Subscribe
Blog / Podcast Readers
NEWSGATOR YAHOO
BLOGLINES ITUNES
DEL.ICIO.US DIRECT RSS

"Chat-in-the-Middle" Phishing Attack Attempts to Steal Consumers' Data via Bogus Live-Chat Support

by RSA FraudAction Research Lab on 9/16/2009
Topics: Identity Protection | Man in The Middle | Online Fraud, Fraudsters | Phishing

A new, unique type of phishing attack targeted against online banking customers was recently discovered by the RSA FraudAction Research Lab. RSA has coined this as a "Chat-in-the-Middle" phishing attack and it is first executed through routine means but then presents a more advanced layer of perpetrating online fraud. The phishing attack may dupe bank customers into entering their usernames and passwords into an ordinary phishing site but the addition of a bogus live chat support window can obtain even more credentials via a live chat session initiated by fraudsters.

During the live chat session, the fraudster behind the attack presents himself as a representative of the bank's fraud department and attempts to dupe customers who are online into divulging sensitive information - such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.

Upon detecting the attack RSA immediately informed the affected financial institution and commenced a standard phishing attack shut-down procedure through the RSA Anti-Fraud Command Center and its RSA FraudAction service. (RSA cannot identify this bank in order to protect its security and privacy.) The attack is hosted on a well-known fast flux network for "hire" from fraudster to fraudster, which hosts a wealth of malicious websites such as phishing attacks, Trojans infection points, mule recruitment websites, and more.

The Design of the Attack
The phishing attack starts out as a normal phishing website (figure1) that prompts customers for their usernames and passwords. Usually at this point, after providing access credentials, phishing victims are redirected either to the next page (or pages) of the phishing website or to the genuine bank website. However, this attack proceeds with a new, advanced technique for obtaining additional information on victims – instead of being redirected to the next page of the phishing kit or the genuine site, a fake live-chat support window appears launched by the fraudster as part of the attack (Figure 2).

Figure 1: The First Stage of the Chat-in-the-Middle Phishing Attack

Figure 2: The Bogus Live-Chat Support Window:
The Second Stage of the Chat-in-the Middle Phishing Attack

Through social engineering, the fraudster attempts to obtain further information from the victim over the live chat platform. The fraudster presents himself as a representative of the bank's fraud department, claiming that the bank is "now requiring each member to validate their accounts". The fraudsters then collect additional information pertaining to the user - name, phone number and email address. These details may facilitate online or phone fraud against the user's account, and are possibly used for contacting the customer at a later stage as suggested in the chat window.

It seems that the live chat window within this phishing kit is constantly changing. Other versions that we tracked of the same kit featured a different text messages in the chat window, and an interactive chat between the fraudster and phishing victims.

Figure 3: Bogus Live-Chat Support Window:
Another Version of the Same Chat-in-the-Middle Attack

(It is important to note that the live chat window is launched by the fraudster, and bears absolutely no relation to any Instant Messaging (IM) application whatsoever that may be located on the victim's computer. The attack is not launched through IM, but through a normal phishing site, and IM applications are not targeted.)

Jabber IM, Yet Again
While the fraudster chats with the victim through the bogus live chat window, the chat messages are processed in the background through a Jabber module located on the fraudster’s computer. Jabber is an open source instant messaging (IM) protocol, which has recently been gaining popularity among fraudsters for the purpose of receiving stolen credentials in real time. As we reported in our previous blog post, the last time we came across Jabber it was used to forward stolen credentials in real time from a Zeus Trojan’s drop server to Trojan herders. While the browser-based chat window does not require victims to have Jabber or an IM application installed on their computer, Jabber is used by the fraudster to manage the one-on-one chat on the back-end.

The live chat tactic also ensures that the compromised information is delivered to the fraudster in real time - a necessary feature in attack scenarios that require real time access to the victim's account. While the attack is under investigation, RSA currently has no information showing that the fraudster behind the Chat-in-the-Middle attack is using the victim's stolen credentials to log in to the compromised accounts in real time.

While at this point RSA has witnessed only a single instance of this attack, we are recommending extra vigilance to operators of all online banking websites and other websites where user credentials are targeted. This includes, but is not limited to, informing customers to be aware of unusual online chat activity and to remind them that their bank and most other websites will never ask them to divulge information concerning their username/password or challenge/response questions.

Comments
systemrecure

I got a call from system recure,they requested and I allowed remote access to my pc. They said they were with my online service provider,I trusted them,I don't know if they're legit or a scam,how do I tell if they caused any harm?

- ahill
systemrecure

We recommend you contact your Internet Service Provider ("ISP") and inquire if they initiated any remote support activities on your behalf. They should have detailed records if they did; otherwise they will be very interested in your story and can likely provide some direct consultation in support.

- RSA Fraud Action Research Lab
Clarification

I am looking for some clarification on the following phrase:
"The phishing attack may dupe bank customers into entering their usernames and passwords into an ordinary phishing site but the addition of a bogus live chat support window can obtain even more credentials via a live chat session initiated by fraudsters."
Does this mean that the user must first navigate to a compromised/hostile website?

- Some guy
Clarification

The assumption of this kind of attack is the victim must first be duped into visiting the phishing/scam site, from which the chat functionality is launched.

- RSA FraudAction Research Lab

Post A Comment

Your Name
Your Email Publish email?: Yes No
Your Blog
Subject
Comment
Verification Word
© 2010 RSA Security. All rights reserved | Privacy | Legal | Site Map

RSA, The Security Division of EMC, provides Secure Data, Compliance, SIM, SEM, SIEM, PCI, Consumer Identity, Two-Factor Authentication, Custom Applications, Consulting, Assessment, and other security solutions and services to over 90% of the Fortune 500.
 
Access Control |  Authentication and Identity Assurance |  Credential Management |  Data Loss Prevention |  Data Encryption and Key Management |  Fraud Prevention |  Security Information and Event Management |  Log Management |  IT Compliance |  ISO 27002 Compliance |  Information Risk Management for Financial Services |  Payment Card Industry Data Security Standard | 
 
RSA Access Manager
RSA BSAFE
RSA eFraudNetwork
 RSA Data Loss Prevention
RSA Consumer Solutions
RSA FraudAction
 RSA Digital Certificate Solutions
RSA Encryption/Key Management
RSA Enterprise Data Security
 RSA enVision
RSA SecurID
RSA Smart Cards

 RSA Federated Identity Manager
RSA Adaptive Authentication