New Phishing Toolkit Uses Whitelisting To Keep Scams Alive

Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims.

The new toolkit, dubbed “Bouncer,” was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia, said Daniel Cohen, Head of Business Development for Online Threats Managed Services at RSA.  The kit allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a “404 page not found” error message, Cohen said.

In phishing attacks, attackers pose as a legitimate online entity in an attempt to obtain a user’s username, password or other sensitive information. Phishing attacks often rely on imposter web sites to trick users into giving up their secret information. The discovery of “Bouncer” underscores the increasing sophistication of online crime software packages.

The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature is intended to keep prying eyes – including security firms and anti-phishing organizations – from discovering the scams, Cohen said.

The new kit was the subject of a blog post by Limor S Kessem, Cybercrime and Online Fraud Communications Specialist at RSA on Tuesday. Other phishing attack kits have long incorporated static IP address “blacklists” that will block known security firms. Bouncer’s use of the whitelisting concept is novel, RSA said.

Cohen said that RSA staff discovered the attack around two weeks ago. The malicious links were sent in an email that posed as a warning from a credit card firm. Clicking on the link would bring victims to a hijacked server that would validate the unique victim URL, comparing it against a list of URLs for that specific attack.

Attackers exploited vulnerable WordPress plugins and other known vulnerabilities to take over reputable sites and use them in the scam, RSA said.

For each intended victim who clicks on the malicious link, the Bouncer kit dynamically creates a custom web site for that victim in a subdirectory on the same compromised server and uses that to capture the victim’s banking credentials.

Cohen said the extra effort may be evidence that those behind the scam are after “quality data” from customers that justified the extra work needed to identify and target individuals.

While not foolproof, whitelisting may be enough to throw off security companies that process millions of phishing attack sites each day. “There are plenty who will see the 404 (Page Not Found) message and just shrug and move on,” Cohen said.
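The whitelist gate described above (a per-victim ID in the URL, 404 for everyone else) and the check an analyst can run before treating that 404 as a dead page, as an added Python example. This is not the kit's code and not RSA's; the parameter name `id`, the hostnames, paths and whitelist values are constructed for illustration, and the gate is only a model of the behaviour the article reports:

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Constructed whitelist: the per-victim IDs an operator would have generated
# for one campaign (hypothetical values, not taken from the RSA report).
CAMPAIGN_WHITELIST = {
    "7f3a9c2e1b4d": "alice@example.com",
    "c0ffee123456": "bob@example.net",
}


def bouncer_gate(url, whitelist=CAMPAIGN_WHITELIST):
    """Model of the gating behaviour: the landing page only renders for a
    URL carrying a known victim ID; every other request gets a 404.
    Returns (status, body) like a tiny web server would."""
    parts = urlsplit(url)
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) == 1 and ids[0] in whitelist:
        # The kit serves a per-victim copy from its own subdirectory;
        # modelled here as a distinct body per victim.
        return 200, f"<html>login form for {whitelist[ids[0]]}</html>"
    return 404, "<html>404 Not Found</html>"


def strip_token(url, param="id"):
    """The URL as an analyst sees it after dropping the tracking parameter,
    which is what a naive blacklist check would fetch."""
    parts = urlsplit(url)
    q = {k: v for k, v in parse_qs(parts.query).items() if k != param}
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


def tamper_token(url, param="id"):
    """Same URL with a wrong token of the same length, to tell a real
    whitelist apart from a page that merely requires any value."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if param in q:
        q[param] = ["0" * len(q[param][0])]
    return urlunsplit(parts._replace(query=urlencode(q, doseq=True)))


def probe_for_gating(url, fetch, param="id"):
    """Fetch the reported URL three ways through the supplied fetch(url)
    callable. A live page that turns into a 404 once the token is stripped
    or tampered is the Bouncer-style signature: the phishing page exists,
    it just refused to talk to you."""
    full_status, _ = fetch(url)
    stripped_status, _ = fetch(strip_token(url, param))
    tampered_status, _ = fetch(tamper_token(url, param))
    return {
        "as_reported": full_status,
        "token_stripped": stripped_status,
        "token_tampered": tampered_status,
        "whitelist_gated": (
            full_status == 200 and stripped_status == 404 and tampered_status == 404
        ),
    }


if __name__ == "__main__":
    # Constructed report URL; bouncer_gate stands in for the network fetch.
    reported = "http://compromised.example/wp-content/uploads/secure/?id=7f3a9c2e1b4d"
    print(probe_for_gating(reported, bouncer_gate))
```

In practice `fetch` would be a real HTTP client run against the URL exactly as it appeared in the victim's mail, token included; the point of the three-way fetch is that a 404 on the stripped or tampered variant is evidence of gating, not evidence that the page is gone.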

RSA doesn’t know yet how many people fell victim to the scam. Forensic analysis suggests that each campaign using the Bouncer kit targeted an average of roughly 3,000 recipients, organized alphabetically by email address. The targeted individuals included webmail users, corporate e-mail addresses and bank employees, Kessem wrote. That suggests the attack aggregated different spam lists or data dumps. RSA wouldn’t say how many potential victims actually fell for the scam, but Cohen said the observed open rates were “very low – in the single digit percentages.”

The provenance of the new Bouncer kit isn’t known, though Cohen said cursory analysis of it suggests it is of Russian origin, based on the sophistication of the coding and other clues. The attackers were likely a “gang or a fraud service vendor supplying credentials to specific geographical regions and targets,” Kessem wrote in the blog post.

Writing on the RSA blog, Kessem said that the number of phishing attacks grew by 59% year on year in 2012, with 445,004 unique attacks identified. The total cost of fraud linked to those attacks is estimated at $1.5 billion – 22% higher than the losses recorded in 2011.
