Paul Ducklin, Sophos plc Asia Pacific head of technology, said he first heard about real-world URL-based man-in-the-middle attacks during the Virus Bulletin 2006 conference held in Montreal.

Ducklin said it is unknown whether the phishing toolkit discovered by RSA fetches and relays current Web content to mimic the site does more sophisticated stuff like subverting token-based logons through acquiring and reusing one-time token data in real time.