<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Brand Protection Blog – Domains, Anti Counterfeiting, Fraud Prevention and Security Conversations &#124; MarkMonitor &#187; malware</title>
	<atom:link href="http://www.markmonitor.com/mmblog/category/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.markmonitor.com/mmblog</link>
	<description>Expert views to keep your brand ahead of threats online</description>
	<lastBuildDate>Fri, 27 Aug 2010 21:32:18 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Phish Hosted for Free</title>
		<link>http://www.markmonitor.com/mmblog/phish-hosted-for-free/</link>
		<comments>http://www.markmonitor.com/mmblog/phish-hosted-for-free/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 22:54:37 +0000</pubDate>
		<dc:creator>Joshua Lin</dc:creator>
				<category><![CDATA[Brandjacking]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[fast-flux]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[free web hosting]]></category>
		<category><![CDATA[phish]]></category>

		<guid isPermaLink="false">http://www.markmonitor.com/mmblog/?p=418</guid>
		<description><![CDATA[Since March 2010, and especially this month, the MarkMonitor Security Operations Center (SOC) has noticed a significant increase in the use of free web hosting services for phishing and malware attacks.  Cybercriminals are using free hosting services to either host the phishing and malware sites themselves or redirect to fast-flux malicious sites.
Here is how this [...]]]></description>
			<content:encoded><![CDATA[<p>Since March 2010, and especially this month, the MarkMonitor Security Operations Center (SOC) has noticed a significant increase in the use of free web hosting services for phishing and malware attacks.  Cybercriminals are using free hosting services to either host the phishing and malware sites themselves or redirect to fast-flux malicious sites.</p>
<p>Here is how this new attack method works: Emails with links, obfuscated by the use of HTML or a URL shortening service, direct victims to a free-hosted web page.  In some cases, this page would be a phishing or malware site.  In other cases, the landing page would have JavaScript which would seamlessly redirect users to a malicious site hosted on a fast-flux botnet.</p>
<p>The free hosting-fast-flux combination is particularly interesting because it indicates cybercriminals have added another, front-end layer to their fraud infrastructure for greater stealth and resilience:</p>
<ul>
<li>Layer 1: Free-hosted webpages with JavaScript redirectors</li>
<li>Layer 2: Constantly changing compromised PCs that serve as proxy redirectors</li>
<li>Layer 3: Phish or malware domains</li>
</ul>
<p>The SOC believes free hosting services are becoming popular with cybercriminals because these services give cybercriminals unlimited free resources to launch their attacks and to protect their expensive fast-flux infrastructures.</p>
<p>In addition, cybercriminals are able to set up malicious sites on free hosting services much more easily than registering malicious sites with ISPs or registrars.  Typically, cybercriminals would register their malicious sites using stolen credentials.  With free hosting services, cybercriminals may now open accounts and set up their malicious sites by simply using email addresses created on free email services.</p>
<p>MarkMonitor’s SOC believes that this new development of free hosting combined with fast-flux, especially as seen this month, is a tell-tale sign that something on a larger scale may occur this summer.  The emergence of free hosting front-ends to fast-flux botnets may indicate that cybercriminals have been beta-testing their new attack infrastructure in recent months before a general release in August, the historical high point of phishing each year.  Stay tuned …</p>
]]></content:encoded>
			<wfw:commentRss>http://www.markmonitor.com/mmblog/phish-hosted-for-free/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Monthly Fraud Intelligence Report Now Available</title>
		<link>http://www.markmonitor.com/mmblog/new-monthly-fraud-intelligence-report-now-available/</link>
		<comments>http://www.markmonitor.com/mmblog/new-monthly-fraud-intelligence-report-now-available/#comments</comments>
		<pubDate>Mon, 21 Jun 2010 20:09:54 +0000</pubDate>
		<dc:creator>Joshua Lin</dc:creator>
				<category><![CDATA[Brandjacking]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[fast-flux]]></category>
		<category><![CDATA[Fraud]]></category>

		<guid isPermaLink="false">http://www.markmonitor.com/mmblog/?p=377</guid>
		<description><![CDATA[Beginning this month, MarkMonitor will be sharing a new, monthly Fraud Intelligence Report with customers and other interested parties in our blog. The goal of the report is to provide timely analysis of developing trends and new threats in the fraud landscape. The Fraud Intelligence Report will complement the current MarkMonitor analysis as provided in [...]]]></description>
			<content:encoded><![CDATA[<p>Beginning this month, MarkMonitor will be sharing a new, monthly Fraud Intelligence Report with customers and other interested parties in our blog. The goal of the report is to provide timely analysis of developing trends and new threats in the fraud landscape. The Fraud Intelligence Report will complement the current MarkMonitor analysis as provided in the semi-annual Brandjacking Index<sup>®</sup> reports and customer reports.</p>
<p>The headline findings of the April 2010 Fraud Intelligence Report are:</p>
<p><strong>Phishing Attack Volume Continues to Grow</strong></p>
<p>Phishing attack volume increased 33% to 36,557 attacks in April, continuing the growth trend from March; however, phishing attack volume has not returned to the level seen in April 2009.</p>
<p><strong>Fewer Organizations Targeted</strong></p>
<p>The number of targeted organizations decreased 9% to 270 in April, reversing a growth trend that began after December 2009, but the current level has returned to the level seen in April 2009.</p>
<p><strong>Attacks per Organization Grow</strong></p>
<p>Monthly attacks per organization grew 27% to 135 in April, suggesting a return to concentrated attacks on lucrative targets.</p>
<p><strong>Payment Services Sector Continues as Most Popular Phishing Sector</strong></p>
<p>The Payment Services sector was the primary sector favored by phishers, accounting for 41% of phish attacks in April. The Financial sector, historically the most popular phishing sector, accounted for 33% of phish attacks.</p>
<p><strong>Social Network Phish Volume Declines</strong></p>
<p>Phish targeting social networks declined 24% to 1,379 attacks in April, reversing the steep growth observed in March.</p>
<p><strong>The US Continues to be Most Popular Phish Hosting Country</strong></p>
<p>The US continued as the predominant country hosting phishing sites, accounting for 52% of phishing attacks in April. A notable new development was that Bulgaria grew almost 9,600% to jump from the #47 position to #2 and accounted for 6% of total phish.</p>
<p>An important trend underlying the above points is that phishers have shifted their primary attack vector from fast-flux botnets to hacked websites. Phishing attacks hosted on fast-flux botnets hide behind a cloud of rapidly changing proxies but ultimately present a single point of failure – the malicious domain.  Cybercriminals registered domains for multiple fast-flux phishing attacks targeting many brands. But these domains, and the multiple phishing attacks they hosted, could be detected (often preemptively), Fraudcasted, and shut down in high volumes.</p>
<p>In the meantime, hacked website-based phishing attacks became more prevalent. In these attacks, cybercriminals compromise legitimate domains and host their phish attacks on the subdomains. This effectively removes the single point of failure in fast-flux phishing attacks – now there is no malicious domain to detect, Fraudcast, and shut down. From the fourth quarter of 2009 onwards, the MarkMonitor Security Operations Center observed a dramatic decline in phishing attacks hosted on fast-flux botnets and an equally dramatic rise in phishing attacks hosted on hacked websites.</p>
<p>Download the report here: <a href="http://www.markmonitor.com/download/report/Fraud_Report-April2010.pdf" target="_blank">MarkMonitor Fraud Intelligence Report, April 2010</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.markmonitor.com/mmblog/new-monthly-fraud-intelligence-report-now-available/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Old Dog, New Tricks:  Gift Card Scams in Social Networks</title>
		<link>http://www.markmonitor.com/mmblog/old-dog-new-tricks-gift-card-scams-in-social-networks/</link>
		<comments>http://www.markmonitor.com/mmblog/old-dog-new-tricks-gift-card-scams-in-social-networks/#comments</comments>
		<pubDate>Thu, 22 Apr 2010 00:13:40 +0000</pubDate>
		<dc:creator>Mary Roach</dc:creator>
				<category><![CDATA[Brand Abuse]]></category>
		<category><![CDATA[Brandjacking]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Media]]></category>
		<category><![CDATA[Trademarks]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[gift card scams]]></category>

		<guid isPermaLink="false">http://www.markmonitor.com/mmblog/?p=284</guid>
		<description><![CDATA[In the past few months, a flurry of gift card scams leveraging such high-profile brands as Best Buy, Whole Foods and IKEA have emerged on Facebook. These scams often use the brand’s logo, website URL, or general “look and feel” on Facebook “fan” pages to give the impression that these offers are legitimate. Some scams [...]]]></description>
			<content:encoded><![CDATA[<p>In the past few months, <a title="Facebook Scams Alert: Remember the one rule that rules them all" href="http://www.brickandclick.com/2010/04/facebook-scams-alert-remember-the-one-rule-that-rules-them-all.html" target="_blank">a flurry of gift card scams</a> leveraging such high-profile brands as Best Buy, Whole Foods and IKEA have emerged on Facebook. These scams often use the brand’s logo, website URL, or general “look and feel” on Facebook “fan” pages to give the impression that these offers are legitimate. Some scams are even bold enough to include bogus, non-interactive fan comments to add a greater sense of authenticity to the gift card offer. To date, these scams have been successful at tricking tens of thousands of consumers. In just one day, for example, a fan page titled “IKEA Get a FREE $1000 IKEA Gift Card! (ONLY AVAILABLE 1 DAY)” registered 40,000 fans before being shut down.</p>
<p>While gift card scams themselves have been around for years, what is new here is that they are being delivered through new channels. In the early days of the Internet, consumers would typically come across these scams via spam email or web advertisements. With the advent of Web 2.0, these gift card scams are now showing up on popular B2C marketplaces – such as Craigslist and eBay – as well as social media sites, including Facebook and Twitter.</p>
<p>These scammers (typically unscrupulous affiliate marketing firms) understand social engineering tactics well and exploit them to optimize their campaigns. For example, many of the scams create a sense of urgency to respond (a tactic often used in phishing scams) to maximize response rates. In one scam, a $1000 Best Buy gift card is offered to the first 20,000 people who sign up. In the IKEA example mentioned above, the gift card offer expired in 24 hours. Scammers also understand the viral nature of social networks and leverage the trust built among friends and colleagues to quickly spread the scams. For example, in several gift card scams, including a <a title="$500 Target gift card scam" href="http://uber.la/wp-content/uploads/2010/03/Screen-shot-2010-03-07-at-3.48.48-PM.png" target="_blank">$500 Target gift card scam</a>, consumers must suggest the page to all their Facebook friends in order to be eligible for the promotion.</p>
<p>What is the harm in falling for one of these scams? In short, plenty. In order to receive a gift card, consumers are typically asked to divulge their email address, along with other personal information, including mailing address and phone number. Once this information is captured, consumers are sometimes asked to complete a series of surveys. Then, consumers are usually required to sign up for roughly a dozen offers that often cost more than the value of the &#8216;free&#8217; gift card which they may or may not receive in the end. Meanwhile, the affiliate marketing firm has captured a wealth of information that it sells to third parties and telemarketers. As a result, consumers who fall for these scams reportedly receive around 30 junk emails per day, numerous unwanted telemarketing calls and sometimes even costly text messages sent to their cell phones. Plus, they end up subscribing to services they never wanted in the first place.</p>
<p>Sometimes it gets even worse. The goal of a recent $500 Whole Foods gift card scam was identity theft by leveraging malicious software, or malware. In this scam, consumers were required to complete a credit assessment form that left their personal information exposed before the malware crashed their computers.</p>
<p>If brand owners were in no way involved in these scams and had no knowledge of them, what is the harm to them? Again, plenty. If not handled adeptly, any bad customer experience associated with their brand can significantly damage the reputation of their brands for years to come and the trust consumers have in those brands. If consumers are continuously annoyed by unwanted solicitations and junk mail, they will surely remember the event that triggered it all.</p>
<p>So, what can brand owners do? While these types of scams involving social networks are difficult if not impossible to prevent, several brand owners have taken proactive measures to warn and safeguard their customers against these scams. Some best practices that can be gleaned from their actions include:</p>
<ul>
<li>Report the scam to Facebook or another Web 2.0 site to have the scam removed.  Facebook offers a <a title="Facebook Process for Reporting IP Infringement" href="http://www.facebook.com/legal/copyright.php" target="_blank">process</a> and <a title="Facebook Notice of IP Infringement (Non-Copyright)" href="http://www.facebook.com/legal/copyright.php?noncopyright_notice=1" target="_blank">complaint form</a> for reporting trademark violations on its site.</li>
<li>Warn consumers of the scam through various mediums, including:
<ul>
<li>the official company Facebook page (see <a title="Whole Foods Example" href="http://www.facebook.com/notes/whole-foods-market/beware-of-facebook-scams/378173001970" target="_blank">Whole Foods example</a>)</li>
<li>the corporate website (see <a title="Walmart Example" href="http://walmartstores.com/AboutUs/9699.aspx" target="_blank">Walmart example</a>)</li>
<li>an official tweet on Twitter (see <a title="Whole Foods Twitter Example" href="http://twitter.com/WholeFoods/status/11494554122" target="_blank">Whole Foods example</a>)</li>
<li>the official company fan site (see <a title="IKEA Example" href="http://www.ikeafans.com/home/ikea-gift-card-scams-facebook/" target="_blank">IKEA example</a>)</li>
</ul>
</li>
<li>Continuously monitor social media networks and other Web 2.0 platforms for new scams and respond swiftly</li>
</ul>
<p>In addition to brandholder efforts, <a title="facebook Takes Steps to Deal With Gift Card Scams" href="http://www.computerworld.com/s/article/9174918/Facebook_takes_steps_to_deal_with_gift_card_scams" target="_blank">Facebook is also taking proactive measures</a> to identify and shut down these types of scams on its own and has started building an automated system to detect these types of scams before they are reported.  It is clearly in the interest of Facebook and other social media sites to maintain a trusted and safe environment for their users.</p>
<p>Scammers are always coming up with new ploys, and the ongoing evolution of the Internet presents them with new opportunities and angles. The challenge for brand owners is to be always vigilant about where and how their brands are being used online and to respond expediently and appropriately when these abuses do arise.  In doing so, brand owners will preserve not only the integrity of their brands, but also the privacy and trust of their customers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.markmonitor.com/mmblog/old-dog-new-tricks-gift-card-scams-in-social-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Smart Phishing for Smartphones</title>
		<link>http://www.markmonitor.com/mmblog/smart-phishing-for-smartphones/</link>
		<comments>http://www.markmonitor.com/mmblog/smart-phishing-for-smartphones/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 01:31:54 +0000</pubDate>
		<dc:creator>Fred Felman</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[smart phones]]></category>

		<guid isPermaLink="false">http://www.markmonitor.com/mmblog/?p=190</guid>
		<description><![CDATA[A common security prediction for 2010 is the continued rise of malware and phishing attacks on mobile phones. The MarkMonitor SOC recently detected an interesting twist on this theme involving a popular smartphone and the latest smart technologies used by cybercriminals. In this case, instead of compromising a smartphone to steal its information, cybercriminals used [...]]]></description>
			<content:encoded><![CDATA[<p>A common security prediction for 2010 is the continued rise of malware and phishing attacks on mobile phones. The MarkMonitor SOC recently detected an interesting twist on this theme involving a popular smartphone and the latest smart technologies used by cybercriminals. In this case, instead of compromising a smartphone to steal its information, cybercriminals used phishing techniques to clone smartphones.</p>
<p>Here&#8217;s how it works. Emails offering a free one-year warranty extension for a popular smartphone link to a company-branded web page. That web page asks for an email address and then the smartphone&#8217;s serial number, IMEI number, type of phone, and capacity of phone. See below for examples of the phishing web page.</p>
<p style="text-align: center;"><img class="aligncenter" title="Smartphone Phish Web Page example" src="http://www.markmonitor.com/images/blog-articles/smartphone-screens.jpg" alt="" width="349" height="339" /></p>
<p>Cybercriminals use the information requested on the web page to clone the smartphone for various uses, including stealing long-distance service from the subscriber or simply using a deniable, disposable smartphone for other criminal activities. In effect, the cybercriminals used phishing techniques to clone smartphones.</p>
<p>This recent attack also stands out because it utilizes some advanced technologies and suggests possible directions of future cybercriminal activity. First, the attack uses server-side logic that hides the phishing site unless it is accessed through the browser produced by the smartphone company. Second, the attack uses additional protective technology in the form of a fast-flux network, which hides the phishing site behind a dynamic network of ever-changing proxies. These two smart technologies demonstrate how cybercriminals continue to focus their efforts on making their attacks targeted, stealthy, and resilient.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.markmonitor.com/mmblog/smart-phishing-for-smartphones/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avalanche Fast-flux and Blended Attacks</title>
		<link>http://www.markmonitor.com/mmblog/avalanche-fast-flux-and-blended-attacks/</link>
		<comments>http://www.markmonitor.com/mmblog/avalanche-fast-flux-and-blended-attacks/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 18:04:42 +0000</pubDate>
		<dc:creator>Fred Felman</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.markmonitor.com/mmblog/?p=181</guid>
		<description><![CDATA[Phishing attacks have become more sophisticated with the use of fast-flux botnets as resilient attack platforms. The fast-fluxing among hundreds of compromised computers which serve as proxies for phishing sites means that detection and shutdown become more difficult.
One particular fast-flux botnet called Avalanche has received much attention in recent months as a major platform for [...]]]></description>
			<content:encoded><![CDATA[<p>Phishing attacks have become more sophisticated with the use of fast-flux botnets as resilient attack platforms. The fast-fluxing among hundreds of compromised computers which serve as proxies for phishing sites means that detection and shutdown become more difficult.</p>
<p>One particular fast-flux botnet called Avalanche has received much attention in recent months as a major platform for hosting phishing sites. What has not been discussed as much is how the distinction between phishing and malware has ceased to exist.</p>
<p>Avalanche offers a prime example of how blended attacks are launched from a fast-flux botnet platform. Arbor Networks reported earlier this month that the cybercriminal gangs behind the Avalanche botnet and the Zeus/Zbot malware have entered a partnership whereby the Zeus malware gang is using the Avalanche fast-flux botnet to launch its attacks. &#8220;We appear to be seeing one of the groups, Avalanche, promoting Zeus malware,” observed botnet security researcher Jose Nazario. &#8220;They don’t compete, and they both have good market positions, so they can grow each other.&#8221;</p>
<p>Recent blended attacks hosted on Avalanche reported this month targeted a major credit card company and a large Spanish bank operating in Latin America. Cybercriminals have teamed up their best-of-breed fast-flux and malware capabilities. MarkMonitor AntiFraud anticipated these developments with its unique preventive capabilities for preemptively detecting and shutting down fast-flux-based phishing and malware attacks.</p>
<p>More details about recent blended attacks hosted on the Avalanche platform:</p>
<p>December 11: <a href="http://news.zdnet.co.uk/security/0,1000000189,39933618,00.htm">http://news.zdnet.co.uk/security/0,1000000189,39933618,00.htm</a><br />
December 12: <a href="http://garwarner.blogspot.com/2009/12/ongoing-visa-scam-drop-zeus-zbot.html">http://garwarner.blogspot.com/2009/12/ongoing-visa-scam-drop-zeus-zbot.html</a><br />
December 22: <a href="http://garwarner.blogspot.com/2009/12/donde-se-va-avalanche-bbva-y-united.html">http://garwarner.blogspot.com/2009/12/donde-se-va-avalanche-bbva-y-united.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.markmonitor.com/mmblog/avalanche-fast-flux-and-blended-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
