Lavasoft News - February 2007

Staying Out of the Phisher-man's Net

As we reported in November's issue of Lavasoft News, phishing scams, most often fraudulent e-mails that dupe users into giving up their personal information by masquerading as legitimate institutions, were one of 2006's major cyber security issues.

A new type of phishing attack, expected to be lucrative in 2007, is a slight variation, acting as a middle man between the victim and the genuine website.

Encryption company RSA discovered a "universal" man-in-the-middle phishing kit being hawked in online forums. The kit allows the attackers to create bogus URLs that communicate with both the end user and the legitimate website in real time.

Standard phishing attacks only collect specific requested data (usually login and card-related info), but this form actually intercepts any type of credentials submitted to the site after the victim has logged into his or her account.

The victim receives a normal-looking phishing e-mail and, when they click on the link, they are directed to the fake site. The victim then interacts with genuine content from the legitimate website - which has been 'imported' by the attack into the phishing URL. Because the session is relayed live, the fraudster can make an immediate financial transaction.

PayPal, whose website is often spoofed by phishers hoping to steal user account information, is doing its best to keep its customers from taking the bait. It plans to offer a new two-factor authentication system for $5 US. The security key is a small electronic device that calculates a new numeric password every 30 seconds. Logging onto the online payment service will require users to enter their regular passwords as well as the number displayed on the key.
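To make the mechanism of a "new numeric password every 30 seconds" concrete, here is an added illustration (not PayPal's or Lavasoft's code, and not a description of the actual Security Key's internals) in Python. It assumes a generic time-based one-time code built from HMAC-SHA1 in the style of RFC 4226, a six-digit display, a 30-second step, and a server that demands the static password plus a code that has not been used before. The timeline in `phishing_scenario` is constructed: the victim types password and code into a phishing page at t=1000, and the phisher then tries to use what was captured.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this illustration (not the real device's settings):
# a 6-digit HMAC-SHA1 code that changes every 30 seconds.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Counter-based one-time code: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """What the hardware key would display at time `now` (seconds since epoch)."""
    return hotp(secret, now // step)


class OtpVerifier:
    """Server side: require the static password AND a fresh, never-reused code."""

    def __init__(self, secret: bytes, password: str, window: int = 1):
        self.secret = secret
        # Illustrative password storage only; a real deployment would use a
        # slow, salted password hash rather than plain SHA-256.
        self.password_hash = hashlib.sha256(password.encode()).digest()
        self.window = window        # tolerate +/- one 30-second step of clock drift
        self.last_counter = -1      # highest time step already consumed (replay guard)

    def verify(self, password: str, code: str, now: int) -> bool:
        given = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(given, self.password_hash):
            return False
        counter = now // STEP_SECONDS
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue            # this step was already used: reject replays
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


def phishing_scenario(secret: bytes = b"12345678901234567890",
                      password: str = "hunter2") -> dict:
    """Constructed timeline: victim enters password and code on a phishing page
    at t=1000 (time step 33); the phisher then tries to use the capture."""
    server = OtpVerifier(secret, password)
    captured_code = totp(secret, 1000)
    return {
        # The stolen static password alone no longer opens the account.
        "password_only": server.verify(password, "000000", 1000),
        # A real-time relay that forwards the code within the same 30-second
        # step is accepted: this is the man-in-the-middle case the kit exploits.
        "relayed_within_30s": server.verify(password, captured_code, 1010),
        # The same code presented a second time is refused (step consumed).
        "replayed_again": server.verify(password, captured_code, 1015),
        # The captured code is worthless once its time step has passed.
        "used_after_expiry": server.verify(password, captured_code, 1100),
    }
```

The scenario shows both halves of the article's argument: a code harvested by a classic "collect and use later" phishing site expires within about a minute and cannot be replayed, but a kit that proxies the victim's session and forwards the code in real time is inside the acceptance window, which is why RSA expects these attacks to grow even as banks add one-time passwords.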

"If you fall for a phishing scam and give away your user name and password ... if you used the PayPal Security Key, a third party couldn't get to your account because they wouldn't have this dynamic digit," said Sara Bettencourt with PayPal.

The key will be beta-tested over the next few months with a public release later this year.

Several financial institutions, which are also often the targets of phishers, are testing similar one-time password products, like VeriSign's tokens. A select number of banks in the U.S. are also testing new software called BioPassword that resides on the web servers of the banks, analyzing typing rhythms to allow or deny access.

These products, designed to add a second layer of authentication to online transactions, come as new federal guidelines in the United States are calling on banks to establish multi-layer authentication security protocols for customer log-ins.

"As institutions put additional online security measures in place, inevitably the fraudsters are looking at new ways of duping innocent victims and stealing their information and assets," said Marc Gaffan, director of marketing in the Consumer Solutions division at RSA.

"While these types of attacks (man-in-the-middle attacks) are still considered 'next generation,' we expect them to become more widespread over the course of the next 12 to 18 months."

As long as there are groups like Rock Phish around, the banks should definitely be implementing several layers of security. Experts estimate this group is one of the most prominent in operation today, costing financial institutions like Citibank and Deutsche Bank more than $100 million US to date.

A real cause for concern is Rock Phish's ability to stay one step ahead of the game. According to Symantec's Zulfikar Ramzan, just as browsers have been building phishing filters into their products, the group is already hard at work creating URLs so its messages can fly under the "blacklist" radar of identified phishing addresses.

If the messages keep getting through and people keep clicking, the phishers' catch in 2007 will be big. Gartner estimates financial losses due to phishing totaled $2.8 billion US last year.

Extra! Extra!
Ad-Aware Breaks Records at
Read all about it here.
More than 3/4 of Americans are net users, spending an average of 8.9 hours online a week. For the first time in 2006, the number of women logging on equaled the number of men.
Source: Survey from the Center for the Digital Future
Term(s) of the Month
A cookie is a piece of data that a website saves on a user’s hard drive and retrieves when the user revisits that site. It may use a unique identifier that links to login data, preferences, etc. A tracking cookie is any cookie used for tracking users’ surfing habits. They are typically used by advertisers wishing to analyze and manage advertising data. Read more in Lavasoft’s Spyware Glossary.
Tech Tips
Did you know that the Lavasoft Support Forums are the perfect place to go for up-to-date technical advice? Forums Administrator Janie Whitty, aka Calamity Jane, checks all new posts made. Lavasoft staff members regularly go in to read and post. We also have a team of international volunteers who help our users with their questions and concerns. If you do not already have an account sign up today at There are currently more than 15,000 registered members!
Letters to the Editor
Thanks to all of you who wrote to us with your thoughts on spam and the future of e-mail. Spam definitely gets people talking. Read some of your letters here.
Text Size
If you think the text size on the back pages of Lavasoft News is too small, remember you can adjust the sizing in your browser when reading our newsletter online here.
Lavasoft AB
Lilla Bommen 1
411 04 Gothenburg