/phone banking
security measures with these banks could
be more easily exploited.
Chart: U.S. bank types attacked, share of attack volume per month, Mar 12 to Mar 13 (values read from the chart’s data labels; the extracted chart names only nationwide banks and credit unions, so the middle series is assumed to be regional banks)
Source: RSA Anti-Fraud Command Center
Month    Nationwide banks   Regional banks   Credit unions
Mar 12   58%                30%              12%
Apr 12   82%                11%               7%
May 12   62%                18%              20%
Jun 12   78%                12%              10%
Jul 12   74%                15%              11%
Aug 12   74%                15%              11%
Sep 12   77%                14%               9%
Oct 12   77%                14%               9%
Nov 12   79%                 9%              12%
Dec 12   79%                15%               6%
Jan 13   70%                15%              15%
Feb 13   69%                23%               8%
Mar 13   60%                23%              17%
Top Countries by Attacked Brands
U.S. brands were once again most targeted
by phishing in March, experiencing 27% of
attack volume. Together, brands in the UK,
Australia, India and Brazil accounted for
25% of attack volume.
Chart: top countries by attacked brands, March 2013
U.S. 27%
United Kingdom 12%
Australia 5%
Brazil 4%
India 3%
39 Other Countries 48%
Top Hosting Countries
In March, the U.S. hosted just over half of
all global phishing attacks, followed by
Germany, Canada and the UK. Colombia
hosted 3% of phishing attacks during the
month.
Chart: top hosting countries, March 2013
U.S. 51%
Germany 6%
Canada 5%
United Kingdom 4%
Colombia 3%
Netherlands 3%
57 Other Countries 28%
www.emc.com/rsa
CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa
©2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC
Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective
holders. APR RPT 0413