Want CNET to notify you of price drops and the latest stories?

New tool enables sophisticated phishing scams

Tool automatically creates dynamic phishing sites that pull in data from the target Web site, RSA says.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Security experts at RSA have come across a new tool that automatically creates sophisticated phishing sites, a sign that cybercrooks are getting increasingly professional.

The tool, which RSA calls the "Universal Man-in-the-Middle Phishing Kit," is available on underground online marketplaces for about $1,000, Jens Hinrichsen, RSA's product marketing manager for fraud auction, said in an interview Wednesday.

"Unlike other phishing kits which have been in existence for quite some time, this kit is unique because with a very simple user interface you can choose whatever site you'd like to spoof," Hinrichsen said. "The arms race continues; we on the security side have to continue to escalate resources and invest in technology."

Phishing scams are a prevalent online threat that typically use fraudulent Web pages and spammed e-mail messages to trick people into giving up personal information such as user credentials or credit card data.

Using the new kit, a fraudster only has to enter variables such as which site should be spoofed and where the fraudulent page will be hosted. The tool then produces a dynamic Web page in the PHP (hypertext preprocessor) scripting language. The fraudster hosts this page somewhere on the Web, typically on a compromised Web server or a free Web host, and lures people to it with spammed e-mail messages or other links.

Unlike traditional phishing Web sites that have static Web pages designed to look like a real online bank or other trusted site, the dynamic page created by the phishing kit actually pulls in the current Web site of the target organization and displays it. However, any data entered is captured by the miscreants, Hinrichsen said.

"Once you enter your credentials, it would be intercepted by that server where the PHP file is hosted," he said. At the same time, the victim is actually logged in to the legitimate site and may never know he's been phished.

Shrewd phishers monitor the log-in process to validate that the data they capture is legitimate, Hinrichsen said. An incorrect username and password combination would be discarded. Also, the man-in-the-middle-style attack lets the miscreants continue to eavesdrop on the victim's interactions with the legitimate Web site, according to RSA.

The most popular phishing targets are banks and online payment services such as PayPal. Auctioneer eBay is also a common target. Fraudsters run phishing scams to collect personal information that can be used for identity fraud.

Phishing protection is becoming common. The latest versions of Firefox and Internet Explorer include phishing shields. Also, security firms such as Symantec and McAfee sell antiphishing software.

Protection technologies typically rely on a list of known bad Web sites and display a warning when a user surfs to one of those. This means, however, that a brand-new fraudulent site won't be detected. In general, people should be cautious when following links to any site that requires a log in. It is better to type in the address or use a bookmark.