Universal phishing kit makes work easy for criminals
According to a report by RSA, a vendor of security products including network authentication, a new phishing kit helps criminals automate attacks on users to steal login data, PINs, and TANs. RSA's Anti-Fraud Command Center (AFCC) says it has found a universal man-in-the-middle phishing kit that is already being used and sold on the internet for criminal purposes. Among other things, the AFCC uses RSA's industry-wide eFraudNetwork to detect attacks.
The new kit reportedly allows more sophisticated phishing attacks than before. Victims still communicate with the legitimate website, but they do so through a forged one operated by criminals, which forwards their requests to the real site as though a proxy server sat in between. RWTH Aachen first demonstrated such attacks in August 2005.
RSA's security experts analysed a demonstration version of the kit that they obtained as a free test copy through an online forum. According to RSA, attackers can use the kit to generate a fraudulent website from a simple, user-friendly online interface. This website then acts as a middleman that intercepts the communication between the user and the genuine website of the targeted company in real time. The victim receives a phishing e-mail that points to the fraudulent URL. Both the criminals and the bank receive everything the victim enters.
This attack even succeeds against the new iTAN procedure that a number of banks are now using. When the victim logs on with a PIN to the website they assume to be genuine, the phishing website performs the actual login with the bank in real time. If the victim then wants to transfer money, the fraudulent website requests a transfer at the victim's bank. The victim does not receive the bank's query for an iTAN, however, because the phishing website has intercepted it. Since the phishing website does not know the iTAN, it has to relay the bank's query to the victim as if it were its own. Assuming the query refers to the transfer they just requested, the victim enters the requested iTAN into the phishing website, which can then carry out whatever transfer it wants.
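The relay described above can be modelled as a short message exchange between victim, phishing page, and bank. The following Python script is an added illustration, not code from the article, from the kit, or from any real bank: the bank, PIN, paper TAN list, and device secret are all constructed. It plays through the classic indexed-TAN flow the article describes, in which the bank's challenge ("enter TAN number N") carries nothing about the transfer and can therefore be forwarded unchanged, and, going slightly beyond the article, contrasts it with a challenge that binds the TAN to the transfer details the bank is about to execute, so that a relayed answer computed over different details is rejected.

```python
import hashlib
import hmac

# Constructed sample data (not from the article or any real bank).
ITAN_LIST = {i: f"{(i * 7919) % 1000000:06d}" for i in range(1, 11)}  # paper list: index -> TAN
DEVICE_SECRET = b"customer-device-secret"  # assumption: shared secret for the bound variant


class Bank:
    """Minimal bank model: PIN login, then one TAN challenge per transfer."""

    def __init__(self, itan_list, device_secret):
        self.itan_list = itan_list
        self.device_secret = device_secret
        self.executed = []  # transfers the bank actually carried out

    def login(self, pin):
        return pin == "1234"  # constructed PIN

    def itan_challenge(self, transfer):
        # Classic iTAN: the bank names an index on the paper list. The index is
        # independent of the transfer details, so a relay can forward it unchanged.
        idx = (transfer["amount"] + len(transfer["to"])) % len(self.itan_list) + 1
        return {"type": "itan", "index": idx}

    def bound_challenge(self, transfer):
        # Transaction-bound variant (assumption, not from the article): the valid
        # TAN is derived from the exact details the bank will execute.
        return {"type": "bound", "transfer": transfer}

    def submit(self, transfer, challenge, tan):
        if challenge["type"] == "itan":
            ok = hmac.compare_digest(tan, self.itan_list[challenge["index"]])
        else:
            ok = hmac.compare_digest(tan, device_tan(self.device_secret, transfer))
        if ok:
            self.executed.append(transfer)
        return ok


def device_tan(secret, transfer):
    """TAN a customer-side device derives from the transfer details it displays."""
    msg = f"{transfer['to']}|{transfer['amount']}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def victim_answers(challenge):
    """The victim answers whatever challenge the page shows, trusting it."""
    if challenge["type"] == "itan":
        return ITAN_LIST[challenge["index"]]
    # Bound variant: the device computes the TAN over the details the victim sees.
    return device_tan(DEVICE_SECRET, challenge["transfer"])


def relay_attack(challenge_kind):
    """Play the relayed session; return (bank accepted?, transfers executed)."""
    bank = Bank(ITAN_LIST, DEVICE_SECRET)
    intended = {"to": "DE00 VICTIM INTENDED", "amount": 100}   # what the victim asked for
    attacker = {"to": "DE00 MULE ACCOUNT", "amount": 5000}     # what the relay submits

    # 1. Victim enters the PIN on the phishing page, which logs in to the real bank.
    if not bank.login("1234"):
        return False, bank.executed
    # 2. Victim requests `intended`; the phishing page requests `attacker` at the bank.
    if challenge_kind == "itan":
        challenge = bank.itan_challenge(attacker)
    else:
        challenge = bank.bound_challenge(attacker)
    # 3. The page shows the victim the bank's challenge as if it belonged to `intended`.
    shown = dict(challenge)
    if shown["type"] == "bound":
        shown["transfer"] = intended  # the victim's device only ever sees the intended details
    tan = victim_answers(shown)
    # 4. The page forwards the victim's TAN to the bank for the attacker transfer.
    accepted = bank.submit(attacker, challenge, tan)
    return accepted, bank.executed


if __name__ == "__main__":
    print("indexed iTAN relayed:", relay_attack("itan"))
    print("transaction-bound TAN relayed:", relay_attack("bound"))
```

With the indexed challenge the bank sees a correct PIN and a correct TAN and executes the attacker's transfer; nothing in the protocol distinguishes the relayed session from a genuine one. With the bound challenge the victim's device derives the TAN from the details it displays, which are not the details the bank received, so the relayed answer fails verification and nothing is executed.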
A similar man-in-the-middle attack has already defeated two-factor authentication based on a security token designed to prevent phishing; RSA sells such tokens under its own SecurID brand.