Attacks/Breaches
1/15/2013
10:13 PM
Tim Wilson
Tim Wilson
Quick Hits
Connect Directly
RSS
E-Mail
50%
50%

New 'Bouncer List' Exploits Turn Phishing Into Clubbing

Targeted email attacks mirror your favorite night club; if you're not on the list, then you don't get in

In the old days, phishing worked like spam -- the more users it hit, the more successful it was considered to be. But a new attack concept uncovered this week turns fraudulent email attacks in the opposite direction.

A new, laser-targeted form of spear-phishing is the subject of a blog posted Tuesday by security researchers at RSA.

The new attack is called "bouncer list phishing" because it works like the bouncers at your favorite night club -- if users are not on the list, then they don't get phished.

"The bouncer phishing kit targets a preset email list for each campaign," the blog explains. "A user ID value is generated for the targeted recipients, sending them a unique URL for access to the attack. Here's the interesting part – much like a night club's bouncer list – any outsider attempting to access the phishing page is redirected to a '404 page not found' error message." RSA compares the attack to a "black hat whitelist."

"When victims access the phishing link, their name has to be on the list and their 'ID' value is verified on the fly as soon as they attempt to browse to the URL," the blog states. "After a scan of the "bouncer list," unintended visitors are stirred away from the phishing page; in fact, the page is not even generated for eyes it was not meant for.

"As for validated users -- the less fortunate that are let in -- the kit immediately generates an attack page, creating it on the very same hijacked website," the blog continues. "The kit's code is programmed to copy pertinent files into a temporary new folder and send victims to that page in order to steal their credentials.

"After the kit collects victim credentials, it sends them to yet another hijacked website -- taken over using the exact same method of vulnerability exploit and web-shell -- where the password-protected attack page lies in wait to steal user credentials," the blog explains.

The attack is a complete reversal of traditional phishing attacks designed to infect as many users as possible, the blog observes. "...the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes," RSA states. "Keeping out uninvited guests also means avoiding security companies and prompt takedowns of such attacks."

The highly targeted approach is likely the work of a gang or a fraud service vendor supplying credentials to specific geographical regions and targets, RSA postulates.

Scott Greaux, vice president of product management and services at anti-phishing service PhishMe, doesn't expect the new tactic to make a huge impact on enterprises.

"While phishing kits are an interesting technology, they are more consumer-focused in nature, and I don't expect to see them incorporated by the types of APT attacks that we've seen targeted at large organizations," Greaux says. "Phishing kits are not personalized and thus don't employ what we've found to be the most effective weapon a phishing email can use: personal details that make it appear genuine.

"However, the increased sophistication and prevalence of phishing kits underscore the need to train employees to recognize all types of phishing emails," Greaux states. "A savvy user will be able to recognize the signs of a suspicious email -- regardless of whether it's from a phishing kit or is a traditional spear phish -- and react appropriately."

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6335
Published: 2014-08-26
The Backup-Archive client in IBM Tivoli Storage Manager (TSM) for Space Management 5.x and 6.x before 6.2.5.3, 6.3.x before 6.3.2, 6.4.x before 6.4.2, and 7.1.x before 7.1.0.3 on Linux and AIX, and 5.x and 6.x before 6.1.5.6 on Solaris and HP-UX, does not preserve file permissions across backup and ...

CVE-2014-0480
Published: 2014-08-26
The core.urlresolvers.reverse function in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not properly validate URLs, which allows remote attackers to conduct phishing attacks via a // (slash slash) in a URL, which triggers a scheme-relative URL ...

CVE-2014-0481
Published: 2014-08-26
The default configuration for the file upload handling system in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 uses a sequential file name generation process when a file with a conflicting name is uploaded, which allows remote attackers to cause a d...

CVE-2014-0482
Published: 2014-08-26
The contrib.auth.middleware.RemoteUserMiddleware middleware in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3, when using the contrib.auth.backends.RemoteUserBackend backend, allows remote authenticated users to hijack web sessions via vectors relate...

CVE-2014-0483
Published: 2014-08-26
The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.