Chat-in-the-middle phishing attack targets online banking

The fraudsters open an instant messaging window that looks like live chat support and, posing as a representative of the bank’s fraud department, use it to obtain even more information from online banking customers.

RSA said the chat-in-the-middle phishing attack is currently targeting a single US-based financial institution. RSA could not disclose the identity of the financial institution for security reasons, but said it had warned the organization and that a standard phishing attack shut-down procedure had commenced.

The phishing attack is hosted on a well-known fast-flux network that is available for ‘hire’ from fraudsters to fraudsters and hosts a range of malicious websites, such as phishing websites, Trojan infection points and mule recruitment websites. Fast-flux networks produce an advanced Denial of Service (DoS) technique utilizing a botnet to host and deliver phishing and malware websites.

During the chat, the chat messages are processed in the background through a Jabber module located on a fraudster’s computer. Jabber is an open source instant messaging protocol popular among fraudsters to facilitate the receiving of stolen credentials in real-time.

“The live chat also ensures that the compromised information is delivered to the fraudster in real-time – a necessary feature in an attack scenario that requires real-time access to the victim’s account,” RSA said.

In its August 2009 online fraud report, RSA said the number of phishing attacks rose 22% in August 2009 compared to August 2008. Standard phishing attacks were up 2%, whereas fast-flux attacks jumped 38% - the majority of the fast-flux attacks were perpetrated by the infamous Rock Phish gang.
