Jeff Robertson wrote:
Why are man-in-the-middle phishing sites suddenly talked about as a
"new" threat, as if there was rocket science involved?
For instance
http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs
_2factor_1.html
These things are basically proxies, which are as old as the web. Why
does it surprise anyone to see these combined with phishing? (Then
again, I still haven't figured out why phishing as we know it didn't
"take off" circa 1994)
Jeff Robertson
Yeah, there is nothing special about this.
At the time of the IE HTTPS Certificate attack
(http://security.e-matters.de/advisories/012001.html), I used a
transparent (arp-spoofing) MITM proxy to insert image requests for an
SSL page from the target into non-SSL pages that passed through my
proxy. After that, any subsequent requests for the targeted secure pages
(even via bookmark, etc), passed through my proxy, and I could
record/alter, etc any fields that I wanted to.
I guess one of the deterrents to using this technique is that the source
of all the connections would appear to come from a single IP. Of course,
it would not be too difficult to relay the connections via one or more
zombie computers, exactly as they do currently to harvest credentials.
This could introduce a lot of latency, which a user MIGHT notice.
Rogan
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC.
Download a free trial of AppScan today and see why more customers choose
AppScan then any other solution. Try it today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
