HACKTIVISM AND THE CASE OF SOMETHING PHISHY

May 2013
While it is true that most cyber attacks orchestrated by hacktivists focus on DDoS onslaughts targeting authority-type entities and banks, all too many times they add a sting to the operation and hack into immense databases containing personal user information. On their quest for notoriety and media attention to make a statement, critics say that hacktivists tend to cross the line when they publicly release untold amounts of data, providing links to the trove and facilitating its free-for-all download. Some hacktivists will call out every target on their list and post their threats publicly and well in advance, while those targeted will prepare to fend off the attack and advise users as needed. But at the end of the day, it is often the innocent online user that takes the hardest hit when their information is leaked across the Internet.

HACKTIVISTS OUT, PHISHERMEN IN

In one of the largest hacks perpetrated in the name of hacktivist ideals, the end result, beyond the damaged brand reputation of a multinational corporation, was a public leak of account information belonging to nearly 25 million Sony Entertainment users. That was about a third of a previous leak of over 70 million accounts, also inflicted by hackers operating in the name of an opinion they formed and acted upon. Taking the Sony case as just one example, because hacktivist cases such as these have been increasingly plaguing the Internet, it is clear that the one party that did not expect the hack other than Sony, of course were the millions of ordinary users whose data was offered up freely thereafter. Those same users were also the ones who did not have advisors, lawyers and information security experts to help them recover from the actual and potential damages of the hack and its possible effects on their identities and personal finances.
FRAUD REPORT

For fraudsters, the large-scale hacks are like candy. Hacktivists will set up publicly available download links for anyone to be able to see the exposed databases, their hunting trophy, and end their part there. But as soon as the links are public, cybercriminals and fraudsters will access and download it before it is taken down by the hosting authorities. By that time, the real damage to the end user is done. Large hacks containing a database replete with email addresses, not to mention payment cards or other financial data, are an attractive reward for phishers to come for and discuss in underground communities. Instead of having to do their own hacking, collecting and stealing, they can enjoy the spoils and bank on the freshly dumped data, compliments of zealous hacktivists, paving a shortcut to a variety of fraud scenarios including:  Monetizing gaming account credentials by selling them to other gamers  Enjoying a list of valid email addresses to target with phishing spam  Leading potential victims to phishing and malware sites and getting paid per install  Harvesting financial information that can be sold to fraudsters and CC shops  Using leaked and stolen data for fraud and identity theft  Checking what other accounts a user has, because as recent research shows, 61% of accounts are set-up with passwords used on other consumer accounts. Its easy to see how an attack that stems from idealistic motivations, targeting very large entities and supposedly conceived in order to protect peoples rights to information, ends up serving the fraudsters and flooding the Internet with confidential data. With the variety of actors that gain access to information publicly posted online, hacktivists end up inadvertently damaging the very people whose interests they claim to represent.

CONCLUSION
The number of phishing attacks recorded monthly is known to vary, fluctuating upwards and downwards, and theres limited capability to forecast a trend that is so dependent on fraudster resources. Although totals are often tricky to predict, some seasonal trends do repeat every year such as the holiday shopping season when a rise in phishing is almost expected. Adding to that list, we can include large database hacks that release the information on millions of users into the wild. Phishing attacks in April 2013 have so far only shown a moderate increase over the previous month, but with constant headlines such as the recent announcement of over 40,000 Facebook accounts allegedly hacked, we may just see a rise before the quarter is out.

page 2

Phishing Attacks per Month In April, RSA identified 26,902 attacks launched worldwide, marking a 10% increase in attack volume from March.

60000
51906

59406

50000 40000 30000 20000 10000 0

35558 37878

49488 41834 35440

33768 29581 30151 27463 24347 26902

350 300 Number of Brands Attacked In April, 311 brands were targeted in phishing attacks, marking a 20% increase from last month. Of the 311 targeted brands, 52% endured five attacks or less. 250 200 150 100 50 0
Apr 12 May 12 Jun 12 Jul 12 Aug 12
288 298 259 242 290

314 269 284 257 291 257 260

311

Source: RSA Anti-Fraud Command Center

page 3

Source: RSA Anti-Fraud Command Center

Jan 13

Feb 13

Mar 13

Apr 13

Apr 12

May 12

Jun 12

Jul 12

Aug 12 Sep 12

Sep 12 Oct 12

Oct 12 Nov 12

Nov 12 Dec 12

Dec 12 Jan 13

Feb 13

Mar 13

Apr 13

100

US Bank Types Attacked U.S. nationwide banks continued to be targeted by the highest volume of phishing attacks (73%) in April, while regional banks saw a slight decline from 20% to 12%.
80

7% 11%

20%

10% 12%

11%

11%

9%

9%

12% 9%

6% 15%

15%

8%

17%

15%

18%

15%

15%

14%

14%

15%

23%

23%

12%

60

40

20
82% 62% 78% 74% 74% 77% 77% 79% 79% 70% 69% 60% 73%

Australia

South Korea

Canada

China

Germany

UK

Canada 4% Netherlands 4%

Top Countries by Attack Volume The U.S. remained the top country on the chart, targeted with 46% of the total phishing volume in April. The UK accounted for 11% of the attack volume, a 2% decline from March while South Africa remained the same with 9% of attack volume.

India 8%

South Africa 9% U.S. 46%

United Kingdom 11%

48 Other Countries 18%

Source: RSA Anti-Fraud Command Center

Apr 12

May 12

Jun 12

Jul 12

Aug 12

Sep 12

Oct 12

Nov 12

Dec 12

Jan 13

Feb 13

Mar 13

Apr 13

page 4

US

S Africa

China

Italy

Canada

Netherlands

India

Bra

Brazil 4% Australia 4%

49 Other Countries 46%

Top Countries by Attacked Brands U.S. brands were targeted by 29% of total phishing volume in April, followed by brands in the UK at 10%. Brands in India, Australia and Brazil were collectively targeted by 15% of phishing volume.

India 7%

United Kingdom 10%

U.S. 29%

US

S Africa

Russia 3% China Italy Netherlands 3%

Canada

Netherlands

India

United Kingdom 4%

Top Hosting Countries The U.S. remained the top hosting country in April, hosting 47% of global phishing attacks (down 4%). Germany, Canada, the Netherlands, UK and Russia together hosted just over 20% of additional volume.

Canada 5%

Germany 6%

U.S. 47%

61 Other Countries 32%

page 5

CONTACT US
To learn more about how RSA products, services, and solutions help solve your business and IT challenges contact your local representative or authorized reseller or visit us at www.emc.com/rsa

www.emc.com/rsa

2013 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. MAY RPT 0513