New Phishing Tool- Pass-Thru Proxies

According to a story in the Register today, Phishers are going to be using a new tool in pursuit of your identities and credit card numbers. Rather than having to setup a website with a fake login screen to trick you into disclosing your login and passwords, the new tool will change a webserver into a transparent pass-thru proxy and simply record your credentials as you login to your actual account.

From the Reg here:

A new kit for sale in the digital underground makes it easier for fraudsters to run more sophisticated phishing fraud attacks.

The Universal Man-in-the-Middle Phishing Kit enables fraudsters to sit between prospective marks and legitimate businesses. Rather just setting up a bogus website that’s promoted through spam email, crooks set up a fraudulent website as a conduit through a legitimate website to communicate with their victims. The technology allows con men to automatically capture victims’ personal information in real-time.

The kit was discovered by the anti-fraud unit of RSA, the security division of EMC, after it came across a free trial on a online fraudster forums it monitors. For fraudsters the software offers a number of benefits that spell added danger for consumers and online banks, the typical target of phishing attacks.

For one thing, the kit can be easily configured to suit different targets. An attack can be configured to “import” pages from any target website. Unlike standard email scam attacks, which only collect specific requested data (typically login and card-related credentials), using the man-in-the-middle approach means its possible to intercept any type of credentials submitted to a target site.

This type of attack would even bypass the newer authentication types I wrote about yesterday.  It will also defeat Paypal’s new SecureID initiative.  So how do you avoid it? Just don’t access any online accounts by clicking a link in your email.