Angry Birds impersonated to distribute malware

As part of Netcraft's ongoing work in providing anti-fraud and anti-phishing services, we have recently discovered a significant number of Russian language attacks targeting users of popular pieces of software, including well known brands such as Angry Birds. This type of attack can be particularly successful as it exploits a user's trust in a brand. Malicious downloads for Android phones are becoming an increasingly common attack vector.

Angry Birds is a video game franchise created by Rovio Entertainment. The franchise gained popularity on Apple's iOS platform, and has since become available on all popular mobile and desktop operating systems. With over 1 billion downloads and over 250 million active users, the franchise has become iconic in the marketplace: the original game and its variants are frequently seen in top ten app lists, and so continually attract new users.

Angry Birds is impersonated to push malware.

Distributing malware purporting to be genuine software isn't a new tactic, and Angry Birds has been a victim of this before: in that earlier case, smartphone users were hit by premium rate phone scams.

However, lately we have seen an increase in attackers taking additional measures to prevent their sites being found and taken down by the anti-phishing community. Restricting access to a site by country is one tactic that is becoming increasingly common. This is usually achieved by IP filtering; however, Netcraft has also seen attacks restricting access based on the Accept-Language and User-Agent request headers. One such attack purported to provide a browser update, varying the brand impersonated according to the User-Agent submitted.

Many of the attacks Netcraft has observed have been composed primarily of Russian language content, and restricted to IP addresses located in Russian-speaking countries. On another site impersonating Angry Birds, we found that when the site was accessed through a proxy based in Russia, malware was served; however, when the same content was requested through a different proxy (located in Australia in our test) we were redirected to Google.

IP filtering, amongst other measures taken by fraudsters, makes identifying and classifying phishing sites more difficult both for anti-phishing vendors and for hosting companies responding to abuse notifications.

You can protect yourself against phishing sites by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at http://toolbar.netcraft.com/report_url. Netcraft can also help protect both brand owners and hosting companies.

Fake Mulberry stores promoted by hacked sites and black hat SEO

Mulberry — well known for its luxury fashion accessories — is currently being impersonated by fake online stores which have successfully promoted themselves to the first page of search engine results by planting malign JavaScript on hacked websites.

The hacked sites display various descriptions of Mulberry products, and also include hyperlinks to the fake Mulberry sites. Both help to make the fake sites seem more relevant to search engines; indeed, the fake stores can even be reached from the first page of organic Google search results for the search term "Mulberry".

The injected scripts are sourced from an external site hosted in China, but which uses the .la country code top-level domain. This ccTLD belongs to the Lao People's Democratic Republic, but is actively marketed as a top-level domain for the US city of Los Angeles. Although the fake store associated with the above screenshot uses a UK ccTLD, it is actually hosted by root S.A. in Luxembourg, and shares the same netblock as kim.com and several bittorrent sites, including a mirror of The Pirate Bay which allows that site to be reached from countries where ISPs were ordered to block the original.

Such underhanded methods of search engine optimisation (SEO) are not unusual, and can potentially outperform traditional spam-based marketing. For instance, there is likely to be a much larger conversion rate among customers who are actively searching for a specific product than there would be among recipients of spam, many of whom would have no intention of buying anything, and – thanks to spam filters – may not even receive the spam in the first place. With such low returns on spam-based marketing, a huge number of emails would need to be sent in order to achieve a worthwhile return, which would only serve to draw more – possibly unwanted – attention to a fake site.

Some of the hacked sites which appear on the first page of a Google search for "Mulberry" lend further credibility to the scam, making it appear as though the products for sale have received thousands of reviews and near-perfect ratings. However, clicking on these links causes the user to be redirected to one of the fake stores, such as http://www.mulberryeshop.co.uk.

Even if you arrive at a website via a trusted search engine, Netcraft's site reports can help you make informed decisions about whether that site itself should be trusted. For example, Netcraft's site report awards a Risk Rating of 9/10 to www.mulberryeshop.co.uk, whereas the legitimate site, www.mulberry.com, has a rating of 0/10. Such ratings are conveniently accessible to users of the Netcraft browser extension, which is available for Firefox and Chrome.

Other obvious clues to look out for are the lack of an encrypted HTTPS connection when logging in to the site, and a WHOIS record for the domain which reveals only that "the registrant is a non-trading individual who has opted to have their address omitted from the WHOIS service."

A fake Mulberry online store, hosted in Luxembourg

Brand owners can also take the initiative to protect both themselves and their customers. The fake store shown above was detected last month by Netcraft's phishing, identity theft and fraud detection service, demonstrating how brand owners can receive early warnings of such attacks.

Mulberry's extraordinary success over the past five years (LON:MUL) has made it an attractive brand to target, even though its shares dropped by 16% last month. This drop followed a profit warning, which revealed weaker than anticipated trading post-Christmas. It is plausible that a multitude of fake stores, with good search engine rankings, could have contributed towards this reduction in revenue.

Bitcoin success attracts hacking, phishing, and fraud

Bitcoin, a distributed digital currency that cryptographically verifies transactions, has recently seen a large increase in usage: the total value of Bitcoins in circulation is now well over US$1B, and each Bitcoin is today worth more than $100. By way of comparison, Gibraltar, a British Overseas Territory and a conventional tax haven, had an economy worth an estimated $1.275B in 2008.

Speculators, investors, and criminals alike have been drawn to the alternative currency in the hopes of exploiting its perceived anonymity, its almost exponentially rising exchange rate against conventional currencies, and its dominant position amongst non-governmental currencies. Its attraction to criminals is diverse: it has become the de facto equivalent of cash for anonymous online purchases of illegal goods, and the dramatic increase in the value of each Bitcoin has made Bitcoin wallets increasingly attractive targets for would-be phishers.

A recent phishing attack against the leading Bitcoin Exchange, Mt. Gox

Bitcoin users are no strangers to being targeted by criminals: last month, attackers were able to steal $12,000 worth of Bitcoins from Bitinstant, a Bitcoin transaction services company, by obtaining the credentials for a brokerage account after socially engineering access to their emails. Malware writers have also targeted Bitcoins: Infostealer.Coinbit is a Trojan horse that tries to steal Bitcoin wallets. Criminals have also been using networks of infected computers to mine Bitcoins for themselves.

Bitcoin exchanges, organisations converting between Bitcoins and conventional currencies, are an obvious target for fraudsters. Last Thursday Mt. Gox (the leading Bitcoin exchange) faced a “stronger than average” DDoS attack. In September 2012 Bitfloor (another Bitcoin exchange) suspended operations after the theft of ~24,000 BTC (worth $250,000 at the time), and the Bitcoin exchange, Bitcoinica, went out of business after also suffering from large thefts.

Despite the apparent risk of operating in this business, some organisations are promoting a laissez-faire attitude to security to the Bitcoin community: BitPay recommends that merchants "[..] can eliminate the need for PCI Compliance and expensive security measures" by replacing credit card transactions with Bitcoin-based solutions.

Netcraft can provide Phishing Site Takedown and Countermeasures services, PCI Approved Vulnerability Scanning and Penetration Testing to Bitcoin exchanges, merchants, and e-commerce sites. For more information, please contact sales@netcraft.com. Internet users can be protected against phishing sites, Bitcoin-related or otherwise, by Netcraft's Anti-Phishing Extension. Help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at http://toolbar.netcraft.com/report_url.

Phishing by proxy

Netcraft's toolbar community has reported an increase in the deployment of malicious scripts which direct webmail and online banking traffic through rogue proxy servers. These proxies allow attackers to steal usernames and passwords when forms are submitted, or use victims' cookies to hijack already-authenticated sessions.

The attacks rely on malicious proxy auto-config (PAC) scripts, which are remotely hosted and instruct a victim's web browser to proxy certain requests according to the specified configuration. Other requests are left untouched and are transmitted directly to the intended websites. The selective behaviour could perhaps be an attempt to limit the amount of traffic an attacker would need to process to extract sensitive information; alternatively, it could be an attempt to make detection more difficult: because requests to services such as whatismyip.com are sent directly, they report the victim's own IP address and give no indication that traffic to other sites is being intercepted.

Part of a malicious PAC script, which uses a proxy server hosted in Brazil

The PAC script shown above defines a JavaScript function – FindProxyForURL(url, host) – which is called by the browser. The full implementation of this function lets the attacker specify which URLs or hostnames should be requested directly, and which should be proxied. In the above example, requests to Banco do Brasil's website will be transmitted via the attacker's proxy server.

By using the Web Proxy Autodiscovery Protocol (WPAD), a correctly positioned attacker could plausibly trick victims into using his phishing proxy without their knowledge. WPAD locates the PAC URL via DHCP (option 252) and via DNS lookups for a host named wpad in the client's domain suffix, both of which are under the control of whoever runs the local network. Although this feature is not enabled by default in every browser, many corporate environments enable it in order to reduce the administrative overhead of manually configuring employees' laptops and other mobile devices to use proxies. If these devices are subsequently connected to an untrusted wireless network controlled by an attacker, the WPAD discovery process provides the attacker with a mechanism through which he can introduce arbitrary proxy scripts into browsers.

Alternative methods of attack include somehow enticing users to manually edit their proxy settings (perhaps by falsely claiming that it would result in performance benefits), or manipulating the settings via malware running on the user's computer. Similar malware-driven attacks have been around since 2008 and offer the attacker the additional advantage of being able to ensure that the malicious proxy settings cannot be tampered with.

Previous attacks using this technique originally targeted customers of Brazilian banks, but the fraudsters have since widened their scope and now also proxy traffic destined for webmail services such as Hotmail and Gmail, American banks, and one of the world's most popular phishing targets – PayPal.

To mitigate such attacks, avoid using automatic proxy detection (WPAD) on untrusted networks, and check that your browser's automatic proxy configuration URL does not point at an unexpected address. Where a PAC file is in use, it is also worth reviewing which hosts it sends through which proxy, since a malicious script can leave most traffic untouched and divert only a handful of banking or webmail hostnames.

Netcraft removes phishing attacks in less than half the industry average time

Netcraft’s phishing site countermeasures service helps organisations targeted by phishing attacks remove the fraudsters’ forms as quickly as possible.

Recently we became aware that our median times for takedowns are much better than the industry average calculated by the Anti-Phishing Working Group (APWG) in its most recent Global Phishing Survey. The APWG found that phishing attacks have a median lifetime of 5 hours and 45 minutes. In contrast, banks and other companies using our countermeasures service have experienced a median phishing attack availability of 2 hours and 12 minutes, calculated over our most recent 100 takedowns; that is, the attacks were removed in just 38% of the industry average time.

The graph below shows the availability times of our most recent 100 phishing attacks.

Last 100 Takedown Times

The difference between the first and final outages reflects the fact that phishing attacks will sometimes fluctuate up & down on compromised hosts, where the fraudster may still have access to the system and be able to replace his content after the site owner removes it. In this scenario it is important to continue monitoring sites for some time after they go offline and to restart takedowns if & when the phishing content reappears. For example, 87% of phishing attacks we attended to had their first outage within 24 hours, and 90% had their final outage within 48 hours.
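The distinction between first and final outage falls out of the monitoring data once you treat the availability polls as a sequence of up/down transitions rather than closing the case on the first "down". The following is an added example (not Netcraft's code) of that bookkeeping: it walks a chronologically ordered list of polls, records when the first outage began, resets the final outage whenever the content reappears, counts reappearances, and reports both figures in hours since the attack was reported; a small median helper gives the same statistic the figures above are quoted in. The hourly poll data is constructed for the demonstration.

```javascript
// Added example (not Netcraft's code): turn periodic availability polls of a
// phishing URL into first/final outage times, so that a reappearance after
// the first takedown is caught instead of the incident being closed early.

// polls: [{ t: ISO-8601 timestamp, up: boolean }] in chronological order,
// with the first poll taken when the attack was reported.
function outageTimeline(polls) {
  if (!polls.length) throw new Error('no polls');
  const reported = Date.parse(polls[0].t);
  let firstOutage = null;   // start of the first down period
  let finalOutage = null;   // start of the down period that is still ongoing
  let reappearances = 0;
  let wasUp = true;
  for (const p of polls) {
    const t = Date.parse(p.t);
    if (wasUp && !p.up) {            // up -> down: an outage begins
      if (firstOutage === null) firstOutage = t;
      finalOutage = t;
    } else if (!wasUp && p.up) {     // down -> up: fraudster restored the content
      reappearances += 1;
      finalOutage = null;            // the previous outage was not the final one
    }
    wasUp = p.up;
  }
  const hours = ms => Math.round((ms / 36e5) * 100) / 100;
  return {
    firstOutageHours: firstOutage === null ? null : hours(firstOutage - reported),
    finalOutageHours: finalOutage === null ? null : hours(finalOutage - reported),
    reappearances,
    resolved: !wasUp,                // false while the attack is still live
  };
}

// Median of a numeric list, ignoring nulls (attacks still live have no final outage yet).
function median(values) {
  const v = values.filter(x => x !== null).sort((a, b) => a - b);
  if (!v.length) return null;
  const mid = v.length >> 1;
  return v.length % 2 ? v[mid] : (v[mid - 1] + v[mid]) / 2;
}

// Constructed hourly poll data for one attack whose content came back once.
const SAMPLE_POLLS = [
  { t: '2013-04-01T00:00:00Z', up: true },
  { t: '2013-04-01T01:00:00Z', up: true },
  { t: '2013-04-01T02:00:00Z', up: false },  // first outage: 2h after report
  { t: '2013-04-01T03:00:00Z', up: false },
  { t: '2013-04-01T05:00:00Z', up: true },   // content reappeared
  { t: '2013-04-01T06:00:00Z', up: true },
  { t: '2013-04-01T07:00:00Z', up: false },  // final outage: 7h after report
  { t: '2013-04-01T08:00:00Z', up: false },
  { t: '2013-04-02T08:00:00Z', up: false },
];

console.log(outageTimeline(SAMPLE_POLLS));
```

For the constructed attack the first outage is at 2 hours and the final outage at 7 hours with one reappearance in between; a report that stopped polling after the first "down" would have understated the attack's lifetime by five hours and missed the need to reopen the takedown.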

Takedown times do vary significantly from country to country. For example, all of our last 100 takedowns in the US were completed within three days, and 90% had their first outage within 12 hours. In contrast, takedown times in Russia are rather longer, albeit with 90% going down within three days, and 70% having their first outage within twelve hours.

Russia and the US are by no means the long and short of phishing attacks. Phishing attacks we dealt with in the UK & Ireland have a shorter median lifetime than those hosted in the US, whilst phishing attacks we have taken down in Iran have a median lifetime of just under 30 hours, around five times longer than Russia.

In addition to providing fast takedown of the fraudulent content, the countermeasures service is also linked to our phishing site feed, which is licensed by all of the main web browsers, together with many of the largest anti-virus and content filtering products, firewall and network appliance vendors, mail providers, registrars, hosting companies and ISPs. Consequently, as soon as the phishing attack is verified, access to it will be blocked for hundreds of millions of people shortly afterwards, significantly reducing the effectiveness of the attack even before it has been removed.

More information regarding our countermeasures service can be found here.

World map of phishing attacks

Netcraft's new phishing attack map provides a real-time visualisation of the phishiest countries in the world. Measurements are determined by using IP address delegation information to attribute current phishing sites in our Phishing Site Feed to countries. We then use the number of active sites found by our Web Server Survey to calculate and display the ratio of phishing attacks to web sites in each country.

A few themes become immediately apparent when studying the map. Countries with poor internet access may host very few phishing attacks, or even none at all, and therefore may appear very safe; however, countries with an extremely small number of websites can prove very volatile: For example, the Falkland Islands appears incredibly phishy by virtue of the fact that out of only 38 active sites hosted in that country, one of them is currently blocked for phishing.

Countries which respond slowly to taking down phishing sites are more likely to have a higher proportion of their sites engaged in phishing at any one time. As the map displays only currently blocked phishing attacks, this characteristic is highlighted particularly well in Morocco, which is the second phishiest country with nearly 200 of its 11,000 sites blocked.

Fraudsters commonly host their phishing sites on compromised servers, as this does not require a purchasing transaction, making it more difficult to correctly identify the perpetrators. Shared hosting services tend to be the least secure, so countries with a large number of sites running on shared hosts are likely to attract the attention of fraudsters.

Countries which host a large number of vulnerable and commonly targeted web applications consequently host a large number of phishing attacks, regardless of how responsive they are to takedown requests. This perhaps explains why the US appears phishier than either Russia or China, and why some US hosting companies host more phishing attacks than entire European countries: they provide proportionately more WordPress and hosting control panel administered sites, plus shared IP hosting configurations that allow a customer's content to be reached through any domain that resolves to the same IP address. Our datasets show that these are the most favoured platforms for hosting fraudulent content on compromised servers.

Please contact us (sales@netcraft.com) for pricing or further details about any of our anti-phishing services.