Application security, Incident Response, Malware, Phishing, TDR

“Rock Phish” gang adds malware download to attacks

The so-called Rock Phish group of Russian criminals has launched what one security researcher calls a "double the trouble" attack that not only tricks victims into clicking on a link in a phishing email to give up personal information but also drops a trojan on the victim's PC at the same time.

The new attacks, uncovered by the Anti-Fraud Command Center (AFCC) of RSA, combine phishing and the Zeus trojan to steal personal information and spread what RSA calls financial crimeware.

Once it infects the victim's PC, the trojan can steal personal data such as usernames, passwords and Social Security numbers transmitted while interacting with other websites, according to RSA.

The Rock Phish gang is the "most competent phishing gang out there -- it's very effective -- and has taken phishing to the next level," Marc Gaffan, director of product marketing for RSA's identity and access assurance group, told "They're using their very elusive techniques to not only trick people into clicking on links, but also infecting them with a sophisticated trojan that collects information on an ongoing basis and sends it to the gang."

Gaffan said that the Rock Phish gang is responsible for 50 percent of all current phishing scams.

He said 30,000 to 40,000 phishing-related websites go up every month, so even if the click-through rate [on phishing emails] is low, with one or two people clicking, tens of thousands of people could become victims.

The Rock Phish gang is unlike a significant portion of the cybercriminals operating today because it is a closed gang operating in Russia, Gaffan said. Most groups of cybercriminals, on the other hand, participate in a broad economic system in which credit cards are bought and sold openly, he said.

The Rock Phish gang also writes its own code, launches its own attacks, and is efficient from a logistical perspective, Gaffan added.

"Its biggest fame is its ability to scale and execute thousands of phishing attacks with as little infrastructure as possible, thus making it as hard as possible to shut [them] down," Gaffan said.

Gaffan said that RSA's Anti-Trojan Service works to stop phishing attacks by shutting down both the command centers, which control phishing attacks, and the so-called drop zones, which are email accounts or websites where victims' stolen personal information is stored. These measures make the trojan worthless by eliminating its ability to update itself or transmit the stolen personal information to the perpetrators, he added.

Gaffan suggested that traditional safe computing practices are the best way to avoid becoming a victim.

"That means always having a personal firewall and updated anti-virus software and make sure you don't click on links in emails from people you don't trust,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.