New phishing ploy exploits secure sessions to hijack data

Researchers have devised a new way for attackers to phish for credentials without the need to send emails or trick users into visiting a malicious website.

Dubbed "in-session" phishing by web security firm Trusteer, the proof-of-concept attack leverages a vulnerability present in all major browsers that allows attackers to learn whether a user is logged into a banking site.

All criminals need to do is compromise a legitimate website with malicious JavaScript and wait for people to surf there, said Trusteer CTO Amit Klein. When users visit that site, the malcode will leverage a vulnerability in the way a certain function is implemented in popular browsers, he told SC MagazineUS.com on Monday.

If one page in a bank's website uses this function -- which is not that uncommon -- then it is possible to observe whether a particular user is simultaneously signed into that site, Klein said.

Then, through the legitimate site that they already have compromised, the malicious individuals can display a pop-up box that appears to be coming from the bank, informing users they must re-enter their banking credentials.

"Instead of pushing these scams through emails, fraudsters found it more effective to capture the users when they browse to legitimate sites," Klein said. "So they are less suspicious of anything extraordinary on one hand, and email filters are simply out of the equation at the same time."

Internet Explorer, Mozilla Firefox, Safari and Google Chrome all are vulnerable, he said. Trusteer has notified the browser manufacturers about the flaw.

Avivah Litan, vice president and distinguished analyst at Gartner, said the Trusteer proof-of-concept is quite plausible and she has seen similar attack scenarios elsewhere.

"I think anyone that underestimates phishing attacks is making a big mistake because phishing is being combined with malware that renders most traditional secure controls useless, such as SSL, HTTPS or strong authentication," she said.

Banks must respond by implementing stronger fraud detection solutions that can pick up abnormal behavior to stop live attacks, Litan said.

Klein suggests users deploy web browser security tools and ensure they are logged out of their banking sites once they have finished there.