Phishing toolkit reels in content, punters
RSA Security has discovered a phishing toolkit for sale online designed to post legitimate and actual content on a fraudulent URL in real time.
The "Universal Man-in-the-Middle Phishing Kit" works by sending the intended victim a regular dodgy phishing e-mail. After clicking on the enclosed link, the victim is presented with actual content from the targeted Web site, fetched and relayed live.
According to RSA Security's Anti-Fraud Command Center, the toolkit can be easily configured for multiple targets, importing pages from any target organization and intercepting any credentials, even after a victim has logged into an online account.
The toolkit was being offered for free trial on an online "fraudster forum" on January 10.
Marc Gaffan, RSA consumer solutions marketing director, said this style of phishing attack is a new wave in scamming and will become more prevalent over the next year.
"While these types of attacks are still considered next generation, we expect them to become more widespread over the course of the next 12-18 months," Gaffan said.
Joel Camissar, Websense Australian country manager, said the difficulty with this type of phishing attack is that it is designed to be posted behind a legitimate and actual URL.
Camissar said if a user was vigilant they would still be able to tell the Web site they are visiting is not legitimate; however, this type of phishing technique is not new.
"We first saw 'Rock Phishing' kits sold for around $20 or $30 online," Camissar said.
"The difficulty with this type of attack is that it is designed to put a fraudulent site behind a legitimate URL, and the customer or user, if not vigilant, could see it is not the original or intended site, because hackers these days can just change or add one character to the URL, which even a diligent user may not recognize.
"A trend we are seeing is a slight decline in the more 'traditional' methods of hacking to spoofing telephone numbers and routing calls to pre-recorded information asking people to divulge account numbers and passwords ... We saw this becoming common in the middle of last year with a lot of small US-based credit unions targeted."
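Camissar's point about a single changed or added character is something a mail gateway or proxy log review can check for mechanically. The following Python is an illustration added here, not code from the article, RSA, Websense or any other vendor: it flags URLs in a constructed click log whose registrable domain is one edit away from one of an organisation's own domains, or which carry the organisation's name as a subdomain label under an unrelated domain. The domain names and log lines are constructed; the "last two labels" rule for the registrable domain is a deliberate simplification (a real deployment would consult the Public Suffix List so that names like `example.co.uk` are handled correctly).

```python
"""Flag URLs whose hostname looks like, but is not, a known legitimate domain.
Added example; domains and log lines below are constructed."""
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation actually owns (assumption).
LEGITIMATE_DOMAINS = ("examplebank.com", "example-credit.org")

# Constructed click-log excerpt, e.g. from a mail gateway's URL-rewriting service.
SAMPLE_LOG = """\
2007-01-11T09:14:02 click user=alice url=https://examplebank.com/login
2007-01-11T09:15:40 click user=bob url=http://examp1ebank.com/login
2007-01-11T09:16:05 click user=carol url=https://examplebank.com.secure-verify.net/signin
2007-01-11T09:17:31 click user=dave url=https://news.example.net/story
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Simplification: a real deployment would
    use the Public Suffix List so that 'example.co.uk' is treated correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike', 'brand-in-subdomain' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    labels = host.split(".")
    for good in LEGITIMATE_DOMAINS:
        # One character added, removed or changed in the registrable domain.
        if levenshtein(reg, good) == 1:
            return "lookalike"
        # The organisation's name used as a label under an unrelated domain,
        # e.g. examplebank.com.secure-verify.net.
        brand = good.split(".")[0]
        if brand in labels[:-2]:
            return "brand-in-subdomain"
    return "unrelated"


def scan_log(text: str) -> list:
    """Pull url= fields out of the log and return every non-legitimate URL
    paired with its verdict, in log order."""
    findings = []
    for line in text.splitlines():
        for field in line.split():
            if field.startswith("url="):
                url = field[len("url="):]
                verdict = classify_url(url)
                if verdict != "legitimate":
                    findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:20s} {url}")
```

The "unrelated" verdict is deliberately kept rather than dropped: a URL that is neither the organisation's own nor a lookalike still deserves a look when it appears in a login-themed e-mail, but it is a different, lower-confidence signal than a one-edit lookalike.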
Paul Ducklin, Sophos Asia Pacific head of technology, said he first heard about real-world URL-based man-in-the-middle attacks during the Virus Bulletin 2006 conference held in Montreal.
Ducklin said it is unknown whether the phishing toolkit discovered by RSA simply fetches and relays current Web content to mimic the site, or does more sophisticated things such as subverting token-based logons by acquiring and reusing one-time token data in real time.
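The two capabilities the article raises, relaying the real site's pages so credentials can be captured even after login, and forwarding one-time token data within its validity window, are both defeated by the same property: the login assertion must be bound to the origin the browser is actually on. The following Python is a simplified model added here to show that contrast; it is not RSA's, Sophos's or any authenticator's code. An HMAC over a shared per-user secret stands in for the public-key signature a real authenticator would produce, and the origins, secret and clock values are constructed.

```python
"""Why a real-time relay kit can reuse a one-time code but not an origin-bound
challenge signature. Simplified model, added example; HMAC with a shared secret
stands in for a real authenticator's public-key signature (assumption)."""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://examplebank.com"      # constructed legitimate site
PHISH_ORIGIN = "https://examp1ebank.com"      # constructed lookalike host run by a relay kit
USER_SECRET = b"constructed-per-user-secret"  # stands in for the user's credential


def sign(challenge: bytes, origin: str) -> bytes:
    """The authenticator signs the server challenge together with the origin
    the browser is actually on; a relay cannot change the origin afterwards
    without invalidating the signature."""
    return hmac.new(USER_SECRET, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class Server:
    """The legitimate site: issues one-time codes and origin-bound challenges."""
    OTP_LIFETIME = 30.0  # seconds a one-time code stays valid

    def __init__(self, origin: str):
        self.origin = origin
        self.otps = {}          # code -> expiry timestamp
        self.challenges = set()

    def issue_otp(self, now: float) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.otps[code] = now + self.OTP_LIFETIME
        return code

    def verify_otp(self, code: str, now: float) -> bool:
        expiry = self.otps.pop(code, None)  # single use
        return expiry is not None and now <= expiry

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.challenges.add(challenge)
        return challenge

    def verify_assertion(self, challenge: bytes, claimed_origin: str, signature: bytes) -> bool:
        if challenge not in self.challenges:
            return False
        self.challenges.discard(challenge)          # single use
        if claimed_origin != self.origin:           # origin binding
            return False
        return hmac.compare_digest(signature, sign(challenge, claimed_origin))


def otp_login_via_relay(delay: float) -> bool:
    """The victim types the one-time code into the relayed page and the kit
    forwards it `delay` seconds later. This succeeds whenever the forward
    beats the code's expiry, which is what makes real-time relay effective."""
    server = Server(LEGIT_ORIGIN)
    t0 = 1_000_000.0              # constructed clock value
    code = server.issue_otp(t0)   # what the user reads from their token
    return server.verify_otp(code, t0 + delay)


def origin_bound_login_via_relay(browser_origin: str, claimed_origin: str) -> bool:
    """The kit relays the challenge to the victim's browser, which signs it
    with the origin it is really on, then forwards the signature claiming
    whatever origin the kit likes. Only a browser on the real origin can
    produce a signature the server accepts."""
    server = Server(LEGIT_ORIGIN)
    challenge = server.new_challenge()
    signature = sign(challenge, browser_origin)
    return server.verify_assertion(challenge, claimed_origin, signature)


if __name__ == "__main__":
    print("OTP relayed in 2s accepted:", otp_login_via_relay(2.0))
    print("OTP relayed in 60s accepted:", otp_login_via_relay(60.0))
    print("Origin-bound, real site:", origin_bound_login_via_relay(LEGIT_ORIGIN, LEGIT_ORIGIN))
    print("Origin-bound, via lookalike:", origin_bound_login_via_relay(PHISH_ORIGIN, PHISH_ORIGIN))
    print("Origin-bound, lookalike lying about origin:",
          origin_bound_login_via_relay(PHISH_ORIGIN, LEGIT_ORIGIN))
```

The third origin-bound case is the one that matters for a relay kit: the proxy can forward the assertion while claiming the legitimate origin, but the signature was computed over the lookalike origin the browser really saw, so the server's check fails. Shortening the one-time code lifetime, by contrast, only narrows the window in which the first function returns True.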