RSA has investigated this new type of crime kit based on "black hat whitelists"
EMC’s RSA has uncovered a new type of phishing kit which allows cybercriminals to ensure that only certain users can access their phishing websites. Because only users that are on “the list” can access the site, the crime kit has been dubbed “bouncer.”The bouncer phishing kit relies on a preset list of emails. A unique URL, representing a user ID value, is sent out to each of the recipients.
When someone that’s not on the list attempts to access the phishing page, they’re redirected to a “404 page not found” webpage.
Some older phishing kits employ similar techniques, but they restrict access based on IP addresses, while the bouncer is actually a black hat whitelist.
“When victims access the phishing link, their name has to be on the list and their ‘ID’ value is verified on-the-fly as soon as they attempt to browse to the URL. After a scan of the ‘bouncer list’, unintended visitors are stirred away from the phishing page; in fact, the page is not even generated for eyes it was not meant for,” RSA’s Limor Kessem explains.
Users who are allowed to access the site are presented with an attack page that’s generated by the kit. Their credentials are sent to a different hijacked website.
“Another thing that makes this different is that traditional phishers like to cast as wide of a net as possible, but with this tactic the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes. Keeping out uninvited guests also means avoiding security companies and prompt take-downs of such attacks,” Kessem added.
The campaigns analyzed by RSA targeted, in average, 3,000 recipients. The targets appeared to be webmail users, corporate email recipients and even bank employees.
Experts warn that these types of kits can be successfully used in spear phishing campaigns.