'Make your own man-in-the-middle attack' online kit found

 

Dan Kaplan Jan 10 2007 18:04

Fraudsters are hawking free trials of "universal" man-in-the-middle phishing kits through an online forum, security researchers said today.

RSA's Anti-Fraud Command Center (AFCC) discovered an internet forum populated by fraudsters that is offering a set of tools to create a man-in-the-middle scheme, according to a company news release.

The kit allows would-be attackers to create a bogus URL that communicates with both the end user and the legitimate website in real time, the release said. The scammer must first dupe the user into visiting the spoofed site.

These so-called universal phishing kits allow users to configure their attacks to take advantage of any target website, according to the release.

What makes man-in-the-middle attacks so troubling to security experts is that they allow hackers to continue to steal credentials even after the account holder has logged in, thus permitting the attacker to make an immediate financial transaction. In addition, because the fake site is communicating with the real one, it will alert users when they have incorrectly entered in their login details - thus enhancing the legitimacy of the scam.

Experts have said mutual authentication - in which both the client browser and the website must validate themselves - needs to be implemented to prevent against this new style of attack. Two-factor authentication won't cut it.

"As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets," said Marc Gaffan, director of marketing in the Consumer Solutions division at RSA. "While these types of attacks are still considered ‘next generation,' we expect them to become more widespread over the course of the next 12 to 18 months."

Amazon.com and Citibank have become recent man-in-the-middle victims.

Bron: SC Magazine