A new 'Chat-in-the-Middle' fraud tactic was recently discovered by the RSA FraudAction Research Lab, according to which the phishing site intercepted is using the hosting services of a well known managed cybercrime network, with the campaign itself in an apparent test mode since they've only detected a single instance of the attack.
Here's how it works, and why going mainstream with such a feature from a phisher's perspective may in fact make their phishing campaign a less profitable, and much more time-consuming process than it currently is:
Basically, the prospective victim receives a phishing email detailing a compromise at the targeted financial institution or request for personal data confirmation, requiring them an enter their authentication details and personal identification on a phishing site. Once the prospective victims visit the site, a Live Chat box pops-up with a "phishing assistant" attempting to walk you through the process of having your bank account compromised:
Through social engineering, the fraudster attempts to obtain further information from the victim over the live chat platform. The fraudster presents himself as a representative of the bank's fraud department, claiming that the bank is "now requiring each member to validate their accounts". The fraudsters then collect additional information pertaining to the user - name, phone number and email address. These details may facilitate online or phone fraud against the user's account, and are possibly used for contacting the customer at a later stage as suggested in the chat window.
Certain phishing gangs are known to understand the basics of quality assurance in the past, with the majority of their DIY (do-it-yourself) phishing pages coming with built-in credit card validation checks in order to ensure that no bogus financial will be submitted, thereby requiring time and resources to sort out the real phished data. In this sense, is the newly introduced 'Chat-in-the-Middle' fraud tactic yet another featured released with quality assurance in mind, or is it an experiment whose lack of efficiency-oriented approach common for cybercriminals will spell its demise?market segmentation approaches combined with translated phishing pages to the native language of the prospective victim.
Underground social engineering services on demand have been available for years. Last year, a newly launched such service was offering "social engineering services over the phone" doing exactly what the people behind the 'Chat-in-the-Middle' are attempting to do. The service is offering male and female voices in five different languages, and is charging $9 per call, appears to have been launched in order to break the language barrier for cybercriminals.
However, if a mainstream phishing gang using mass marketing practices and not relying on targeted attacks were to implement a Live Chat and a "phishing campaign assistant", it would undermine one of their key success factors - the volume of the campaign and the millions of emails sent where even if a small number of victims get phished it would still mean a profit for them. A profit they would have to share with the "Live phishers".
Phishing stats graph courtesy of Symantec's August Spam Report.