[ISN] New tool enables sophisticated phishing scams

From: InfoSec News (alerts@private)
Date: Wed Jan 10 2007 - 22:35:22 PST


By Joris Evers
Staff Writer, CNET News.com
January 10, 2007

Security experts at RSA have come across a new tool that automatically 
creates sophisticated phishing sites, a sign that cybercrooks are 
getting increasingly professional.

The tool, which RSA calls the "Universal Man-in-the-Middle Phishing 
Kit," is available on underground online marketplaces for about $1,000, 
Jens Hinrichsen, RSA's product marketing manager for fraud action, said 
in an interview Wednesday.

"Unlike other phishing kits which have been in existence for quite some 
time, this kit is unique because with a very simple user interface you 
can choose whatever site you'd like to spoof," Hinrichsen said. "The 
arms race continues; we on the security side have to continue to 
escalate resources and invest in technology."

Phishing scams are a prevalent online threat that typically use 
fraudulent Web pages and spammed e-mail messages to trick people into 
giving up personal information such as user credentials or credit card 

Using the new kit, a fraudster only has to enter variables such as which 
site should be spoofed and where the fraudulent page will be hosted. The 
tool then produces a dynamic Web page in the PHP (hypertext 
preprocessor) scripting language. The fraudster hosts this page 
somewhere on the Web, typically on a compromised Web server or a free 
Web host, and lures people to it with spammed e-mail messages or other 

Unlike traditional phishing Web sites that have static Web pages 
designed to look like a real online bank or other trusted site, the 
dynamic page created by the phishing kit actually pulls in the current 
Web site of the target organization and displays it. However, any data 
entered is captured by the miscreants, Hinrichsen said.

"Once you enter your credentials, it would be intercepted by that server 
where the PHP file is hosted," he said. At the same time, the victim is 
actually logged in to the legitimate site and may never know he's been 

Shrewd phishers monitor the log-in process to validate that the data 
they capture is legitimate, Hinrichsen said. An incorrect username and 
password combination would be discarded. Also, the 
man-in-the-middle-style attack lets the miscreants continue to eavesdrop 
on the victim's interactions with the legitimate Web site, according to 

The most popular phishing targets are banks and online payment services 
such as PayPal. Auctioneer eBay is also a common target. Fraudsters run 
phishing scams to collect personal information that can be used for 
identity fraud.

Phishing protection is becoming common. The latest versions of Firefox 
and Internet Explorer include phishing shields. Also, security firms 
such as Symantec and McAfee sell antiphishing software.

Protection technologies typically rely on a list of known bad Web sites 
and display a warning when a user surfs to one of those. This means, 
however, that a brand-new fraudulent site won't be detected. In general, 
people should be cautious when following links to any site that requires 
a log-in. It is better to type in the address or use a bookmark.

This archive was generated by hypermail 2.1.3 : Wed Jan 10 2007 - 22:46:40 PST