11:51 AM
New Phishing Threat Discovered
Cory Levine, Wall Street & Technology
The cat-and-mouse continues, as researchers yesterday uncovered a new phishing technique being shared in the fraud community, which will enable criminals to bypass multi-factor authentication technologies. Analysts in the 24x7 Anti-Fraud Command Center operated by RSA discovered what they are calling the Universal Man-in-the-Middle Phishing Kit being sold in online forums. After analyzing a demo version of the kit, RSA concluded that this new user-friendly flavor of phishing could become big in the next 12 to 18 months.Using the kit, fraudsters can easily create a fraudulent URL that communicates with the legitimate Web presence of the targeted organization, be it a financial institution or otherwise. In doing so, when victims clicks on the URL provided in the phishing e-mail, they then interact with the legitimate Web site via the fraudulent URL.
The difference between this type of attack and previous phishing techniques is that in prior attacks, typically victims were only asked to provide login or card-related credentials, which were then recorded by fraudsters. With the new phishing kit, because users are interacting with a legitimate Web site, victims have the ability to log on and perform any type of transaction they wish. All the while, criminals are intercepting this activity as well as any further credentials provided by the victim, culling sensitive information in real time, allowing criminals to wait for users to authenticate themselves using multi-factor techniques.
The phishing threat, in order to stay effective in the wake of industrywide multi-factor authentication implementation, needed to morph into a tactic with closer alignment to the legitimate target. The exposure of the phishing threat in media and through customer education efforts by companies through 2006 was damaging to the efforts of fraudsters. Further blurring the line between the threat and the actual business was the only way phishing could remain relevant as consumers caught on to the hoax. Security professionals need to begin disseminating this information to customers immediately and reinforce their policies and procedures for online solicitation before this new mutation of the phishing threat has material consequences.