
New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims

chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
  • by sevenisloud ( 1688814 ) on Thursday January 17, 2013 @05:18AM (#42614631)

    As far as I can tell the OTP calculators are only issued for business accounts, normal "end user" accounts have minimal provisions.

    Here in the UK HSBC, Barclays and others issue OTP calculators to all their Internet banking customers.

  • by History's Coming To ( 1059484 ) on Thursday January 17, 2013 @10:29AM (#42616107) Journal
    They don't, that's the point.

    I use precisely this technique for presenting discount vouchers to people who have signed up to a restaurant mailing list, identical system but for white hat purposes:

    1 - send an email to the relevant contacts, including an embedded image at domain.com/voucher.php?id=xyz where "xyz" is a unique account ID.

    2 - when the recipient receives the email the voucher that is displayed has their name on it, the image is generated on-the-fly using the unique ID to get the name right.

    3 - (this is the important bit) - if anyone logs into domain.com/voucher.php without passing a correct ID then they simply see a voucher marked as invalid, and a link to where they can sign up. In my case it stops non-members getting a voucher, in the spammer's case it stops a non-target (including investigators) from seeing the exploit being presented to a "customer", most likely someone from a list of known phishing mugs.
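
For analysts on the receiving end of this gating, a triage sketch (an added example, not code from the story, RSA or any commenter): it groups reported URLs by host and path, spots query parameters whose value is different in every report, and refuses to close a case on a 404 when such a per-recipient ID is present. The hostnames, the `id` parameter carried in the query string, and the verdict names are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: (reported URL, HTTP status the analyst's fetch returned).
REPORTS = [
    ("http://bank-login.example/secure/index.php?id=a91f3c07&lang=en", 404),
    ("http://bank-login.example/secure/index.php?id=5be2d410&lang=en", 404),
    ("http://bank-login.example/secure/index.php?id=c7730e9a&lang=en", 200),
    ("http://bank-login.example/secure/index.php", 404),
    ("http://old-kit.example/login.html", 404),
    ("http://old-kit.example/login.html", 404),
]

def per_recipient_params(urls):
    """Return query parameters whose value differs in every URL that carries them."""
    values = defaultdict(list)
    for url in urls:
        for key, val in parse_qsl(urlsplit(url).query):
            values[key].append(val)
    return {k for k, v in values.items() if len(v) >= 2 and len(set(v)) == len(v)}

def triage(reports):
    """Group reports by host+path and decide whether a 404 is enough to close."""
    groups = defaultdict(list)
    for url, status in reports:
        parts = urlsplit(url)
        groups[(parts.hostname, parts.path)].append((url, status))
    verdicts = {}
    for page, items in groups.items():
        tokens = per_recipient_params([u for u, _ in items])
        statuses = {s for _, s in items}
        if tokens and 404 in statuses:
            # The 404 may only mean the fetch did not carry a whitelisted ID.
            verdicts[page] = ("hold", sorted(tokens))
        elif statuses == {404}:
            verdicts[page] = ("close", [])
        else:
            verdicts[page] = ("live", sorted(tokens))
    return verdicts

if __name__ == "__main__":
    for page, (verdict, tokens) in triage(REPORTS).items():
        print(page, verdict, tokens)
```

A "hold" verdict means the page should be kept open and re-examined with the reported URLs preserved exactly as received, since a crawler that strips or normalises the query string will always be bounced.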
