Australia, NZ amongst worst for online brand attacks

Peter Dinham
Wednesday, 28 October 2009 08:48

Business IT - Security

Australia continues to rank as one of the top ten countries worldwide to suffer online brand attacks, and while Colombia and France have dropped off the chart completely, New Zealand and Brazil have entered the list for the first time, according to a new report on worldwide fraud released today.

According to RSA’s online fraud report for October, despite the rise in the total number of brand attacks launched in September, and an increase in the number of brands targeted last month, phishers generally continue to attack brands in the same countries, namely Australia, the US, the UK, Canada, Italy, Spain and South Africa.


Also reported by RSA was the fact that financial institutions in Australia, Asia and Latin America are increasingly deploying two-factor authentication for their online banking users and, as a result, have experienced an increasing number of ‘man-in-the-browser’ (MITB) attacks.

RSA reports that it has witnessed a surge in the number of MITB attacks, “especially in geographies where two-factor authentication is densely deployed --- such as the European consumer banking and US corporate banking markets.”

The security firm says a man-in-the-browser attack is designed to intercept and manipulate data as it passes over a secure communication between a user and an online application, and that a Trojan embeds in a user’s browser application and can be programmed to trigger when a user accesses specific online sites, such as an online banking site.

According to RSA, a number of Trojan families are currently being used by fraudsters to conduct MITB attacks including Zeus, Adrenaline, Sinowal, and Silent Banker, and it says some MITB Trojans are so advanced that they have “streamlined the process for committing fraud, programmed with functionality to fully automate the process from infection to cashout.”

RSA warns that what makes MITB attacks difficult to detect from the bank’s server side is that any activity performed “seems as though it is originating from the legitimate user’s web browser.”

“Characteristics such as the Windows language, user agent string, and the IP address will appear the same as the user’s real data. This creates a challenge in distinguishing between genuine and malicious transactions.”

RSA also says that man-in-the-browser as an attack vector has experienced exponential growth in the rate of infection in the last year, and it has witnessed Trojan infections increase tenfold in the last twelve months – findings which it says that are supported by other industry observations and reports.

“This growth is driven in part by the number of ‘drive by download’ infections where vulnerabilities on legitimate websites are exploited by botnets and infection kits to place an iFrame in the breached site,” RSA says.