DigitalTransactionNews is reporting:
RSA Security Inc. on Wednesday announced its analysts had discovered a powerful new phishing tool fraudsters are selling via online forums and using to hoodwink consumers. The tool, which RSA calls a “universal man-in-the-middle phishing kit,” allows phishers to set up a URL that can interact in real time with the actual content of the Web site of a targeted brand, such as a bank or e-commerce site. In this way, the fraudsters can intercept any data consumers may enter at the log-in or checkout pages of these sites. They then send out phishing e-mails embedded with links that send recipients to the fake URL, where the user can see an organization’s legitimate Web site but where any information he enters will be hijacked by the fraudsters as he types it.
The new tool is especially insidious, says RSA, because of its all-purpose nature. Fraudsters can use it to target any Web site without having to customize or create a tool for each brand. Also, the tool collects all data users enter, including all information the user types in after logging in. Typically, phishing attacks gather only data they request, usually passwords, PINs, or credit and debit card account numbers.
DigitalTransactionNews article, here.
I first read about the man-in-the-middle phishing attack when it was discovered at CastleCops by PIRT (Phishing Incident Reporting and Termination Squad) and reported by Internet crime writer Brian Krebs of the Washington Post, here.
PIRT is a great place to report suspected phish. They have a lot of dedicated personnel that fight phishing!
It's a shame that these Internet crime forums are allowed to continue operating. It's even been reported that one of them is being "hosted" in the Islamic Republic of Iran.
And Internet crime isn't the only problem that Iran is hosting. I'm sure some of our brave troops in Iraq and Afghanistan could attest to that.
Until we go after the sources of this problem, I have a "bad feeling" that Internet crime will continue to grow.
The FTC was recently given greater powers to follow Internet criminal activity across borders. Maybe laws like these will enable the "good guys" to start having a more "lasting" effect on the people behind the problem.