
Great Strides in Phishing

Earlier this month, Security Fix called attention to a phishing scam where bad guys were making use of the real Amazon.com Web site to trick people into entering personal information at a fake Amazon site they created.

Now, according to fraud investigators at RSA Security Inc., a simple, point-and-click tool is being sold in the hacker underground that lets criminals automate the construction of more scam sites built on this same approach.

What made the Amazon phishing site that I wrote about so unusual was that it relied on a so-called man-in-the-middle attack, in which the fraudsters' fake site passes the login credentials a victim types in straight through to the targeted institution's real site on the user's behalf. A copy of those credentials is stored on the fake site or e-mailed to some free Webmail account set up by the fraudsters, and the victim is then typically handed off to the targeted institution's real site, none the wiser.

This is a tactic used to make the fraudulent site appear more authentic. I've heard far too many people say they can tell whether a site is legit simply by entering made-up or gibberish user names and passwords at a suspected phishing site. The reasoning goes: "If this site is fake, it will accept my bogus login information, but if it tells me that the account information doesn't exist or is incorrect, then it must be the real thing." The man-in-the-middle method shows the folly of that line of thinking: the fake site simply relays the bogus login to the real site and echoes back the real site's rejection, so the test proves nothing.

The phishing automation tool discovered by RSA is installable software that automates the construction of man-in-the-middle phishing sites, so that even a novice can set one up, and do so quickly. Using this tool, a criminal no longer has to buy or create a custom phishing kit for each targeted organization. Because the victim's traffic keeps flowing through the fake site, the scam artist can also intercept any data sent back and forth between the customer and the institution for as long as the victim stays logged into his or her account.
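To make the relay concrete, here is an added example written for this page (it is not RSA's tool, nor code from the original post) that simulates the exchange in Python: an in-memory stand-in for the targeted site, a phishing proxy that passes each login through and keeps a copy of the credentials and the session cookie, and the "type gibberish first" test discussed above. The host names, the account, the session format and the captured-log layout are all constructed for illustration. The last function goes beyond the article's text: it is the origin check a password manager applies before releasing a saved credential, which is the rule that defeats a relay site no matter how faithfully it forwards the login.

```python
"""Constructed simulation of a man-in-the-middle phishing relay (added example)."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class LegitimateSite:
    """Stand-in for the targeted institution: a login endpoint and one account page."""
    origin: str = "https://www.amazon.com"           # assumed for illustration
    accounts: dict = field(default_factory=lambda: {"alice@example.net": "hunter2"})
    sessions: dict = field(default_factory=dict)     # session token -> user

    def login(self, user: str, password: str) -> dict:
        if self.accounts.get(user) != password:
            return {"status": 401, "body": "The e-mail address or password is incorrect."}
        token = secrets.token_hex(8)
        self.sessions[token] = user
        return {"status": 200, "body": "Welcome back", "set_cookie": f"session={token}"}

    def account_page(self, cookie: str) -> dict:
        user = self.sessions.get(cookie.removeprefix("session="))
        if user is None:
            return {"status": 401, "body": "Please sign in."}
        return {"status": 200, "body": f"Orders and saved cards for {user}"}


@dataclass
class PhishingProxy:
    """The fraudsters' site: every request is forwarded upstream, every byte is kept."""
    origin: str = "https://www-amazon-verify.example"  # assumed phishing host name
    upstream: LegitimateSite = field(default_factory=LegitimateSite)
    captured: list = field(default_factory=list)        # the "log" mailed to the scammer

    def login(self, user: str, password: str) -> dict:
        resp = self.upstream.login(user, password)       # relay to the real site
        self.captured.append({"user": user, "password": password,
                              "accepted": resp["status"] == 200,
                              "cookie": resp.get("set_cookie")})
        return resp                                       # victim sees the real answer

    def account_page(self, cookie: str) -> dict:
        # The victim keeps talking to the proxy, so post-login traffic is captured too.
        resp = self.upstream.account_page(cookie)
        self.captured.append({"relayed": "account_page", "cookie": cookie, "body": resp["body"]})
        return resp


def bogus_login_test(proxy: PhishingProxy) -> dict:
    """The 'type gibberish first' heuristic: the relay hands back the real site's rejection."""
    return proxy.login("nobody@example.net", "xyzzy")


def victim_session(proxy: PhishingProxy) -> dict:
    """A genuine login through the proxy followed by one authenticated page view."""
    resp = proxy.login("alice@example.net", "hunter2")
    proxy.account_page(resp["set_cookie"])
    return {"victim_saw": resp["status"], "attacker_log": proxy.captured}


def same_origin(saved: str, current: str) -> bool:
    """Password-manager rule: release a credential only on the exact origin it was saved for.

    Compares scheme, host and effective port, so a look-alike host, an extra
    DNS label or a downgrade to plain http all refuse the fill.
    """
    default = {"https": 443, "http": 80}
    a, b = urlsplit(saved), urlsplit(current)
    return (a.scheme, a.hostname, a.port or default.get(a.scheme)) == \
           (b.scheme, b.hostname, b.port or default.get(b.scheme))


if __name__ == "__main__":
    proxy = PhishingProxy()
    print("bogus login ->", bogus_login_test(proxy))
    print("real login  ->", victim_session(proxy)["victim_saw"])
    for entry in proxy.captured:
        print("captured:", entry)
    print("autofill on phishing host?",
          same_origin(proxy.upstream.origin, proxy.origin + "/ap/signin"))
```

Run as a script, the bogus attempt comes back with the real site's error message even though it went to the phishing host, the genuine login succeeds for the victim while the attacker's log holds the password and the session cookie, and the page fetched afterwards is logged as well. The origin check is the piece that does not depend on the user noticing anything: a credential saved for `https://www.amazon.com` is never offered on `https://www-amazon-verify.example`, however convincing that host's pages and error messages are.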

I checked with a couple of reliable sources, and they said this simple software tool is indeed being sold on various shadowy online forums, apparently under the unassuming title "scams and fakes creation tool." It is being sold for about $1,000, a hefty price -- roughly five to ten times the amount that most phishing kits fetch on the Internet black market. However, the inflated price makes sense if you consider that the kit offers the ability to create more effective and convincing phishing sites targeting multiple institutions in a very short period of time, said Marc Gaffan, director of marketing at RSA's consumer division.

"This thing absolutely increases the scalability [of phishing attacks] and the vulnerability of smaller companies, particularly non-financial institutions [and] retail institutions that are more gearing toward credit card fraud," Gaffan said.

As of last Tuesday, Gaffan said RSA had spotted fewer than a dozen sites generated by the new tool. Still, scammers are always looking for more automation. Given the sophistication being built into online fraud tools these days, it's probably safe to assume that this type of phishing attack will become the norm very soon.

By Brian Krebs  |  January 17, 2007; 1:15 PM ET
Categories:  Latest Warnings  

Comments

So what do you recommend to people like my 85 year-old mother to avoid falling for this scam?

I accidentally made it more difficult for my wife by (somehow) making it impossible for her to click on hyperlinks in her Thunderbird email client.

Posted by: Mike Wyman | January 17, 2007 1:52 PM

I fell victim to the most recent Amazon phishing scheme mentioned above, but recognized the fact immediately and was able to take quick action to prevent any permanent damage. Even though I'm relatively internet savvy (everyone in my generation is I suppose since we're the ones who grew up with the web), I was still taken in because I wasn't paying attention.

Posted by: 215 | January 17, 2007 3:06 PM

I really hate using Amazon just because they get targeted so much. In fact, even though I buy on the web, I usually call the company I order from to actually purchase the items I want. And I generally refuse to give any contact information other than address and phone. You would think some big retailers would want to join in the fray and combine with an organization like RSA or similar and try to protect its customers.

We know the "fraudsters" won't go away anytime soon. So the burden falls to customers, who hope for saving graces from organizations such as RSA.

Posted by: umm.huh | January 17, 2007 3:35 PM

The previous posts make two great points to defend against phishing:

NEVER click on hyperlinks in e-mail!

Pay attention!

Just like physical security, be aware of your surroundings. Educate yourself on the dangers out there.

Just because the computer is in the comforts of your home or business, does not mean it poses no dangers!

Posted by: TJ | January 17, 2007 3:41 PM

An awesome company that poses a real danger to phishing is Voltage Security. They are a leader in data privacy, and invented IBE (Identity-Based Encryption). Great products for enterprise. Check them out.

Posted by: JimmyJackFunk21 | January 17, 2007 4:53 PM

Wouldn't the site cert be a weakness? It strikes me that your MITM would not have a valid SSL cert, or at least not one valid for Amazon, so you should be able to check the cert exists and is valid. Or am I missing something?

Posted by: Dbh | January 17, 2007 11:28 PM

The reason why the scam/phishing worked is because on the Amazon site users are asked to give their credentials on a non-SSL/protected page. The same approach is followed by Hotmail and many others. So what should people do? My strong advice is to try with bogus credentials when we are presented with an unprotected login page. Why? Because in most cases (and it is the case for the Amazon and Hotmail sites) the error message thrown back by the server is through an SSL page, which also asks you to re-enter your credentials. This time though, you can be (more) sure that you are giving your credentials to a trusted (through the digital certificate) website. So, using bogus credentials does help, BUT only if the returned error page is served through SSL and it allows you to enter your credentials through that.

Posted by: Al Graziano | January 18, 2007 2:45 AM

Ah, jeez, so that "why is this safe" thing is crap...but eventually in amazon you DO get to ssl pages after logging in (at least if you check out or do account maintenance) but I suppose if the MITM doesn't secure the link to the vic then he probably wouldn't notice...

Posted by: DBH | January 18, 2007 9:07 AM

Note, EV Certs wouldn't fix this either. Maybe an Entrust logo next to the logon that compares the URL you are actually connected to and the URL of the Cert. Or better that function could be built into browsers...

Posted by: DBH | January 18, 2007 9:20 AM

What needs to happen is that sites like Amazon need the page you log in from to be encrypted with SSL in addition to the page you log in to.

Posted by: william | January 18, 2007 11:00 AM

I ordered a book from Amazon one day and the next received an official looking document from supposedly Amazon stating that I would have to re-enter my order as the bank wouldn't issue payment. The reason they gave was that the info I filled out didn't jibe with their id for me. If I didn't respond within three days they would have to cancel my order. I didn't respond and within the week my order was filled. Looked like an inside job to me.

Posted by: Eli | January 18, 2007 3:49 PM

SSL logon page doesn't actually solve the problem, if people aren't paying attention to the 'lock' icon. It would be the same as people not paying attention to the real URL that they are connected to...

The EV Cert would be different if logon was secured too, in that the bar wouldn't be green, but again people would have to be paying attention.

Unfortunately, the SSL warning on domain mismatch also gets ignored because it isn't clear what's to be done or how to verify or test mismatched certs...

Posted by: DBH | January 18, 2007 8:47 PM

Of all the tools and technology available, the best is still the human mind!

Unfortunately, with the dumbing down of the population, these types of issues will continue to grow.

We have become lazy in relying on technology to solve many problems. Sure, it may be part of the solution, but the biggest defense is to exercise that skull full of mush.

Posted by: TJ | January 18, 2007 9:12 PM

Shouldn't OUR Government law enforcement agencies be closing down RSA for aiding and abetting criminal action. Maybe better to increase their Corporate Taxes by 500% for the next ten years, and all Corporate Officers increase their Income Tax by 1000% for the next 20 Years.

Posted by: YDW | January 19, 2007 8:32 AM

Banks represent the richest organizations in the world and could have enabled secure credentials with ease. The crux is that the banking industry have no people with the guts and passion needed in order to establish infrastructures of this kind.

Posted by: AR | January 19, 2007 8:49 AM

One way to help non-savvy users avoid phishing scams is to set up a personal HTML page on their local PC with correct links to any site that they interact with (logon, buy things, etc.) and teach them to use ONLY those links to get to the sites. Also - encourage Amazon and others to use site-to-user authentication technology like Bank of America's SiteKey.

Posted by: MJF | January 19, 2007 9:07 AM

I don't understand why people think that SSL is the answer here - the MITM can open SSL connections to the faked site and grab any content, then send it over to the unsuspecting user using its own SSL certificate.

Posted by: Amos | January 22, 2007 8:18 PM

My first reaction was just like TJ, but then I thought about why my grandmother and mother should not be able to use the internet just b/c they don't have a BS in Comp. Sci.

The criminals have outpaced the technology. Time to start over...

Posted by: Kinda | January 25, 2007 2:55 PM


© 2010 The Washington Post Company