Recently, an attack called the ‘Royal Ripper Multi-Stage Phishing Attack’ has been on the agenda. It targets financial institutions and their customers by posing as a government agency or telecom. The attack is named after the hacker responsible for it, who goes by Royal Ripper. The hacker starts by capturing the target’s personal information and bank code. After obtaining the bank code, he uses it to redirect the target to a second phishing site that appears to be the bank’s site. In this way, he obtains the personal information the target uses on the online banking site.
How Did the Royal Ripper Multi-Stage Phishing Attack Happen?
- The attack began when the hacker named Royal Ripper tried to deceive his target by pretending to be a government agency, telecommunications company, or online payment service. For example, the hacker sent a tax return notice to his target in the first step of the attack.
- In the message, he told his targets that they had to pay money and that they could complete the transaction by clicking the link in the message.
- The link opened a phishing page, and he asked his targets to enter their full name and postal code to log in.
- He asked his targets to enter their credit card information and bank sort code (or routing number) on the second page. With this information, the hacker identified the target’s bank and directed the target to another phishing page that looked exactly like the bank’s site.
- Finally, on this site, he asked his targets to enter their account number and password.
How did the Hacker Store the Information from the Royal Ripper Multi-Stage Phishing Attack?
There was a separate directory listing for each phishing link. There were separate sort codes for each bank, which the hacker stored in .txt files located in the /codes/ directory. He stored the credentials he stole from the targets in the /assets/logs/ directory. The Banks.txt file was used to store the bank information obtained from a phishing attack, while the fullz.txt file held the personal information obtained from previous stages. The hacker also logged the IP addresses of everyone who accessed the site and any blocked visit attempts.
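For a hosting or incident-response team checking a web root for this layout, the following added example (not code from the original post or from the kit) flags any folder that has both a codes/ directory with .txt files and an assets/logs/ directory holding banks.txt or fullz.txt. Case-insensitive matching, the two directories sitting side by side under one folder, and the sample tree are assumptions.

```python
import os
import tempfile

# Artefact names come from the article; matching them case-insensitively and
# expecting codes/ and assets/logs/ under the same folder are assumptions.
LOG_FILES = {"banks.txt", "fullz.txt"}

def _child_dir(parent, name):
    """Case-insensitive lookup of a sub-directory; None if absent."""
    for entry in os.listdir(parent):
        full = os.path.join(parent, entry)
        if entry.lower() == name and os.path.isdir(full):
            return full
    return None

def find_kit_roots(web_root):
    """Return (folder, evidence) pairs for folders matching the described layout."""
    findings = []
    for dirpath, dirnames, _ in os.walk(web_root):
        lowered = {d.lower(): d for d in dirnames}
        if "codes" not in lowered or "assets" not in lowered:
            continue
        codes_dir = os.path.join(dirpath, lowered["codes"])
        logs_dir = _child_dir(os.path.join(dirpath, lowered["assets"]), "logs")
        if logs_dir is None:
            continue
        code_lists = sorted(f for f in os.listdir(codes_dir) if f.lower().endswith(".txt"))
        logs = sorted(f for f in os.listdir(logs_dir) if f.lower() in LOG_FILES)
        if code_lists and logs:  # both halves of the layout must be present
            findings.append((dirpath, {"codes": code_lists, "logs": logs}))
    return findings

def build_sample_tree(base):
    """Constructed sample: one kit-like folder and one benign site."""
    kit = os.path.join(base, "site-a", "refund")
    os.makedirs(os.path.join(kit, "codes"))
    os.makedirs(os.path.join(kit, "assets", "logs"))
    open(os.path.join(kit, "codes", "examplebank.txt"), "w").close()
    open(os.path.join(kit, "assets", "logs", "fullz.txt"), "w").close()
    benign = os.path.join(base, "site-b", "assets", "logs")
    os.makedirs(benign)
    open(os.path.join(benign, "access.txt"), "w").close()
    return kit

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for root, evidence in find_kit_roots(tmp):
            print(root, evidence)
```

A match is a lead for manual review, not proof: confirm by inspecting the flagged folder before taking a site down.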
While the bank itself is often imitated in banking-related attacks, the hacker used a multi-stage system in this attack. With a multi-stage system, Royal Ripper was able to capture credentials in a single attack without drawing too much attention. This less suspicious Royal Ripper multi-stage phishing attack seems to have plagued many companies.
How to Avoid Attacks Similar to the Royal Ripper Multi-Stage Phishing Attack?
1. Minimize the risks using incident response tools.
In this dangerous environment, you should be able to detect the users affected by malicious email attacks. This way, you can take preventive steps. Our Incident Response tool enables users to report malicious emails immediately. The tool sends us the email, and then we review the template, text, and dangerous links. Emails you send to us using our Incident Response tool are analyzed carefully. Next, with advanced anti-phishing tools, we test the template for unusual identification with a known site, and we check for fraudulent behavior. Then, we test the body with AI technology to see if the URL is credible. We check if there is any malicious content in the email and examine its structure. We use virus protection tools, anti-malware sandbox technology, and anti-exploit technology to provide you with full protection.
2. Raise awareness by using cyber threat intelligence tools.
Our Cyber Threat Intelligence Tool searches the internet, looking for signs and information that can indicate a violation of your personal security and a danger to your company. The level of control given to you by our Cyber Threat Intelligence tool shortens the time from probable cyber attack to protective steps, minimizing the risk of malicious behavior. The tool constantly examines popular ransomware attacks and dangerous sites to find any personal documents, bank account numbers, private information, addresses, passcodes, IP addresses, and data directly linked to your property rights. We track and inform you the second we detect information about recent attacks, reports, spam links, ransomware, or phishing attempts. This way, we keep you informed about crime patterns and techniques.
Protect yourself using our anti-phishing solutions against these common attacks.
“This post is originally published at www.phishing.org.uk”