New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims

chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."

Need better security

[rdebath]

It looks like banks and gov departments can no longer be trusted as normal web sites. They have to be setup to be only available through SSL and must use client certificates for authentication with some way of verifing that the server certificate matches the client certificate.

Only then could the software (possibly a custom configuration of a web browser, maybe an normal one) actually be sure of defeating a phishing attack.

Of course the main reason it'd work is that with a client certificate there's no password to "phish" for.

Something tells me that the banks are too lazy to do this; every other web site will have to be SSL before they get on the bandwaggon.

Re:Need better security

[Sepodati]

They need to do like European banks and issue keypads that generate one-time codes in conjuction with the card.

Re:Need better security

[Anonymous Coward]

US banks are so uncaring about user's security. Even in third-world countries like Indonesia, all major banks have incorporated token/OTP (or at least SMS) for all personal/business accounts.

Does this really work though?

[DrXym]

I expect antivirus companies, just like government agencies have registered hundreds or thousands of email addresses all over the world on different service providers and domains with the express purpose of harvesting spam. Therefore they're likely to receive legitimate links to phishing sites or be able to identify ones which are protected by per-mark unique urls. And of course the likes of Google, Microsoft, Yahoo et al who run their own webmail services could roll as many spam traps as they liked and analyse spam going to users too.

So while it might afford some protection to the phishing site, it doesn't seem very likely that it would protect them from further scrutiny.

I think a bigger benefit for phishers is they can identify users who click on these links they can focus their attention on them rather than on users who don't. Somebody dumb enough to click on these links and fill in data is obviously a more valuable target than someone who never responds.

Personally I think the best way to combat phishers would be for major mail providers to work with banks and credit institutions to poison phishing sites with bogus data and flagged cards / accounts.

Re:Need better security

[neyla]

Not at all. BankID, the dominant form of bank-authenthication in Norway issues OTP-calculators to everyone, including average private people with a perfectly ordinary account.

As an alternative, they have a solution where the SIM-card in your mobile-phone is used by an app to authenthicate you.

In both cases the same thing is true: logging in to your bank requires knowledge of your passphrase -- but *also* physical possession of a object - so a phisher would need to get both somehow, in order to be able to impresonate you.

It might not make phishing impossible, but it does make it a lot more difficult.

Re:How are they validating ID?

[Abstrakt]

So which is it? Aren't they using IP addy to verify the identity of the sucker? Or is their some other source (their unique URL that they post)?

We've started seeing some of these newfangled phishing emails over the last few days. The victim's email address is used as an identifier. It is simply appended to the URL by the mailer bot, so that the link sent to the victim will look something like this:

hxxp://compromisedsite.ru/joe33/somebank/?victim@gmail.com

That URL would lead to a script hosted on a compromised site, which looks up the email address in a whitelist before serving either a credential-collecting scam page or a bogus 404 error.

But this is all very basic stuff, and it is not hindering forensic investigators in the least. The folks investigating such scams don't just stumble upon them by accident; they rely instead on vigilant users and admins who take the time to report phishing emails. Once they get a report they already have a whitelisted URL to begin with.