One of the favorite tactics of businesses is to use ‘whitelisting’ to keep malicious visitors at bay, but now it looks as if cybercriminals have turned the tables on them, employing the same tactics so they can target specific victims, according to a new report by the RSA security firm.
The report describes how hackers have come up with a new concept of bundling so-called ‘phishing kits’ with whitelisting technology, so that only the intended victims can access malicious websites.
Hackers have employed this kind of tactic on a limited scale before, blacklisting IP addresses they know belong to computer security firms, but now they’ve taken the concept one step further – giving access only to those they target.
Researchers at RSA have dubbed the new tactic “bouncer list phishing”, and said that they first noticed the scam being used on customers of banks in Australia, Malaysia and South Africa at the end of last year. Each of the phishing campaigns they identified was restricted to an average of 3,000 people – a mix of corporate addresses, web users and the odd bank employee. RSA says that the attackers may have stolen these ‘target lists’ in earlier security breaches.
Bouncer list phishing involves generating a unique ID for each targeted victim, which the hackers then embed in the URL they hope to trick that victim into clicking on. Should the victim click on the link, they will be redirected to a ‘fake’ website that disguises itself as the bank’s own site, where they will be asked to enter their login details or other personal information. Should anyone not on the list attempt to access the site, they will receive a “404 page not found” error message instead.
RSA says that the tactic could have several possible advantages for hackers. For one thing, it might confuse security investigators into thinking that the phishing scam is no longer online, when in fact it is still active. In addition, it could be useful if the phishers only intend to target a certain demographic, such as people from a particular country – if the hackers have no desire to scam people outside of the US, for example, it makes no sense to expose other people to the malicious site, which only increases the chances of it being discovered.
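The two paragraphs above describe the mechanism from the attacker's side: a per-victim token in the URL, and a 404 for anyone whose token is not on the list. From the defender's side, the practical consequence is that reported phishing URLs from a single campaign look almost identical except for one token-like parameter, and that an analyst fetching the link without a valid token will see a 404 that does not prove the site is down. The following triage helper is an added example written for this article; it is not code from the RSA report or from any phishing kit. The hostnames and token values are constructed, and the parameter name `id` and the 12-character minimum token length are assumptions chosen for the sample, not values from the page.

```python
"""
Triage helper for suspected "bouncer list" phishing URLs.

Given several phishing URLs reported by different recipients, group them by
host and path and check whether the reports differ only in a single
token-like query parameter. A match suggests per-recipient gating: block on
the host/path pattern rather than on individual URLs, and treat a 404 seen by
an analyst (who has no valid token) as inconclusive evidence of a takedown.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: three reports of one campaign plus one unrelated URL.
REPORTED_URLS = [
    "http://example-bank-login.test/secure/index.php?id=3fa9c2d1e4b7a6f0",
    "http://example-bank-login.test/secure/index.php?id=7b21e0aa94c3d5f8",
    "http://example-bank-login.test/secure/index.php?id=c04d9e81f2a6b3e5",
    "http://other-site.test/promo?ref=spring",
]

# Assumed heuristic: a per-recipient token is an opaque string of 12+ chars.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{12,}$")


def group_by_endpoint(urls):
    """Map (host, path) -> list of query-parameter dicts, one per report."""
    groups = defaultdict(list)
    for url in urls:
        parts = urlsplit(url)
        groups[(parts.netloc.lower(), parts.path)].append(dict(parse_qsl(parts.query)))
    return groups


def find_bouncer_candidates(urls, min_reports=2):
    """Return endpoints whose reports differ only in one token-like parameter."""
    findings = []
    for (host, path), queries in group_by_endpoint(urls).items():
        if len(queries) < min_reports:
            continue
        keys = set().union(*queries)
        # A parameter "varies" if every report carries a distinct value for it.
        varying = [k for k in keys if len({q.get(k) for q in queries}) == len(queries)]
        constant = [k for k in keys if len({q.get(k) for q in queries}) == 1]
        # Exactly one varying parameter and nothing else half-varying.
        if len(varying) == 1 and len(varying) + len(constant) == len(keys):
            param = varying[0]
            values = [q.get(param, "") for q in queries]
            if all(TOKEN_RE.match(v) for v in values):
                findings.append({
                    "host": host,
                    "path": path,
                    "param": param,
                    "reports": len(queries),
                    # Block on the endpoint, not on any one tokened URL.
                    "block_pattern": f"{host}{path}",
                    # A 404 without a valid token is not proof of takedown.
                    "probe_caveat": "404 without a listed token is inconclusive",
                })
    return findings


if __name__ == "__main__":
    for finding in find_bouncer_candidates(REPORTED_URLS):
        print(finding)
```

Run over a mailbox's worth of user-reported links, the grouping step is what surfaces the campaign: a single report with a long random `id` is unremarkable, but three reports to the same path that differ only in that parameter fit the gating behaviour described above. The `block_pattern` field is the value to hand to a proxy or mail filter, since blocking the individual tokened URLs protects only the recipients who already reported them.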
“It holds this [bouncer] moniker because much like many high-profile night-time hotspots – if your name is not on the list, you’re staying out,” explains RSA cybercrime specialist Limor Kessem.
“Traditional phishers like to cast as wide of a net as possible. But with this tactic the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes.”
Kessem adds that this particular approach is likely to be the work of a professional gang that supplies credentials of possible targets according to specific geographic regions.
RSA’s report also warns that phishers are increasingly exploiting WordPress plugins as a means of accessing and compromising targeted websites. By attacking the plugins, hackers can hijack sites and upload what’s known as a ‘web shell’, which they then use to host the pages that fool targets in their phishing campaigns.
The full report from RSA can be read here.