Fraudsters with little technical know-how are buying an online kit to set up
sophisticated phishing attacks that will bypass online authentication
protection.
The kit, dubbed the Universal Man-in-the-Middle tool by security firms, has been seen by security company RSA Security changing hands on underground online criminal forums.
The difference between this new tool and other phishing kits available, warned Mikko Hypponen, chief research officer for security company F-Secure, is its level of sophistication.
The kit makes it easy to configure spoof sites, and fraudsters who want to initiate a phishing attack do not have to buy or prepare a custom phishing kit for each target.
Security experts warned that the phishers can also bypass the stronger two-factor authentication measures that banks and some online retailers are beginning to put in place.
This form of protection is not currently commonplace in the UK but banking
payments organisation APACS has already approved standards for these devices.
Because of consumer fears and the increase in online fraud, many banks, such as Barclays and Lloyds TSB, are considering rolling it out to their online banking customers.
They are considering devices such as card readers with rolling PINs or passwords that can only be used once during a login or transaction.
Alliance and Leicester has its own form of this protection.
However, security experts warned that the new attack could make this protection useless, because the kit allows criminals to capture and use victims' personal information online in real time.
The new attack retains some of the old dodges; the victim gets the usual
phishing email which, for example, tells them that their bank is upgrading its
site. If the user wants to continue to bank online they are told to click on the
link and verify themselves.
However, the spoof websites do not mimic a genuine site but 'import' and
display the genuine site's information; effectively the spoof site acts as a
channel through which all the information flows.
Although neither the victim nor the bank is aware of it, if a one-off PIN or password is asked for and given, it first has to pass through the phishers. So not only is static data captured for possible future use, but when the victim logs in to their account, even with dynamic data, they take the phishers along with them.
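The point above, that a one-time code is only as good as the channel it travels over, is easier to see with a small model. The following Python is an added example and not code from the article, from RSA, F-Secure or APACS: it models a rolling-code device as an HMAC over a counter (a stand-in, not any real card-reader scheme), and contrasts it with a hypothetical device response that also covers the origin the customer's browser is actually talking to. Both the "bank" and the "spoof site" here are constructed in-process strings and functions; nothing is networked. The origin-binding mitigation is the example's own assumption, not something the article describes.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; no real bank, device or site is modelled.
BANK_ORIGIN = "https://bank.example"            # the genuine site
PHISH_ORIGIN = "https://bank-upgrade.example"   # the relay site the victim is actually on
DEVICE_SECRET = b"constructed-device-secret"    # shared by the customer's token and the bank


def device_one_time_code(counter: int) -> str:
    """Rolling one-time code from a card reader: depends only on the secret and a counter."""
    mac = hmac.new(DEVICE_SECRET, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def bank_accepts_one_time_code(code: str, counter: int) -> bool:
    """Bank-side check: the code says nothing about where it was typed, so a relayed code passes."""
    return hmac.compare_digest(code, device_one_time_code(counter))


def device_origin_bound_response(challenge: bytes, origin_seen_by_client: str) -> bytes:
    """Hypothetical device response covering the bank's challenge AND the origin the client sees."""
    return hmac.new(DEVICE_SECRET, challenge + origin_seen_by_client.encode(), hashlib.sha256).digest()


def bank_accepts_origin_bound(challenge: bytes, response: bytes) -> bool:
    """Bank-side check recomputed over the bank's own origin; a response bound elsewhere fails."""
    expected = device_origin_bound_response(challenge, BANK_ORIGIN)
    return hmac.compare_digest(response, expected)


def relayed_one_time_code_accepted(counter: int) -> bool:
    """Model of the article's scenario: the victim types a rolling code into the spoof site,
    which forwards it unchanged to the bank. The bank cannot tell the difference."""
    code_typed_at_spoof = device_one_time_code(counter)
    forwarded_to_bank = code_typed_at_spoof
    return bank_accepts_one_time_code(forwarded_to_bank, counter)


def relayed_origin_bound_accepted(challenge: bytes) -> bool:
    """Same relay, but the device binds its response to the origin the victim is really on
    (the spoof site), so the forwarded response does not verify at the bank."""
    response_at_spoof = device_origin_bound_response(challenge, PHISH_ORIGIN)
    forwarded_to_bank = response_at_spoof
    return bank_accepts_origin_bound(challenge, forwarded_to_bank)


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)
    print("relayed rolling code accepted by bank:", relayed_one_time_code_accepted(7))        # True
    print("relayed origin-bound response accepted:", relayed_origin_bound_accepted(challenge))  # False
```

The first check passing is exactly the problem the article describes: a fresh code is still just a value the victim types, so a site sitting in the middle can forward it within its validity window. The second check fails not because the relay is detected, but because the response was computed for the wrong origin; that is the property a bank would want from a stronger credential, and it is the reason the "one-off PIN" alone does not close this gap.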
An APACS representative said that although its experts had seen this form of attack abroad, it had not been alerted to any problems with this form of phishing attack by UK banks.
"One thing to remember is it is technically complex and also labour intensive
to carry out these attacks in real time. However, people should always make sure
their PC is adequately protected and never click on an unsolicited email," the
organisation said.
However, Mikko Hypponen warned that this kit was not necessarily being used
by the technically competent criminal and many believe it and other kits like it
could unleash the next generation of phishing attacks.
"RSA has seen this change hands but none of [the security companies] has been
able to get their hands on it yet to see what else it can do. The phishers are
doing their best to keep one step ahead of us," he said.