Researchers have devised a new way for attackers to phish for credentials without the need to send emails or trick users into visiting a malicious website.
Dubbed "in-session" phishing
by web security firm Trusteer, the conceptualized attack leverages a vulnerability present in all major browsers that allows attackers to learn if a user is logged into a banking site.
If one page in a bank's website uses this function -- which is not that uncommon -- then it is possible to observe whether a particular user is simultaneously signed into that site Klein said.
Then, through the legitimate site that they already have compromised, the malicious individuals can display a pop-up box that appears to be coming from the bank, informing users they must re-enter their banking credentials.
"Instead of pushing these scams through emails, fraudsters found it more effective to capture the users when they browse to legitimate sites," Klein said. "So they are less suspicious of anything extraordinary on one hand, and email filters are simply out of the equation at the same time."
Internet Explorer, Mozilla Firefox, Safari and Google Chrome all are vulnerable, he said. Trusteer has notified the browser manufacturers about the flaw.
Avivah Litan, vice president and distinguished analyst at Gartner, said the Trusteer proof-of-concept is quite plausible and she has seen similar attack scenarios elsewhere.
"I think anyone that underestimates phishing attacks is making a big mistake because phishing is being combined with malware that renders most traditional secure controls useless, such as SSL
or strong authentication
," she said.
Banks must respond by implementing stronger fraud detection solutions that can pick up abnormal behavior to stop live attacks, Litan said.
Klein suggests users deploy web browser security tools and ensure they are logged out of their banking sites once they have finished there.