RSA® Monthly Online Fraud Report: Aril 2007
Online fraud is evolving. Phishing and pharming represent one of the most sophisticated, organized and innovative technological crime waves faced by online businesses. Fraudsters have new tools at their disposal; and are able to adapt more rapidly than ever. The RSA Anti-Fraud Command Center (AFCC) is a 24x7 war-room that detects, monitors, tracks and shuts down phishing, pharming and Trojan attacks against close to 200 institutions worldwide. The AFCC has shut down over 32,000 phishing attacks and is a key industry source for information on phishing and emerging online threats. The following statistics have been gathered from the AFCC’s phishing repository. Each statistic includes a short analysis of the trends shown in the graphs based on the expertise of the fraud analysts in the command center. Since the beginning of 2006, phishing has remained the most wide-spread online fraud technique; however the AFCC has detected several cases of additional attacks such as Trojans. The RSA Security fraud experts predict that the usage of more sophisticated fraud techniques will rise as financial institutions deploy anti-fraud and strong authentication measures, thus making phishing less effective.
Fraudsters’ migration to WebMoney – a Possibility While monitoring the fraudsters’ communication channels, RSA has learned that most fraudsters prefer to pay and get paid using an e-currency called e-gold (www.e-gold.com). A phrase such as “I accept e-gold” is very common in fraudster negotiations and in posts in their web forums. We estimate that a significant portion of e-currency business transactions between fraudsters are e-gold transactions. U.S. Law Enforcement agencies have been long accusing e-gold of involvement in financing of illegal activity such as fraud and child pornography, laundering money and operating an illegal money transmission system. Recently, e-gold’s founder Douglas Jackson and two of his colleagues were indicted with such allegations. E-gold’s founders claim that they are not involved in any of those alleged activities, and that they have been trying to fight any fraudulent or criminal use of their platform. And indeed, in the beginning of November 2006 e-gold started a mass blocking of dozens of accounts related to fraudsters and fraudulent activities. Later on, there were several more reported "waves" of e-gold accounts blocking. While these blocks have been a blow to the fraudsters' operations, it did not seem to have a long term effect on the volume of fraud and on the fraudster’s activities. However, fraudsters realized that e-gold is no longer a reliable business platform, and were considering alternative payment methods to maintain their business. Some fraudsters still rely on e-gold as a payment method, but recently there seems to be a development in this area.
After the e-gold account blocking affair in November, the most prominent discussion among fraudsters revolved around the use of other e-currencies that would replace e-gold. A widely discussed e-currency service is called WebMoney, or “WMZ” (www.wmtransfer.com). Several fraudsters recommended using WebMoney instead of e-gold, to avoid account blocking and surveillance. However, other fraudsters claimed that WebMoney employs similar security measures to e-gold, and that they also block fraudulent accounts. Recently, we noticed that the amount of discussions regarding the use of WebMoney is on the rise. Issues such as registering accounts, funding and cashing out WebMoney accounts are discussed much more than before. More fraudsters are starting to accept WebMoney as well as E-gold, and some of them have even switched to WebMoney completely, and do not accept e-gold payments anymore. About WebMoney WebMoney is a Russia based e-currency service. With similarity to e-gold and other e-currency services, it provides a fast and anonymous payment system which fits the need of the fraudster underground. A Webmoney account can be funded in several ways, including a wire transfer, using prepaid cards, and postal money orders. Unlike e-gold, WebMoney are not entirely website-based. Using WebMoney requires an application to be installed on one's computer. However, several videos we found in the fraudster underground show how to use this application while still remaining anonymous.
Breakdown of Global Banking 1. Breakdown of Global Banking Brands Attacked by Phishing Brands Attacked by Phishing
I I I I I I I I I I
Trend Analysis The share of U.S. brands is still dominant, making up 73% of all entities being phished. As in February and March, UK institutions remained in the #2 spot, with 10% of the phished entities. Spain and Canada continue to occupy #3 and #4. Italy, Argentina and the Dominican Republic joined the bottom part of the list in March.
United States 73% UK 10% Spain 4% Canada 3% Italy 3% Mexico 2% Australia 2% France 1% Argentina 1% Dominican Republic 1%
Monthly Online Fraud Report
2. Number of Brands Attacked Per Month
Number of Brands Attacked Per Month
260 240 220 200 180 160 140 120 100 80 60 40 20 0
Apr 06 May June Aug Sep Oct Nov Dec Jan 07 Feb Mar Apr
195 171 157 162 165 149
Trend Analysis The number of institutions coming under attack decreased this month, as opposed to an increase in March. Note that the number of brands attacked during April is still the 4th higher over the last 12 months. There seems to be some instability in the number of brands attacked over the past few months, as the trend tends to change from month to month. Considering the overall increase in attacks, on average there were more attacks against each institution in April.
3. Segmentation of US Banking Brands Attacked by Phishing
I Regional US Banks I Nationwide US Banks I US Credit Unions
55% 17% 28%
Trend Analysis No major changes in April. U.S. nationwide banks continue, as in March, to form around 15% of financial institutions targeted. The FCU and regional banks segments remained relatively stable on a percentage basis.
Monthly Online Fraud Report
4. Top Hosting Countries
Top Hosting Countries
I I I I I I I I I I United States Hong Kong South Korea Germany China UK France Netherlands Tokelau Austria 46% 15% 8% 8% 6% 4% 4% 4% 3% 2%
Trend Analysis The decrease in attacks hosted in the U.S. continued during April. This trend started in March, when the U.S. hosted 55% of the attacks, compared to 74% of the attacks in February. Interestingly—Hong Kong, which was in 3rd place last month, now occupies the number 2 position, with 15% of the attacks (compared to only 2% during February). South Korea and China are two additional Asian countries that joined the top-5 hosting countries this month, while Russia did not make the list at all.
RSA, RSA Security, FraudAction, eFraudNetwork and the RSA logo are either registered trademarks or trademarks of RSA Security Inc. in the United States and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and services mentioned are trademarks of their respective companies.
FRARPT DS 0407