A new Phishing attack, targeted at online banking consumers, has been discovered by researchers at the RSA FraudAction Research Lab. The Phishing attempt starts the usual way, with an email or link taking potential victims to a clone of a banking portal, but introduces a new attack vector by adding live chat to the fraudulent site.
Phishing gets a facelift with chat-in-the-middle attacks. (IMG:J.Anderson)
RSA, after discovering the new attack, dubbed it “chat-in-the-middle”. It’s a new layer of Phishing fraud, where the criminals target more than the usernames and passwords normally sought when Phishing for bank customers, by offering a helpful chat session to the person on the site.
During a visit to the Phishing page, the targeted victim is presented with a chat window by someone posing as a representative of the bank’s fraud department. During the chat session, the supposed fraud department employee will ask for more than just a username and password.
“The fraudster presents himself as a representative of the bank's fraud department, claiming that the bank is "now requiring each member to validate their accounts". The fraudsters then collect additional information pertaining to the user - name, phone number, and email address,” RSA said in their warning on the issue.
RSA also discovered that the Phishing Kit that offers this new line of Phishing attack comes complete with variations on the chat window. They said that at present, U.S.-based banks are the targets of this new Phishing vector. The U.S. bank identified when the chat session was discovered has been alerted and the Phishing site shut down.
Since the criminal behind the chat session is getting data in real time, the level of information they collect will likely hold more value when it is sold to others. Moreover, RSA said that while the attack was still under investigation, they have, “…no information showing that the fraudster behind the Chat-in-the-Middle attack is using the victim's stolen credentials to log in to the compromised accounts in real time.”
If there is any good news to this new level of Phishing attack, it is that there has been only one instance of it being used. The problem is that the code is out there, and it will be used again.
As with other Phishing-related advice, remember that no bank will ask for personal or security-related information over email, and they certainly will not ask for this information over a chat session online. If you are prompted for this information by anyone at your bank via email or chat session, close the browser, call your bank directly, and tell them what you discovered.