RSA Discovers New Universal Man-in-the-Middle Phishing Kit

New kit helps fraudsters easily launch increasingly sophisticated and automated online fraud attacks

BEDFORD, Mass., Jan. 10 -- RSA, The Security Division of EMC (NYSE: EMC), announced today that its 24x7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters.

This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims' personal information in real-time.

RSA's analysts researched and analyzed a demo of the kit that was being offered as a free trial on one of the online fraudster forums that the AFCC monitors regularly.

How it works

Using the Universal Man-in-the-Middle Phishing Kit, the fraudster creates a fraudulent URL via a simple and user-friendly online interface. This URL communicates with the legitimate website of the targeted organization in real-time - whether it is the online banking site of a financial institution, the order tunnel of an ecommerce company, or any other such business transacting with its users online. The victim receives a "standard" phishing email, and when clicking on the link s/he is directed to the fraudulent URL. The victim then interacts with genuine content from the legitimate website - which has been "imported" by the attack into the phishing URL - thus allowing the fraudster seamless, invisible and immediate access to the victim's personal information.
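Because the relaying URL fetches the real site's pages and forwards every victim's submissions from its own address, the legitimate site's own server logs carry two tell-tale signs. The following is an added defender-side example, not RSA's code or part of the release: it runs over a constructed, simplified log sample (hypothetical field layout, assumed allowlist of legitimate hosts and an assumed per-IP account threshold) and flags form posts whose Origin/Referer host is foreign, and source IPs that authenticate several distinct accounts.

```python
from collections import defaultdict

# Constructed sample of a bank's web-server log, reduced to the fields that
# matter here (hypothetical layout: client_ip method path origin referer account).
# 203.0.113.7 is a normal customer; 198.51.100.9 is a relaying phishing host.
SAMPLE_LOG = """\
203.0.113.7 POST /login bank.example bank.example alice
203.0.113.7 POST /transfer bank.example bank.example alice
198.51.100.9 POST /login proxy-kit.example proxy-kit.example bob
198.51.100.9 POST /login proxy-kit.example proxy-kit.example carol
198.51.100.9 POST /transfer proxy-kit.example proxy-kit.example bob
192.0.2.4 GET /balance - bank.example dave
"""

# Hosts that legitimately serve the bank's own forms (assumed allowlist).
LEGIT_HOSTS = {"bank.example", "www.bank.example"}
# Assumed threshold: more than this many distinct accounts from one IP is suspicious.
ACCOUNTS_PER_IP_LIMIT = 1

def parse_line(line):
    ip, method, path, origin, referer, account = line.split()
    return {"ip": ip, "method": method, "path": path,
            "origin": origin, "referer": referer, "account": account}

def find_relayed_posts(lines):
    """Return POSTs whose Origin (or, failing that, Referer) host is not ours.
    A browser submitting a form served from a relaying URL names that URL's host."""
    flagged = []
    for rec in map(parse_line, lines):
        if rec["method"] != "POST":
            continue
        src = rec["origin"] if rec["origin"] != "-" else rec["referer"]
        if src not in LEGIT_HOSTS:
            flagged.append((rec["ip"], rec["path"], rec["account"], src))
    return flagged

def find_shared_login_ips(lines, limit=ACCOUNTS_PER_IP_LIMIT):
    """Return IPs from which more than `limit` distinct accounts logged in:
    a relay presents every victim's session from its own address."""
    accounts = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["method"] == "POST" and rec["path"] == "/login":
            accounts[rec["ip"]].add(rec["account"])
    return {ip: sorted(a) for ip, a in accounts.items() if len(a) > limit}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(find_relayed_posts(lines))
    print(find_shared_login_ips(lines))
```

A kit can strip or rewrite the Origin and Referer headers, so the per-IP check is the more robust of the two; both are signals for investigation, not proof on their own.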

Fraudster benefits

RSA's analysts have identified two primary benefits that fraudsters using this kit are set to reap:

1. It is a "universal" phishing kit, meaning it can easily be configured per target. Fraudsters who want to initiate a phishing attack do not have to purchase or prepare a custom phishing kit for each target. Once they acquire and operate this kit, the attack can be configured to "import" pages from any target website.

2. Unlike standard phishing attacks, which only collect specific requested data (typically login and card-related credentials), this attack is designed to intercept any type of credentials submitted to the site, including those submitted after the victim has logged into his account.

Detection and mitigation efforts

The RSA 24x7 Anti-Fraud Command Center handles this attack in a similar fashion to the way it deals with "standard" phishing attacks - relying on a broad monitoring and detection network, its broad blocking network, as well as industry-leading experience in site shutdown - as it does for more than 150 customers of its FraudAction(SM) anti-phishing, anti-pharming service. And, uniquely, RSA can further identify, analyze and mitigate this specific type of attack via the RSA eFraudNetwork(SM) community - the company's cross-institution anti-fraud network - by leveraging sophisticated analytics in the RSA