by Dave Gradijan

Phishing Toolkit Uses Man-in-the-Middle Attack

Jan 16, 2007

RSA Security has discovered a phishing toolkit for sale online designed to post legitimate and actual content on a fraudulent URL in real-time.

The “Universal Man-in-the-Middle Phishing Kit” works by sending the intended victim a conventional phishing e-mail. After clicking the enclosed link, the victim is shown live content relayed from the genuine website, served from the fraudulent URL.

According to RSA Security’s Anti-Fraud Command Center, the toolkit can easily be configured for multiple targets, importing pages from any target organization and intercepting credentials even after a victim has logged into an online account.
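As an added, defender-side illustration (not part of the article or RSA's analysis): because the kit relays each victim's session through its own server, the legitimate site sees login submissions arriving from one proxy address on behalf of many different browsers, and a careless kit may leak the fraudulent domain in the Referer header. The Python below scans constructed Apache-style log lines for both signals; the log lines, domain names and thresholds are hypothetical, and the Referer check is a weak signal because a proxy can strip or rewrite that header.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): 203.0.113.7 relays logins for several
# victims, and its Referer still points at a look-alike domain. Hypothetical values.
SAMPLE_LOG = """\
198.51.100.3 - - [10/Jan/2007:14:22:01 +0000] "POST /login HTTP/1.1" 302 0 "https://bank.example/login" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [10/Jan/2007:14:22:05 +0000] "POST /login HTTP/1.1" 302 0 "https://bank-example-secure.test/login" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.7 - - [10/Jan/2007:14:22:09 +0000] "POST /login HTTP/1.1" 302 0 "https://bank-example-secure.test/login" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
203.0.113.7 - - [10/Jan/2007:14:22:14 +0000] "POST /login HTTP/1.1" 302 0 "-" "Opera/9.10 (Windows NT 5.1; U)"
"""

def parse_log(text):
    """Yield a dict per line that matches the combined log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_relayed_logins(text, legit_hosts, min_agents=2):
    """Inspect login POSTs and return two finding lists:
    - referer_mismatch: (ip, referer_host) where the Referer host is not one of ours
    - multi_agent_ips: (ip, n_agents) where a single IP submits logins with several
      distinct User-Agents, as a relaying proxy serving many victims would.
    A kit can drop or rewrite Referer, so the first list is only a weak indicator."""
    referer_mismatch = []
    agents_by_ip = defaultdict(set)
    for rec in parse_log(text):
        if rec["method"] != "POST" or rec["path"] != "/login":
            continue
        agents_by_ip[rec["ip"]].add(rec["ua"])
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host and ref_host not in legit_hosts:
            referer_mismatch.append((rec["ip"], ref_host))
    multi_agent_ips = [(ip, len(uas)) for ip, uas in sorted(agents_by_ip.items())
                       if len(uas) >= min_agents]
    return referer_mismatch, multi_agent_ips

if __name__ == "__main__":
    mismatches, relays = find_relayed_logins(SAMPLE_LOG, {"bank.example"})
    print("Referer mismatches on login:", mismatches)
    print("IPs submitting logins for several browsers:", relays)
```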

The toolkit was being offered for free trial on an online “fraudster forum” on Jan. 10.

Marc Gaffan, RSA consumer solutions marketing director, said this style of phishing attack is a new wave in scamming and will become more prevalent over the next year.

“While these types of attacks are still considered next generation, we expect them to become more widespread over the course of the next 12 to 18 months,” Gaffan said.

Joel Camissar, Websense Australian country manager, said the difficulty with this type of phishing attack is that it is designed to be posted behind a legitimate and actual URL.

Camissar said a vigilant user would still be able to tell the website he is visiting is not legitimate, but this type of phishing technique is not new.

“We first saw ‘Rock Phishing’ kits sold for around $20 or $30 online,” Camissar said.

“The difficulty with this type of attack is that it is designed to put a fraudulent site behind a legitimate URL, and the customer or user, if not vigilant, could [not] see it is not the original or intended site because hackers these days can just change or add one character to the URL, which even a diligent user may not recognize.

“A trend we are seeing is a slight decline in the more ‘traditional’ methods of hacking to spoofing telephone numbers and routing calls to pre-recorded information asking people to divulge account numbers and passwords. … We saw this becoming common in the middle of last year with a lot of small U.S.-based credit unions targeted.”

Paul Ducklin, Sophos Asia Pacific head of technology, said he first heard about real-world, URL-based man-in-the-middle attacks during the Virus Bulletin 2006 conference held in Montreal.

Ducklin said it is unknown whether the toolkit discovered by RSA, which fetches and relays current Web content to mimic the target site, also does anything more sophisticated, such as subverting token-based log-ons by capturing and reusing one-time token data in real time.

-Michael Crawford, Computerworld Australia