A New Way to Phish Could Hook Even Wary Users
Posted 01/15/09 at 05:06:10 PM by Mark Edward Soper

So, you've decided to log into your bank's website to figure out if you can afford the newest techno-bling shown at CES. Your bank gives you the nod, and you open up another browser tab (or window) to cruise over to your favorite tech reseller. After doing a few price and stock checks, a pop-up window appears: your bank session has timed out - and if you want to double-check your available credit or account balance, you need to log in again. Should you click and go?
If you shrug and say "sure," you'd probably be hooked by the latest phishing method. As reported by ArsTechnica, "in-session" phishing doesn't use traditional methods such as fake emails or fake websites to do its dirty work. Instead, in-session phishing is the next step in exploiting legitimate sites that have been infected by malware. This time, the infected websites exploit a JavaScript flaw found in all popular browsers.
According to the security firm Trusteer (PDF), in-session phishing works this way:
The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.
This flaw (described by Trusteer in a deliberately vague way to avoid helping the bad guys), when combined with a legitimate website that's been infected, enables the infected website to spawn a pop-up that looks as if it's coming from the site you originally logged into. To make matters worse, Trusteer says the pop-up could be something even more innocuous, such as an online survey or a mini-Flash game, instead of a prompt to log back in.
How big a threat is in-session phishing? The attack works if, and only if, you are logged into a legitimate site at the same time you access an infected site that is running malware configured to target the site you're logged into. Even so, it could be significant, precisely because it is launched while you're logged into legitimate websites. Until banks, e-commerce, and social-networking sites get around to warning users to avoid pop-up "relogins," protect yourself by logging off secure websites as soon as you've finished your business. If you really want to see your credit balance while you're shopping online, do it the old-fashioned way: make a printout, or save a tree and create a PDF file. Stay safe out there!
They just keep finding new
Submitted by I Jedi on Fri, 01/16/2009 - 10:31pm
They just keep finding new and more innovative ways of taking my money and making a run for it. I, too, practice safe web browsing and continuously run anti-spyware, virus, etc., and I've still gotten hit before.
Torn
Submitted by hg2WJW on Fri, 01/16/2009 - 1:14pm
I'm torn on this one. On the one hand this is useful info. On the other hand this is a pretty big pile of FUD.
Trusteer should give the full details. And it should provide a sample exploit like Secunia has been known to do.
The idea behind the example is to log onto a test Web site provided by the security firm so you can see exactly what the behavior is. That way you know what to look for. And you have not risked your system because there is no payload.
Mike
Holy Shit!
Submitted by winmaster on Fri, 01/16/2009 - 9:07am
Dammit, if we can't trust expired logins, what can we trust? If it gets much worse, I may have to become Amish. (No, I don't know if I spelled Amish correctly)
--------------------------------------------------------------------------------------------------
The quick brown fox jumps over the lazy dog.
Firefox and NoScript
Submitted by shellpc on Fri, 01/16/2009 - 6:06am
Do popup blockers prevent this, like Firefox's? Or how about Noscript? As I use both.
Also, whenever my bank sessions do time out, I don't get a popup. The website logs me out to a session timed out page. If I suddenly started seeing session timed out popups I'd be pretty suspicious and not only not click 'em, but immediately run a virus and spyware scan.
Good info to know though, for sites that do use popups to inform you when your session timed out.
Bank phishing attack
Submitted by archangelx on Thu, 01/15/2009 - 5:10pm
Thank you, these guys are getting slicker all the time.
Makes sense.
Submitted by Bill the clown on Thu, 01/15/2009 - 3:37pm
Thanks