FRAUD REPORT PHISH LOCKERS OUT IN THE WILD August 2013 RSA researchers have been increasingly witnessing the activity of highly targeted Trojans, dubbed ‘Phish Lockers’, used at the hands of cybercriminals to steal credentials. The Trojans are deployed as a means to present online users with a phishing page that is generated by malware, while locking the desktop, hence the name. This type of malware is not defined as a banking Trojan in the traditional sense. It is basic malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit or otherwise able to actively monitor online activity, keylog or perform web injections. Phish lockers were observed attacking banks in Latin America earlier this year, where local pharming is a very common attack method. However, the lockers are now starting to show up in new regions, attacking one or more banks at a time. INSIDE THE PHISH LOCKING ROOM Much like most banking Trojans, phish lockers are activated by trigger. When an infected user logs into a website contained on the malware’s trigger list, the Trojan becomes active. However, unlike banking Trojans, phish lockers don’t have a classic configuration file. Most of the information is hardcoded into the malware and therefore cannot be changed on the fly. The malware is compatible with all major browsers including Internet Explorer, Firefox, Chrome, and Opera. The first visible action that the user will see is the browser window being shut down, then the desktop’s START button disappearing (a common occurrence with ransomware, for example). Based on the URL initially typed into the browser, the Trojan will pop-up a corresponding web form that looks exactly like legitimate web page, but is actually a phishing page.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
F R A U D R E P O R T
PHISH LOCKERS OUT IN THE WILD
August 2013
RSA researchers have been increasingly witnessing the activity of highly targeted Trojans,
dubbed ‘Phish Lockers’, used at the hands of cybercriminals to steal credentials. The
Trojans are deployed as a means to present online users with a phishing page that is
generated by malware, while locking the desktop, hence the name.
This type of malware is not defined as a banking Trojan in the traditional sense. It is basic
malicious code that can manipulate certain actions on an infected PC, but it is not a rootkit
or otherwise able to actively monitor online activity, keylog or perform web injections.
Phish lockers were observed attacking banks in Latin America earlier this year, where
local pharming is a very common attack method. However, the lockers are now starting
to show up in new regions, attacking one or more banks at a time.
INSIDE THE PHISH LOCKING ROOM
Much like most banking Trojans, phish lockers are activated by trigger. When an infected
user logs into a website contained on the malware’s trigger list, the Trojan becomes
active. However, unlike banking Trojans, phish lockers don’t have a classic configuration
file. Most of the information is hardcoded into the malware and therefore cannot be
changed on the fly. The malware is compatible with all major browsers including Internet
Explorer, Firefox, Chrome, and Opera.
The first visible action that the user will see is the browser window being shut down, then
the desktop’s START button disappearing (a common occurrence with ransomware, for
example). Based on the URL initially typed into the browser, the Trojan will pop-up a
corresponding web form that looks exactly like legitimate web page, but is actually a
phishing page.
page 2
The phish locker malware usually comes with a few hardcoded web forms, each requiring
a relevant set of credentials from infected bank customers. Usually, the information
requested by the malware corresponds with phishing attacks targeting the particular
bank. For example, if the bank uses out-of-band SMS for transaction verification, the form
might have a request for the user’s mobile number.
When banking Trojans infect user machines, they
are present on the device and can log a user’s
keystrokes and steal documents, certificates,
cookies and other elements dictated by the
botmaster. Banking malware regularly sends logs
of stolen information to its operator, using pre-
defined domains as communication resources.
Phish lockers on the other hand, are not designed
to carry out such complex activity and use basic
methods to transmit stolen data such as email.
In order to facilitate sending emails from the
infected PC, the malware’s author programmed it
to use Extended SMTP, predefining a sender and a
few recipients that will act as a fallback
mechanism in case the data gets intercepted or
the mailbox blocked/closed for some reason.
Yet another differentiator that separates banking Trojans from phish lockers is the mode of
activity. While banking malware steals and listens for data at all times when the browser is
open, the locker closes the browser altogether, and then does the stealing. Once the
information from the locker’s web forms is sent, the malware remains inactive and does
not carry out any other malicious activity on the PC, allowing the user to regain control.
CONCLUSION
It is rather interesting to see Trojans of this type, which are considered very basic when
compared to most banking Trojans in the wild. It is even more interesting to see them
appearing in geographies where banking security is considered to be very advanced.
This phenomenon may be linked with the trend towards privatization of banking Trojans.
This has created a barrier for many cybercriminals as they are denied access to purchase
more advanced malware kits to launch attacks. This could be perhaps be pushing some
cybercriminals to write and deploy simple malicious codes that will at least get their dirty
CONTACT USTo learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller – or visit us at www.emc.com/rsa