A New Way to Phish Could Hook Even Wary Users

So, you've decided to log into your bank's website to figure out if you can afford the newest techno-bling shown at CES. Your bank gives you the nod, and you open up another browser tab (or window) to cruise over to your favorite tech reseller. After doing a few price and stock checks, a pop-up window appears: your bank session has timed out - and if you want to double-check your available credit or account balance, you need to log in again. Should you click and go?
If you shrug and say "sure," you'd probably have fallen for the latest phishing method. As reported by ArsTechnica, "in-session" phishing doesn't use traditional methods such as fake emails or fake websites to do its dirty work. Instead, in-session phishing is the next step in exploiting legitimate sites that are infected by malware. This time, infected websites exploit a JavaScript flaw found in all popular browsers.
According to the security firm Trusteer (PDF), in-session phishing works this way:
The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.
This flaw (described by Trusteer in a deliberately vague way to avoid helping the bad guys), when combined with a legitimate website that's been infected, enables the infected website to spawn a pop-up that looks as if it's coming from the site you originally logged into. To make matters worse, Trusteer says the pop-up could also be something even more innocuous, such as an online survey or a mini-Flash game, instead of a prompt to log back in.
How big a threat is in-session phishing? The malware works if, and only if, you are logged into a legitimate site at the same time you access an infected site that is running malware configured to attack the site you're logged into, which narrows the window of opportunity. Even so, it could be significant - especially because it is launched while you're logged into legitimate websites. Until banks, e-commerce, and social-networking sites get around to warning users to avoid pop-up "relogins," protect yourself by logging off secure websites as soon as you've finished your business. If you really want to see your credit balance while you're shopping online, do it the old-fashioned way: make a printout, or save a tree and create a PDF file. Stay safe out there!
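The advice above (log off as soon as you're done, and treat a pop-up "relogin" with suspicion) has a server-side counterpart: a site that ends sessions itself, with a full-page redirect to its own login page, never has a legitimate reason to show an in-page "log in again" pop-up. The following is an added example, not Trusteer's, ArsTechnica's, or any bank's code; the policy values, store layout and `handleRequest` shape are assumptions chosen to illustrate the pattern, and the timestamps are constructed.

```javascript
// Added example: server-side idle and absolute session timeouts for a web
// application. Hypothetical code, not taken from any real site.
// Design rule: when a session expires, the server invalidates it and answers
// with a redirect to a full-page login on its own origin. It never asks the
// browser to show an in-page pop-up, so a "please log in again" pop-up layered
// over the site is by itself a warning sign for the user.

const POLICY = {
  idleTimeoutMs: 15 * 60 * 1000,            // 15 minutes without a request (assumed)
  absoluteLifetimeMs: 8 * 60 * 60 * 1000,   // 8 hours regardless of activity (assumed)
  loginPath: '/login',
};

// Session store keyed by an opaque session id (assumed to be a
// cryptographically random value issued at login). Passed explicitly so each
// caller (and each test) gets its own isolated store.
function createStore() {
  return new Map();
}

function createSession(store, sessionId, userId, now) {
  const session = { userId, createdAt: now, lastSeenAt: now };
  store.set(sessionId, session);
  return session;
}

// Returns why a session is no longer acceptable, or null if it is still valid.
function sessionExpiryReason(session, now, policy = POLICY) {
  if (!session) return 'unknown';
  if (now - session.createdAt >= policy.absoluteLifetimeMs) return 'absolute';
  if (now - session.lastSeenAt >= policy.idleTimeoutMs) return 'idle';
  return null;
}

// Decide how to answer a request that carries a session cookie. `now` is
// injected (milliseconds since the epoch) so the logic runs without a clock.
function handleRequest(store, sessionId, now, policy = POLICY) {
  const session = store.get(sessionId);
  const reason = sessionExpiryReason(session, now, policy);
  if (reason !== null) {
    // Expired: drop it server-side so the id cannot be replayed later, clear
    // the cookie, and send the browser to the real login page on this origin.
    store.delete(sessionId);
    return {
      status: 302,
      headers: {
        Location: `${policy.loginPath}?reason=${reason}`,
        'Set-Cookie': 'sid=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Lax',
      },
    };
  }
  session.lastSeenAt = now; // sliding idle window
  return { status: 200, session };
}

// Explicit logout, the user-side advice in the article: invalidate at once.
function logout(store, sessionId) {
  return store.delete(sessionId);
}

// Stand-alone demo with constructed timestamps.
function demo() {
  const store = createStore();
  const t0 = Date.UTC(2009, 0, 16, 9, 0, 0); // constructed: 2009-01-16 09:00 UTC
  createSession(store, 'demo-sid', 'alice', t0);
  const results = [
    handleRequest(store, 'demo-sid', t0 + 5 * 60 * 1000).status,  // 200: 5 min since login
    handleRequest(store, 'demo-sid', t0 + 25 * 60 * 1000).status, // 302: 20 min idle
  ];
  console.log(results);
  return results;
}
demo();
```

The idle window slides with each request, while the absolute lifetime does not, so a long-running session is re-authenticated at least once per `absoluteLifetimeMs` even if the user is active. Both expiry paths clear the cookie and redirect to the site's own login page, which is the behaviour shellpc describes seeing from a bank below and the one users should expect.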
I Jedi
January 16, 2009 at 10:31pm
They just keep finding new and more innovative ways of taking my money and making a run for it. I, too, practice safe web browsing and continuously run anti-spyware, virus, etc., and I've still gotten hit before.
hg2WJW
January 16, 2009 at 1:14pm
I'm torn on this one. On the one hand this is useful info. On the other hand this is a pretty big pile of FUD.
Trusteer should give the full details. And it should provide a sample exploit like Secunia has been known to do.
The idea behind the example is to log onto a test Web site provided by the security firm so you can see exactly what the behavior is. That way you know what to look for. And you have not risked your system because there is no payload.
Mike
winmaster
January 16, 2009 at 9:07am
Dammit, if we can't trust expired logins, what can we trust? If it gets much worse, I may have to become Amish. (No, I don't know if I spelled Amish correctly)
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
shellpc
January 16, 2009 at 6:06am
Do popup blockers prevent this, like Firefox's? Or how about Noscript? As I use both.
Also, whenever my bank sessions do time out, I don't get a popup. The website logs me out to a session timed out page. If I suddenly started seeing session timed out popups I'd be pretty suspicious and not only not click 'em, but immediately run a virus and spyware scan.
Good info to know though, for sites that do use popups to inform you when your session timed out.