News
1/12/2007
03:34 PM
New Phishing Toolkit Poses Danger To Consumers

The new kit sells for about $1,000 on various hacker sites and makes it easy to create attacks against multiple targets such as banks.

RSA, the security arm of EMC, said that it's spotted a new and much more dangerous phishing toolkit that makes online fraud a point-and-click snap, and bodes ill for consumers during 2007.

The new kit, which RSA has dubbed "Universal Man-in-the-Middle Phishing Kit," sells for about $1,000 on various hacker sites, says RSA executive Marc Gaffan. That price is high relative to other fraudster kits -- software tools that automate part or all of a phishing attack setup and execution -- but the payoff to criminals is huge.

"What's unique about this kit is that it changes the rules of the game," says Gaffan. "It offers a much better return on investment. It can be used to create attacks against multiple targets, such as several banks, simultaneously, without any code changes or technical expertise. A hacker could employ it against dozens of targets."

In comparison, most other phishing kits sell for up to $200 each and let users construct attacks against just one specific financial organization.

But the price -- or even its ease of use -- isn't the only threat that the new man-in-the-middle kit poses to banks and their customers, claims Gaffan. Its technology, he says, also ups the ante in the fraud game.

"It completely mirrors the legitimate Web site, acting like a proxy," says Gaffan. "All the links on the page are active, and it's able to eavesdrop on all communication between consumers and the institution. That gives [phishers] access to significantly more information than kits that simply log keystrokes or watch for account numbers and passwords."

All the kit-using criminal has to do is register a phony domain name, then plug that and the URL of the real Web site into the software's administrative control panel. The kit then communicates in real time with the target IP address and uses a proxy to redirect content from the legitimate site to the bogus URL; thus the user interacts with actual content from, say, his own bank, adding to the deception. The fake URL squats between the consumer and the target -- that's where the "man-in-the-middle" phrase comes from -- and captures all data from user to bank or bank to user.
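The mechanism just described has a consequence a bank's own server can watch for: because the kit fetches the real site on each victim's behalf, every victim's session reaches the bank from the kit's address, and a victim's browser tends to carry the phony domain in its Referer header when following links on the proxied copy. The script below is an added example from a defender's standpoint, not code from the article or from RSA. It assumes a combined-format access log with the login username appended as a last field, assumes the bank's legitimate host names, and runs over a handful of log lines constructed for the example.

```python
"""Flag a likely reverse-proxy phishing relay in web-server access logs.

Added example, not from the article or RSA. Two signals are checked:
  1. one client IP logging in as several distinct customers in a short window
     (the proxy relays every victim's session from its own address);
  2. Referer headers naming a host that is not the bank's own
     (the victim's browser reports the phony domain it is really on).
The log lines, host names and usernames below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumption: combined log format with the application's login username
# appended as the last field ("-" when the request is not a login).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<user>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed legitimate host names of the bank being impersonated.
LEGIT_HOSTS = {"www.examplebank.test", "examplebank.test"}

# Constructed sample log: two ordinary customers plus one address that
# logs in as three different customers while reporting a look-alike host.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2007:14:01:02 +0000] "POST /login HTTP/1.1" 302 0 "http://www.examplebank.test/login" "Mozilla/4.0" alice
203.0.113.9 - - [12/Jan/2007:14:01:10 +0000] "POST /login HTTP/1.1" 302 0 "http://examp1ebank-secure.test/login" "Mozilla/4.0" bob
203.0.113.9 - - [12/Jan/2007:14:02:31 +0000] "POST /login HTTP/1.1" 302 0 "http://examp1ebank-secure.test/login" "Mozilla/4.0" carol
203.0.113.9 - - [12/Jan/2007:14:03:05 +0000] "GET /accounts HTTP/1.1" 200 5120 "http://examp1ebank-secure.test/accounts" "Mozilla/4.0" -
203.0.113.9 - - [12/Jan/2007:14:04:44 +0000] "POST /login HTTP/1.1" 302 0 "http://examp1ebank-secure.test/login" "Mozilla/4.0" dave
198.51.100.22 - - [12/Jan/2007:14:05:00 +0000] "POST /login HTTP/1.1" 302 0 "http://www.examplebank.test/login" "Mozilla/4.0" erin
"""


def parse(log_text):
    """Yield one dict per log line that matches LOG_RE, with a parsed timestamp."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def foreign_referers(records, legit_hosts=LEGIT_HOSTS):
    """Return {client_ip: set(referer hosts)} for Referer hosts outside legit_hosts."""
    hits = defaultdict(set)
    for r in records:
        host = urlsplit(r["referer"]).hostname
        if host and host not in legit_hosts:
            hits[r["ip"]].add(host)
    return dict(hits)


def proxy_suspects(records, window=timedelta(minutes=10), min_users=3):
    """Return {client_ip: [users]} for IPs that logged in as at least
    min_users distinct accounts inside any sliding window of length `window`."""
    logins = defaultdict(list)  # ip -> [(timestamp, username)]
    for r in records:
        if r["user"] != "-" and r["req"].startswith("POST /login"):
            logins[r["ip"]].append((r["ts"], r["user"]))
    suspects = {}
    for ip, events in logins.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                suspects[ip] = sorted(users)
                break
    return suspects


def analyse(log_text=SAMPLE_LOG):
    """Run both checks over a log and return their findings together."""
    recs = list(parse(log_text))
    return {
        "proxy_suspects": proxy_suspects(recs),
        "foreign_referers": foreign_referers(recs),
    }


if __name__ == "__main__":
    for name, finding in analyse().items():
        print(name, finding)
```

Both signals are heuristics, not proof: a kit can strip or rewrite the Referer header, and an operator can spread sessions over several addresses, so the thresholds are a starting point for an analyst rather than an automatic block rule. What the check does give the bank is a way to notice an ongoing relay on its own traffic instead of waiting for customer reports to reach a blacklist.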

Because the content looks -- and is -- legitimate, Gaffan expects it will be much harder for users to detect the fraud. That in turn means that it will take longer for some anti-phishing systems -- notably those dependent on users' suspicions and submissions that result in updated site blacklists -- to wise up to an ongoing attack. A matter of just a few more minutes or hours can be a boon to phishers, who already are equipped to quickly close down a detected attack and move on to a new one.

"This will take longer to detect, which means it will take more time for the attack to be identified," says Gaffan. "The longer it all takes, the longer it takes to distribute a new blacklist."

The kit's comprehensive data capture is also disturbing, says Gaffan. New security provisions by financial institutions, such as images displayed to users to indicate that they're dealing with the real site, could be easily compromised.

So far, RSA has detected only about a dozen attacks launched with the new kit. But Gaffan expects that to climb, and quickly. "This is fairly new, out just a couple of weeks. But we expect the news to get around, and we're seeing a lot of talk in the hacker underground. There's a good chance that this will take off."

If it does, it will be because fraudsters see it as a major improvement and a great deal. "I think this [$1,000] kit is underpriced," says Gaffan. "It's alarming, actually, and a great value. This could become a big thing."
