Malware, Network Security, Phishing, Vulnerability Management

New phishing ploy exploits secure sessions to hijack data

Researchers have devised a new way for attackers to phish for credentials without the need to send emails or trick users into visiting a malicious website.

Dubbed "in-session" phishing by web security firm Trusteer, the conceptualized attack leverages a vulnerability present in all major browsers that allows attackers to learn if a user is logged into a banking site.

All criminals need to do is compromise a legitimate website with malicious JavaScript and wait for people to surf there, said Trusteer CTO Amit Klein. When users visit that site, the malcode will leverage a vulnerability in the way a certain function is implemented in popular browsers, he told SC MagazineUS.com on Monday.

If one page in a bank's website uses this function -- which is not that uncommon -- then it is possible to observe whether a particular user is simultaneously signed into that site Klein said.

Then, through the legitimate site that they already have compromised, the malicious individuals can display a pop-up box that appears to be coming from the bank, informing users they must re-enter their banking credentials.

"Instead of pushing these scams through emails, fraudsters found it more effective to capture the users when they browse to legitimate sites," Klein said. "So they are less suspicious of anything extraordinary on one hand, and email filters are simply out of the equation at the same time."

Internet Explorer, Mozilla Firefox, Safari and Google Chrome all are vulnerable, he said. Trusteer has notified the browser manufacturers about the flaw.

Avivah Litan, vice president and distinguished analyst at Gartner, said the Trusteer proof-of-concept is quite plausible and she has seen similar attack scenarios elsewhere.

"I think anyone that underestimates phishing attacks is making a big mistake because phishing is being combined with malware that renders most traditional secure controls useless, such as SSL, HTTPS or strong authentication," she said.

Banks must respond by implementing stronger fraud detection solutions that can pick up abnormal behavior to stop live attacks, Litan said.

Klein suggests users deploy web browser security tools and ensure they are logged out of their banking sites once they have finished there.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.