"I definitely think it's the start of something," Gartner analyst Avivah Litan said this morning. "I think it's going to escalate now."
First discovered by internet security firm Secure Science Corp. and reported by expert Brian Krebs in his blog in The Washington Post, the clever attack is among the first of its kind.
Scammers sent an email to users saying they needed to update their Citibank account information, the Post reported. Clicking on the supplied link redirected them to a site that appeared identical to the Citibusiness login page.
The spoofed URL communicates with the real site, inserting itself between the user and Citibank server, Litan said.
"The site asks for your username and password, as well as the token-generated key," Krebs wrote. "If you visit the site and enter bogus information to test whether the site is legit – a tactic used by some security-savvy people – you might be fooled. That's because the site acts as the 'man in the middle' – it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real."
Litan said banks must take this new "next-generation" threat seriously, even though there have been relatively few such attacks so far. However, as Litan notes, when email phishing schemes began to take off several years back, Citibank was one of the early targets.
She recommends banks deploy fraud detection programs and controls that continuously authenticate users. Too much emphasis, she said, is placed on the initial login.
"If (Citibank) had that in place, they would have picked (the attack) up because they would have seen traffic coming in from another IP address or another server," Litan said.
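As an illustration of the kind of control Litan describes, the following is an added example (not code from the article, Citibank, or Gartner) that runs two simple fraud-detection rules over a constructed set of login records: a successful token login from a source IP the account has never used before, which is the "traffic coming in from another IP address" signal quoted above, and, as a generalization beyond the text, one source IP completing token logins for many distinct accounts within a short window, which is what a single relaying server looks like from the bank's side. The log format, account ids and addresses are all invented for the example.

```python
"""Toy continuous-authentication checks over constructed login records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login records (not real bank data). Each line is:
# timestamp, account id, source IP, and whether the one-time token matched.
# The last four lines model a relay server logging many accounts in from one IP.
SAMPLE_LOG = """\
2006-07-10T09:01:00 acct-1001 203.0.113.7 token_ok
2006-07-10T09:03:00 acct-1002 198.51.100.23 token_ok
2006-07-11T09:00:00 acct-1001 203.0.113.7 token_ok
2006-07-12T09:02:00 acct-1002 198.51.100.23 token_ok
2006-07-13T10:15:00 acct-1001 192.0.2.50 token_ok
2006-07-13T10:16:30 acct-1002 192.0.2.50 token_ok
2006-07-13T10:17:10 acct-1003 192.0.2.50 token_ok
2006-07-13T10:18:45 acct-1004 192.0.2.50 token_ok
"""


def parse_log(text):
    """Parse the whitespace-separated records above into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, ip, result = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "acct": acct,
            "ip": ip,
            "token_ok": result == "token_ok",
        })
    return records


def detect_anomalies(records, many_accounts=3, window=timedelta(minutes=10)):
    """Return alerts as (rule, account, ip, timestamp) tuples.

    Rule 1 fires when an account with login history succeeds from an IP it
    has never used. Rule 2 fires when the number of distinct accounts seen
    from one IP inside `window` reaches `many_accounts`.
    """
    alerts = []
    seen_ips = defaultdict(set)       # account -> IPs it has logged in from
    recent_by_ip = defaultdict(list)  # ip -> [(timestamp, account)] in window
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if not r["token_ok"]:
            continue  # failed token: not a completed login, ignore here
        # Rule 1: correct token, but from an address this account never used.
        history = seen_ips[r["acct"]]
        if history and r["ip"] not in history:
            alerts.append(("new_ip_for_account", r["acct"], r["ip"], r["ts"]))
        history.add(r["ip"])
        # Rule 2: one address completing logins for many accounts at once.
        recent = [(t, a) for t, a in recent_by_ip[r["ip"]] if r["ts"] - t <= window]
        recent.append((r["ts"], r["acct"]))
        recent_by_ip[r["ip"]] = recent
        if len({a for _, a in recent}) == many_accounts:
            alerts.append(("many_accounts_one_ip", None, r["ip"], r["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data the first rule flags acct-1001 and acct-1002 when they log in from 192.0.2.50, and the second rule flags 192.0.2.50 itself once a third account logs in from it. A new IP by itself is a noisy signal (travel, dynamic addressing), which is why real fraud systems weight it alongside device, geography and behaviour after login rather than blocking on it; the point of the example is that a relayed login can pass the token check and still be visible to controls that keep looking after the initial login.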