New phishing tool mimics logged in dashboards

Powered by SC Magazine
 

Plays on TSURT.

A new phishing techniques has emerged that tricks users into handing over credentials by mimicking popular website's user dashboards. 


A CBA phishing variant

The phishing attacks were generated by a Python tool which produced custom webpages designed to mimic websites like online banking and social networking sites. 

The developer of the tool, Australian researcher Jamieson O'Reilly, said the attacks exploit users who are accustomed to remaining signed into web sites via session cookies.

"The general user [finds] it normal to just open a browser and be already logged in which is where this vector takes advantage," O'Reilly said.

The Python-based tool, dubbed TSURT (trust in reverse) uses the open source web scrapy framework Scrapy to pull user information like logos or avatars from a target site which are then embedded in the phishing page.

This makes the phishing page appear as a legitimate logged in dashboard.

In a video demonstration, the tool pulls down a Facebook account profile picture which is then placed inside a fake Facebook dashboard screen featuring a fake private message.

Users tempted to click on the fake message are prompted to log into Facebook at which point their credentials are stolen.

O'Reilly says the Facebook template could be customised to suit a targeted attack on a variety of sites including online banking.

"The attack can be just as easily implemented to a banking site. If an attacker wants to do a targeted attack its not the hardest thing in the world to have access to basic creds like account number or BSB."

"If a victim saw this in a banking dashboard it would definitely raise less alarms alarms as opposed to usual phishing techniques which just rudely slap the user with a login page."

TSURT will be available on GitHub later today.

Copyright © SC Magazine, Australia


New phishing tool mimics logged in dashboards
 
 
 
Top Stories
Toll Group to go Google
Poaches Woolworths project manager.
 
How News Corp's CIO tackled skills in his race to the cloud
What to do when your team’s talents are no longer needed.
 
Photos: How Thodey transformed Telstra
From turbulent Trujillo to Australia's leading telco.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 3974

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 1356

Vote