RSA Security Inc. is warning that phishers have developed a faster way to steal money.
The Bedford, Mass., vendor, a unit of EMC Corp., said last week that it had discovered online toolkits that can be used to log in to online banking sites the instant a customer's password is obtained.
Because passwords seldom change, criminals have not been in a rush to use stolen passwords; they could use the information at their leisure to try to drain an online banking account, or sell it to another criminal.
But as banks bolster security, with such techniques as one-time passwords and session monitoring, criminals have realized that they need to take advantage of the stolen data faster.
RSA said that the toolkits, each known as a Universal Man-in-the-Middle Phishing Kit, are available for sale online and can be used with any bank's brand. The software can access a customer's account and send transaction instructions to a bank during the customer's banking session.
These scams are called "man in the middle" attacks because the fraudster places himself in the middle of an active session. If the fraudster is prompted for extra authentication, such as a challenge question or a request for a one-time password, the customer is available to answer it and allow further access.