So, you've decided to log into your bank's website to figure out if you can afford the newest techno-bling shown at CES. Your bank gives you the nod, and you open up another browser tab (or window) to cruise over to your favorite tech reseller. After doing a few price and stock checks, a pop-up window appears: your bank session has timed out - and if you want to double-check your available credit or account balance, you need to log in again. Should you click and go?
If you shrug and say "sure," you'd probably fall victim to the latest phishing method. As reported by ArsTechnica, "in-session" phishing doesn't use traditional methods such as fake emails or fake websites to do its dirty work. Instead, in-session phishing is the next step in exploiting legitimate sites that have been infected with malware. This time, the infected websites exploit a JavaScript flaw found in all popular browsers.
According to the security firm Trusteer (PDF), in-session phishing works this way:
The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.
This flaw (described by Trusteer in a deliberately vague way to avoid helping the bad guys), when combined with a legitimate website that's been infected, enables the infected website to spawn a pop-up that looks as if it's coming from the site you originally logged into. To make matters worse, Trusteer also says that the pop-up could be something even more innocuous, such as an online survey or a mini-Flash game, instead of a prompt to log back in.
How big a threat is in-session phishing? The attack works if, and only if, you are logged into a legitimate site at the same time you visit an infected site running malware configured to target the site you're logged into. Even so, the threat could be significant, precisely because it strikes while you're logged into a legitimate website. Until banks, e-commerce, and social-networking sites get around to warning users to avoid pop-up "relogins," protect yourself by logging off secure websites as soon as you've finished your business. If you really want to see your credit balance while you're shopping online, do it the old-fashioned way: make a printout, or save a tree and create a PDF file. Stay safe out there!
Links:
[1] http://arstechnica.com/news.ars/post/20090113-new-method-of-phishmongering-could-fool-experienced-users.html
[2] http://www.maximumpc.com/article/news/most_malware_served_up_legit_websites_that_have_been_compromised
[3] http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf