RSA Spots a New 'Chat in the Middle' Attack!

Just when you think you’ve seen it all, cyber criminals come up with some jaw dropping social engineering trick that demonstrates their ability to innovate and adapt.

RSA FraudAction Lab discovered an amazing new attack vector, which they dub “Chat in the Middle” phishing. It goes like this:

The victim gets a Phishing email that appears to be coming from a certain US-based financial institution. The spoofed website looks exactly like the regular bank website but as soon as the user completes the login credentials, a chat window pops up.

The fake chat “program” presents following text:

The fraud department of <name of bank> welcomes you. As part of our ongoing commitment to provide the “Best Possible” service and protection to all our customers and members, we are now requiring each member to validate their accounts. Please type your name, phone number and email so we can contact you in the morning for verification.

Unbelievable.

RSA did not name the targeted bank, but it’s clear this is the first in a series of attacks that will soon hit other financial services. With many banks starting to offer live Chat as a new, cost effective servicing tool within their online banking application, we’re bound to see more fraudsters piggybacking on this.

The current method does not require an actual live chat with a fraudster, although RSA did spot some live conversations; the user is typically supposed to complete the information and wait for the ‘fraud team’ to contact him or her. This guarantees scalability: you don’t need to chat with dozens of victims.

But an actual live chat with the victim can increase the response rate – especially if the victims wonder why they need to provide the additional data. This will require a sort of 24/7 criminal “ops center”. If you think this is stretching it too far, I’ll just mention that there’s already a telephony fraud ops center operating out of Moscow, which calls the bank on behalf of a foreign fraudster who doesn’t speak the local language; they support English, Italian and German. They charge $12/call for the service.

I also believe that eventually the main threat of Chat in the Middle will be in conjunction with Trojans, rather than Phishing. This is perfect social engineering: today’s Trojans do not give any visual cue that they ride the session with the bank. When the user attempts to access any information after logging in, the Trojan can trigger a chat window in which the fraudster will ask for additional data, including some ‘soft’ facts that can be later used with, say, the bank’s customer service department. Response rates should be alarmingly high.

I’d give a 80% chance that until mid of 2010, a similar trend will start with the Zeus and Sinowal Trojans which are already integrated with the Jabber IM.

In any event, Chat in the Middle is very clever and highly creative. It just shows what sort of arms race the industry faces, and makes another point for the approach it chose to take: fighting cyber crime by developing multiple lines of defense, and investing in cybercrime intelligence to spot emerging trends.