(via Schneier’s security blog)
In an effort to fool more people, phishers have taken to using man-in-the-middle attacks. In the past, if you suspected a site was a scam or an email was a phishing attempt, you could enter bogus login information, see a success message, and know that the setup was a fake. Now the Washington Post has an article about phishers putting up a fake site that passes whatever you type straight on to the real host (in this case a bank, but sometimes eBay, PayPal, Amazon, and others) and uses the real host’s answer to decide what you see. So if you enter bogus information, the fake site shows you the real site’s “Bad login” response. If you enter real information, you end up forwarded to the real login success screen on the real host, and the phisher has a confirmed, working account (and, as the article notes, the one-time token code you typed along with it).
The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit — a tactic used by some security-savvy people — you might be fooled. That’s because this site acts as the “man in the middle” — it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.
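To make the relay concrete, here is a small in-process simulation of the exchange described above. This is an added example, not code from the post, the Washington Post article, or any real phishing kit: the “real” bank backend and the phishing site are both plain Python functions, the account, password and token secret are constructed sample data, and the token is assumed to be an RFC 6238 TOTP code (the article only says “token-generated key”).

```python
"""Simulation of a relay ("man in the middle") phishing site.

Added example, not from the original post. Everything below is constructed:
the account, the password, the token secret and the fixed timestamp.
The one-time token is modelled as a TOTP code (an assumption; the article
only says "token-generated key").
"""
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the real site's account database.
REAL_ACCOUNTS = {
    "alice": {"password": "correct horse", "totp_secret": b"0123456789abcdef"},
}


def totp_now(secret, t=None):
    """RFC 6238 code: HMAC-SHA1 over the 30-second step counter, 6 digits."""
    counter = int((t if t is not None else time.time()) // 30)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)


def real_site_login(username, password, token, t=None):
    """The genuine login endpoint. Returns (http_status, body)."""
    acct = REAL_ACCOUNTS.get(username)
    if acct is None or acct["password"] != password:
        return 401, "Bad login"
    if token != totp_now(acct["totp_secret"], t):
        return 401, "Bad login"
    return 200, "Welcome, %s. Last login: ..." % username


class RelayPhisher:
    """The fake site: forwards every submission upstream and mirrors the reply."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.confirmed = []  # (user, password, token) tuples the real site accepted

    def handle_login(self, username, password, token, t=None):
        status, body = self.upstream(username, password, token, t)
        if status == 200:
            # Real site accepted it: the phisher now holds a confirmed account
            # and a one-time code that is valid for the current time window.
            self.confirmed.append((username, password, token))
        # Either way the victim sees exactly what the real site returned, so
        # bogus credentials produce a genuine-looking error.
        return status, body


def bogus_credential_test(login):
    """The "security-savvy" check from the article: does the site reject junk?

    Returns True if the site looks legitimate by this (now useless) test.
    """
    status, _ = login("nobody", "not-a-password", "000000")
    return status != 200


def demo(t=1_700_000_000):
    """Run the exchange at a fixed time so the token is reproducible."""
    phisher = RelayPhisher(real_site_login)
    looks_legit = bogus_credential_test(
        lambda u, p, tok: phisher.handle_login(u, p, tok, t))
    code = totp_now(REAL_ACCOUNTS["alice"]["totp_secret"], t)
    status, body = phisher.handle_login("alice", "correct horse", code, t)
    return {
        "bogus_test_passes": looks_legit,   # True: the fake site passes the test
        "victim_sees": (status, body),      # the real welcome page, relayed
        "phisher_holds": list(phisher.confirmed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The point the simulation makes is that the relay never has to know whether credentials are valid; it lets the real site decide and echoes the verdict, so the “type junk and see if it complains” heuristic can no longer tell the two apart. The one-time token does not help either: the phisher submits it to the real site inside the same 30-second window the victim typed it in. The only thing the relay cannot forge is the hostname the browser is actually connected to.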
By the way – Mr. Schneier predicted this last year (and really, it was a pretty obvious next step for phishers to take – I predicted it, too, but I’m not smart enough for anyone to listen to me).
[tags]Phishing, Online security, Computer fraud[/tags]