The new kit, which RSA has dubbed "Universal Man-in-the-Middle Phishing Kit," sells for about $1,000 on various hacker sites, says RSA executive Marc Gaffan. That price is high relative to other fraudster kits -- software tools that automate part or all of a phishing attack setup and execution -- but the payoff to criminals is huge.
"What's unique about this kit is that it changes the rules of the game," says Gaffan. "It offers a much better return on investment. It can be used to create attacks against multiple targets, such as several banks, simultaneously, without any code changes or technical expertise. A hacker could employ it against dozens of targets."
In comparison, most other phishing kits sell for up to $200 each and let users construct attacks against just one specific financial organization.
But the price -- or even its ease of use -- isn't the only threat that the new man-in-the-middle kit poses to banks and their customers, claims Gaffan. Its technology, he says, also ups the ante in the fraud game.
"It completely mirrors the legitimate Web site, acting like a proxy," says Gaffan. "All the links on the page are active, and it's able to eavesdrop on all communication between consumers and the institution. That gives [phishers] access to significantly more information than kits that simply log keystrokes or watch for account numbers and passwords."
All the kit-using criminal has to do is register a phony domain name, then plug that and the URL of the real Web site into the software's administrative control panel. The kit then communicates in real time with the target IP address and uses a proxy to redirect content from the legitimate site to the bogus URL; thus the user interacts with actual content from, say, his own bank, adding to the deception. The fake URL squats between the consumer and the target -- that's where the "man-in-the-middle" phrase comes from -- and captures all data from user to bank or bank to user.
Because the content looks -- and is -- legitimate, Gaffan expects it will be much harder for users to detect the fraud. That in turn means that it will take longer for some anti-phishing systems -- notably those dependent on users' suspicions and submissions that result in updated site blacklists -- to wise up to an ongoing attack. A matter of just a few more minutes or hours can be a boon to phishers, who already are equipped to quickly close down a detected attack and move on to a new one.
"This will take longer to detect, which means it will take more time for the attack to be identified," says Gaffan. "The longer it all takes, the longer it takes to distribute a new blacklist."
The kit's comprehensive data capture is also disturbing, says Gaffan. New security provisions by financial institutions, such as images displayed to users to indicate that they're dealing with the real site, could be easily compromised.
So far, RSA has detected only about a dozen attacks launched with the new kit. But Gaffan expects that to climb, and quickly. "This is fairly new, out just a couple of weeks. But we expect the news to get around, and we're seeing a lot of talk in the hacker underground. There's a good chance that this will take off."
If it does, it will be because fraudsters see it as a major improvement and a great deal. "I think this [$1,000] kit is underpriced," says Gaffan. "It's alarming, actually, and a great value. This could become a big thing."