January 10, 2007 11:47 AM PST

New tool enables sophisticated phishing scams

Security experts at RSA have come across a new tool that automatically creates sophisticated phishing sites, a sign that cybercrooks are getting increasingly professional.

The tool, which RSA calls the "Universal Man-in-the-Middle Phishing Kit," is available on underground online marketplaces for about $1,000, Jens Hinrichsen, RSA's product marketing manager for fraud auction, said in an interview Wednesday.

"Unlike other phishing kits which have been in existence for quite some time, this kit is unique because with a very simple user interface you can choose whatever site you'd like to spoof," Hinrichsen said. "The arms race continues; we on the security side have to continue to escalate resources and invest in technology."

Phishing scams are a prevalent online threat that typically use fraudulent Web pages and spammed e-mail messages to trick people into giving up personal information such as user credentials or credit card data.

Using the new kit, a fraudster only has to enter variables such as which site should be spoofed and where the fraudulent page will be hosted. The tool then produces a dynamic Web page in the PHP (hypertext preprocessor) scripting language. The fraudster hosts this page somewhere on the Web, typically on a compromised Web server or a free Web host, and lures people to it with spammed e-mail messages or other links.

Unlike traditional phishing Web sites that have static Web pages designed to look like a real online bank or other trusted site, the dynamic page created by the phishing kit actually pulls in the current Web site of the target organization and displays it. However, any data entered is captured by the miscreants, Hinrichsen said.

"Once you enter your credentials, it would be intercepted by that server where the PHP file is hosted," he said. At the same time, the victim is actually logged in to the legitimate site and may never know he's been phished.

Shrewd phishers monitor the log-in process to validate that the data they capture is legitimate, Hinrichsen said. An incorrect username and password combination would be discarded. Also, the man-in-the-middle-style attack lets the miscreants continue to eavesdrop on the victim's interactions with the legitimate Web site, according to RSA.

The most popular phishing targets are banks and online payment services such as PayPal. Auctioneer eBay is also a common target. Fraudsters run phishing scams to collect personal information that can be used for identity fraud.

Phishing protection is becoming common. The latest versions of Firefox and Internet Explorer include phishing shields. Also, security firms such as Symantec and McAfee sell antiphishing software.

Protection technologies typically rely on a list of known bad Web sites and display a warning when a user surfs to one of those. This means, however, that a brand-new fraudulent site won't be detected. In general, people should be cautious when following links to any site that requires a log in. It is better to type in the address or use a bookmark.

See more CNET content tagged:
phishing, RSA Security Inc., fraudster, phishing Web site, target

3 comments

Join the conversation!
Add your comment
which user agent?
It would be interesting to know which user agent string is used by
PHP in this phishing script.

Webmasters could block access to their sites if the user agent is
something like "PHP Curl" or "libcurl" or something else and not
coming from a trusted server.
Posted by joebuff75 (35 comments )
Reply Link Flag
Any agent the phisher likes
User-agent is basically a text header sent over the http and therefore you can make your agent appear anything you like even IE 7.0 if you choose
Posted by mlehiste (9 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.