Wall Street & Technology: Blog: New Phishing Threat Discovered

New Phishing Threat Discovered

Cory Levine, Wall Street & Technology

The cat-and-mouse continues, as researchers yesterday uncovered a new phishing technique being shared in the fraud community, which will enable criminals to bypass multi-factor authentication technologies. Analysts in the 24x7 Anti-Fraud Command Center operated by RSA discovered what they are calling the Universal Man-in-the-Middle Phishing Kit being sold in online forums. After analyzing a demo version of the kit, RSA concluded that this new user-friendly flavor of phishing could become big in the next 12 to 18 months.

Using the kit, fraudsters can easily create a fraudulent URL that communicates with the legitimate Web presence of the targeted organization, be it a financial institution or otherwise. In doing so, when victims clicks on the URL provided in the phishing e-mail, they then interact with the legitimate Web site via the fraudulent URL.

The difference between this type of attack and previous phishing techniques is that in prior attacks, typically victims were only asked to provide login or card-related credentials, which were then recorded by fraudsters. With the new phishing kit, because users are interacting with a legitimate Web site, victims have the ability to log on and perform any type of transaction they wish. All the while, criminals are intercepting this activity as well as any further credentials provided by the victim, culling sensitive information in real time, allowing criminals to wait for users to authenticate themselves using multi-factor techniques.

The phishing threat, in order to stay effective in the wake of industrywide multi-factor authentication implementation, needed to morph into a tactic with closer alignment to the legitimate target. The exposure of the phishing threat in media and through customer education efforts by companies through 2006 was damaging to the efforts of fraudsters. Further blurring the line between the threat and the actual business was the only way phishing could remain relevant as consumers caught on to the hoax. Security professionals need to begin disseminating this information to customers immediately and reinforce their policies and procedures for online solicitation before this new mutation of the phishing threat has material consequences.

Posted by Cory Levine at 11:51 AM

This is a public forum. CMP Media and its affiliates are not responsible for and do not control what is posted herein. CMP Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of CMP Media LLC and may be edited and republished in print or electronic format as outlined in CMP Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.