The discovery illustrates a series of attacks from the Rock Phish group, which is a gang reportedly based in Russia that has been targeting financial institutions since 2004.

Among RSA’s key findings:

• Rock Phish attacks account for 50 percent of phishing incidents and have stolen “tens of millions of dollars” from bank accounts.
• This is the first time crimeware has been used in a Rock Phish attack.
• Victims of these phishing attacks get their personal data stolen and are infected by the Zeus Trojan. Double the pain for victims.

RSA’s Uriel Maimon said in a blog post:

The Rock Phish group is a phishing gang believed to be based out of Russia — and, by some accounts, is responsible for roughly 50% of phishing attacks by volume. The Rock gang has also pioneered several new approaches in phishing: in 2004 it was the first (and, for a long time, they were the only) gang to employ bot-nets in its phishing infrastructure in order to make the attacks live longer and be more scalable. It also pioneered new techniques in its spam mails so the mail could more easily evade spam filters.

Within the past few weeks there has been a new advance — the inclusion of identity theft malware (or Crimeware) into the Rock group’s phishing attacks. I have written before about the problems this type of malware poses, but coupled with the robust infrastructure the Rock group has at its disposal, this is more than double the trouble.

In general, the latest Rock Phish attack includes the following:

• Victim is duped into going to a phishing site;
• Victim is infected with the Zeus Trojan even if he or she doesn’t submit information;
• Zeus is masked;
• The Zeus Trojan can take screen shots, control a machine and steal passwords so even if you don’t fork over information initially the malware will get it.

Source: zdnet, RSA