A new, unique type of phishing attack targeted against online banking customers was recently discovered by the RSA FraudAction Research Lab. RSA has coined this as a “Chat-in-the-Middle” phishing attack and it is first executed through routine means but then presents a more advanced layer of perpetrating online fraud. The phishing attack may dupe bank customers into entering their usernames and passwords into an ordinary phishing site but the addition of a bogus live chat support window can obtain even more credentials via a live chat session initiated by fraudsters.
During the live chat session, the fraudster behind the attack presents himself as a representative of the bank’s fraud department and attempts to dupe customers who are online into divulging sensitive information – such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.
Upon detecting the attack RSA immediately informed the affected financial institution and commenced a standard phishing attack shut-down procedure through the RSA Anti-Fraud Command Center and its RSA FraudAction service. (RSA cannot identify this bank in order to protect its security and privacy.) The attack is hosted on a well-known fast flux network for “hire” from fraudster to fraudster, which hosts a wealth of malicious websites such as phishing attacks, Trojans infection points, mule recruitment websites, and more.
The Design of the Attack
The phishing attack starts out as a normal phishing website (figure1) that prompts customers for their usernames and passwords. Usually at this point, after providing access credentials, phishing victims are redirected either to the next page (or pages) of the phishing website or to the genuine bank website. However, this attack proceeds with a new, advanced technique for obtaining additional information on victims – instead of being redirected to the next page of the phishing kit or the genuine site, a fake live-chat support window appears launched by the fraudster as part of the attack (Figure 2).
Figure 1: The First Stage of the Chat-in-the-Middle Phishing Attack
Figure 2: The Bogus Live-Chat Support Window:
The Second Stage of the Chat-in-the Middle Phishing Attack
Through social engineering, the fraudster attempts to obtain further information from the victim over the live chat platform. The fraudster presents himself as a representative of the bank’s fraud department, claiming that the bank is “now requiring each member to validate their accounts”. The fraudsters then collect additional information pertaining to the user – name, phone number and email address. These details may facilitate online or phone fraud against the user’s account, and are possibly used for contacting the customer at a later stage as suggested in the chat window.
It seems that the live chat window within this phishing kit is constantly changing. Other versions that we tracked of the same kit featured a different text messages in the chat window, and an interactive chat between the fraudster and phishing victims.
Figure 3: Bogus Live-Chat Support Window:
Another Version of the Same Chat-in-the-Middle Attack
(It is important to note that the live chat window is launched by the fraudster, and bears absolutely no relation to any Instant Messaging (IM) application whatsoever that may be located on the victim’s computer. The attack is not launched through IM, but through a normal phishing site, and IM applications are not targeted.)
Jabber IM, Yet Again
While the fraudster chats with the victim through the bogus live chat window, the chat messages are processed in the background through a Jabber module located on the fraudster’s computer. Jabber is an open source instant messaging (IM) protocol, which has recently been gaining popularity among fraudsters for the purpose of receiving stolen credentials in real time. As we reported in our previous blog post, the last time we came across Jabber it was used to forward stolen credentials in real time from a Zeus Trojan’s drop server to Trojan herders. While the browser-based chat window does not require victims to have Jabber or an IM application installed on their computer, Jabber is used by the fraudster to manage the one-on-one chat on the back-end.
The live chat tactic also ensures that the compromised information is delivered to the fraudster in real time – a necessary feature in attack scenarios that require real time access to the victim’s account. While the attack is under investigation, RSA currently has no information showing that the fraudster behind the Chat-in-the-Middle attack is using the victim’s stolen credentials to log in to the compromised accounts in real time.
While at this point RSA has witnessed only a single instance of this attack, we are recommending extra vigilance to operators of all online banking websites and other websites where user credentials are targeted. This includes, but is not limited to, informing customers to be aware of unusual online chat activity and to remind them that their bank and most other websites will never ask them to divulge information concerning their username/password or challenge/response questions.