Researchers at the RSA security research group said they’ve discovered a “Chat-in-the-middle” phishing attack in which a thief uses a chat channel to extract banking Web site security information from victims. Bank customers are lured into entering their usernames and passwords on a normal phishing site, then a phony live-chat support window opens and a fraudulent operator tries to extract even more banking credentials.
The researchers said they found only one instance of it and didn’t expect it to become widespread, since it would be a time-consuming way for phishers to get information. They said they notified the one bank whose customers were targeted.
Thinking one step into the future, however, the thieves behind phishing scams could exploit this technology by recruiting “work-at-home” operators to take information from victims on chat, then relay it to them. Money mules and human captcha breakers are already providing similar “services.”
And, if you REALLY want to put on the tinfoil hat, consider the possibility of groups on the dark side recruiting “work at home” operators to provide all three services… with training courses and annual conferences at a resort in Odessa… and certification bodies… (God, I gotta stop reading this stuff!)