Significant increase in free Man-in-the-Middle phishing kits available in the fraudster underground
(30/08/2007)
Online fraud is evolving. Phishing and pharming represent one of the most sophisticated, organized and innovative technological crime waves faced by online businesses. Fraudsters have new tools at their disposal and are able to adapt more rapidly than ever.
Phishing kits, both “regular” and of the Man-in-the-Middle (MITM) variety, are a well-known commodity in the online fraudster forums. Creators of phishing kits sell them online to the phishers themselves, who in turn use them to launch attacks against financial institutions. It is also very common to see phishing kits offered at no charge in the forums or on separate dedicated web sites.
Kits which are available for free in the underground can usually be found in online repositories – sites dedicated to offering several kits that attack multiple targets, typically created by the same fraudster. Links to these repositories are usually provided by the author in IRC chat rooms and online fraudster forums. Most of these kits include what fraudsters call a "backdoor" – a string of code embedded into the kit which sends the phishing “results” – i.e. the stolen credentials – not only to the user of the kit, but also to the creator of the kit. This is the main reason why the creators of kits offer them for free and with such enthusiasm.
Web sites that offer free phishing kits are not a novelty in the underground. They have been around for some time. However, recently RSA traced an interesting development in this area: The RSA FraudAction Intelligence team has noticed a rise in the number of repositories dedicated to providing free MITM kits. Looking at the kits themselves, RSA recently traced kits which target more than 10 of the world’s leading financial institutions.
MITM kits are now becoming more publicly available at no cost, which makes them a commodity easily obtained by any fraudster, beginner or expert. Fraudsters can now access these repository sites, download a MITM kit, and launch an attack. Public availability of such kits may lead to an increase in the number of MITM phishing attacks.
The fact that these MITM kits are offered for free indicates that MITM attacks are now a common practice among fraudsters, and not something unusual (as was the case 6-12 months ago). This is no great surprise, as it was expected that the more obstacles fraudsters face, such as strong authentication for online banking, the more they will be forced to innovate and pursue alternative methods.
The growing adoption rate of MITM attacks is just one of the advances in phishing methods and online threats seen in the past year. The increase in MITM kits correlates with the increase in the discussions that the RSA FraudAction Intelligence team has monitored in the fraudster forums regarding MITM attacks – otherwise known as "curl attacks" in fraudster terminology.
Christopher Young, Vice President, Consumer and Access Solutions Group at RSA, recently commented on MITM attacks: “As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets. While these types of attacks are still considered ‘next generation’, we expect them to become more widespread over the course of the next 12-18 months.” Young added: “We are working with many organizations to ensure they are positioned to withstand whatever threats fraudsters may create. Some of these organizations have already deployed various layers of protection and others are in the process of strengthening their security.”
The RSA Anti-Fraud Command Center (AFCC) is a 24x7 war-room that detects, monitors, tracks and shuts down phishing, pharming and Trojan attacks against more than 200 institutions worldwide. The AFCC has shut down over 42,000 phishing attacks and is a key industry source for information on phishing and emerging online threats.

