Fraudsters attempt to dupe victims in real time

Sep 17, 2009 10:39 GMT

Security researchers have identified what is probably the first case of a phishing scheme including a live-chat component. The attackers pose as bank representatives and try to talk their victims into disclosing their personal information.

The new scam was discovered by researchers from the RSA FraudAction Research Lab, who dubbed it "Chat-in-the-Middle phishing." At the moment, this attack targets a single financial institution based in the United States, but use of the underlying phishing kit is expected to spread in the near future.

The scam starts like any regular phishing scam: social engineering is used to trick the user into visiting a fake Web page masquerading as the real bank's website. On arriving at this page, the potential victim is presented with a login form and asked to authenticate. Any credentials entered are forwarded to the attackers.

At this point, depending on the purpose of the attack, a conventional kit either redirects the victim to the genuine website, so that they believe their login attempt simply failed, or continues to display further fake pages. In this new scheme, however, the rogue authentication form is followed by a live chat session that opens inside the browser window, and a second social-engineering component kicks in.

The live chat actually connects the victim to a fraudster who claims to be a bank representative. Citing a newly enforced bank-account validation policy, the fraudster asks the unsuspecting user for personal information such as their real name, phone number or email address, and informs them that they will be contacted at a later time.

According to the RSA researchers, this particular attack "is hosted on a well-known fast flux network," while the chat messages "are processed in the background through a Jabber module located on the fraudster’s computer." The Jabber (XMPP) instant messaging protocol lets the attacker handle multiple chat sessions at the same time from a locally installed client.
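The two components described above, a credential-harvesting login form and an in-browser chat transport relayed to the fraudster, are what a bank's abuse or takedown team would look for when triaging a customer-reported page. The script below is an added example, not RSA's analysis tooling or the phishing kit's code. The chat indicators (BOSH `/http-bind` endpoints, XMPP-over-WebSocket, the Strophe.js library, "jabber"/"livechat" strings), the `legit_host` parameter and both sample pages are assumptions constructed for illustration; the report only says the chat is relayed through a Jabber module and does not describe the client-side transport.

```python
"""Triage a reported page for the chat-in-the-middle pattern:
a password form that posts somewhere other than the bank's real host,
combined with an embedded live-chat transport.

Added example (not the kit's or RSA's code). Indicators and sample
pages are constructed assumptions, not observed artifacts.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed client-side signs of an in-browser XMPP/Jabber chat widget.
CHAT_INDICATORS = (
    r"/http-bind",        # XMPP over BOSH endpoint (XEP-0124), assumed
    r"xmpp-websocket",    # XMPP over WebSocket (RFC 7395), assumed
    r"strophe",           # Strophe.js XMPP client library, assumed
    r"jabber",
    r"livechat",
)


class _FormScanner(HTMLParser):
    """Collect every <form>, its action target, and whether it takes a password."""

    def __init__(self):
        super().__init__()
        self.forms = []        # [{"action": str, "has_password": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_page(html: str, page_host: str, legit_host: str) -> dict:
    """Return indicator flags and a verdict for one captured page.

    page_host:  host the page was served from (e.g. a fast-flux node)
    legit_host: the bank's genuine login host (assumed known to the analyst)
    """
    scanner = _FormScanner()
    scanner.feed(html)

    credential_forms = [f for f in scanner.forms if f["has_password"]]
    # A relative action posts back to the page's own host; an absolute one
    # names its host explicitly. Either way, a password form that ends up
    # anywhere but the bank's real host is harvesting credentials.
    harvesting = any(
        (urlparse(f["action"]).netloc or page_host).lower() != legit_host.lower()
        for f in credential_forms
    )

    chat_hits = [p for p in CHAT_INDICATORS if re.search(p, html, re.IGNORECASE)]

    if harvesting and chat_hits:
        verdict = "chat-in-the-middle phishing"
    elif harvesting:
        verdict = "credential phishing"
    elif chat_hits:
        verdict = "inconclusive: chat transport without credential harvesting"
    else:
        verdict = "no phishing indicators"

    return {
        "credential_form": bool(credential_forms),
        "harvesting": harvesting,
        "chat_indicators": chat_hits,
        "verdict": verdict,
    }


# Constructed sample: fake bank login on a look-alike host, posting to the
# kit's own login.php, with a BOSH/Strophe chat widget embedded.
PHISH_PAGE = """<html><head>
<script src="https://static.cdn.example/strophe.min.js"></script>
<script>var BOSH_SERVICE = "http://chat-relay.example.net/http-bind";</script>
</head><body>
<form action="login.php" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<div id="livechat"></div>
</body></html>"""

# Constructed sample: the genuine login page, no chat component.
BENIGN_PAGE = """<html><body>
<form action="https://www.bank.example/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
</body></html>"""

if __name__ == "__main__":
    print(triage_page(PHISH_PAGE, "secure-bankname.example.net", "www.bank.example"))
    print(triage_page(BENIGN_PAGE, "www.bank.example", "www.bank.example"))
```

The harvesting check deliberately treats a relative form action as posting to the page's own host, which is how a kit hosted on a fast-flux node collects credentials before passing the victim on; the chat check is only a string-level heuristic and should be confirmed by looking at what the page actually connects to.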

"While at this point RSA has witnessed only a single instance of this attack, we are recommending extra vigilance to operators of all online banking websites and other websites where user credentials are targeted. This includes, but is not limited to, informing customers to be aware of unusual online chat activity and to remind them that their bank and most other websites will never ask them to divulge information concerning their username/password or challenge/response questions," the researchers advise.