Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/13/2009
12:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New Phishing Attack Targets Online Banking Sessions With Phony Popups

'In-session phishing' the latest Web-based method for phishers to steal users' banking credentials

Researchers have discovered a sophisticated, new method of phishing that targets users while they are banking online -- sending phony popup messages pretending to be from their banks.

The so-called "in-session phishing" attack prompts the victim to retype his username and password for the banking site because the online banking session "has expired," for instance, via a popup that purports to be from the victim's bank site, according to researchers at Trusteer, which today published an advisory (PDF) on their findings about the potential for such a phishing attack.

Amit Klein, CTO of Trusteer, says although he and his research team have not spotted full-blown attacks like this in the wild as yet, they have witnessed precursors to it. The attack goes like this: The phisher injects legitimate Websites with malicious JavaScript so that when an online banking customer visits one of those sites while banking online, he gets targeted. The malware exploits weaknesses in the browser that lets the attacker "see" the banking site URL where the victim is logged in, and then the phisher automatically generates a popup posing as that bank. If the user falls for the popup lure and enters his banking credentials, the phisher then gets those credentials.

"This is the next generation of sophisticated phishing attack," Klein says. "It combines an online vector -- the attacker waits for user to come to a genuine site that's hacked -- and browser shortcomings to detect which site the user is logged into in a different window or tab. This provides a very powerful avenue to conduct a sophisticated attack."

The popup message could take other forms, such as a customer satisfaction survey from the bank or a special promotion, according to the researchers -- anything that could dupe the user into handing over credentials.

Klein says placing a low-profile piece of malicious JavaScript on a high-profile Website isn't difficult to do, and the malware is basically invisible to the user. "Once the JavaScript is rendered, it does the job...and sees where you are logged in," he says. And the attack is possible without the attacker accessing the actual bank site at all, he notes.

The malware on the Website doesn't get downloaded to the victim's machine, so it's tougher to detect, according to Trusteer. And Internet Explorer, Firefox, Safari, and Chrome all contain a JavaScript vulnerability that lets a Website check if a user is currently logged onto another Website, leaving a temporary "footprint" that lets the attacker trace that site, including a bank.

For in-session phishing to be successful, the attacker has to maintain a list of bank Websites it will look for, and then it can send the phony popup to the victim.

Jeremiah Grossman, CTO and founder of WhiteHat Security, says the attack would be fairly simple to pull off. "There is no shortage of hacked Websites to piggyback on. And you'd probably use this method if you really don't want to be detected since there is no traditional malware as part of the attack," Grossman says. "You are just stealing some information from the browsers session and customizing a new page based upon it."

Grossman, who, along with Robert "RSnake" Hansen, had previously researched detecting users online, says the fact that there is no malware infecting the machine itself makes the in-session phishing attack especially dangerous. It would be difficult for antimalware tools to detect, he notes.

This new attack isn't as effective as traditional spear phishing, however, notes Joshua Perrymon, CEO of PacketFocus. "This just adds more timing and complexity to the attack. It also depends on the user clicking on the first link," Perrymon says.

Trusteer offered a few tips for users to protect themselves from an in-session phishing attack: deploy browser security tools; log out of banking and other sensitive online apps and accounts before going to other Websites; and be suspicious of any popups during a Web session if you haven't clicked on a hyperlink.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18980
PUBLISHED: 2019-11-14
On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9290022656 devices, an unprotected API lets remote users control the bulb's operation. Anyone can turn the bulb on or off, or change its color or brightness remotely. There is no authentication or encryption to use the control API. The o...
CVE-2019-17391
PUBLISHED: 2019-11-14
An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-08 0 through 2. Lack of anti-glitch mitigations in the first stage bootloader of the ESP32 chip allows an attacker (with physical access to the device) to read the contents of read-protected eFuses, such as flash encryption and sec...
CVE-2019-18651
PUBLISHED: 2019-11-14
A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document to a user that the website trusts. The user needs to have ...
CVE-2019-18978
PUBLISHED: 2019-11-14
An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
CVE-2019-14678
PUBLISHED: 2019-11-14
SAS XML Mapper 9.45 has an XML External Entity (XXE) vulnerability that can be leveraged by malicious attackers in multiple ways. Examples are Local File Reading, Out Of Band File Exfiltration, Server Side Request Forgery, and/or Potential Denial of Service attacks. This vulnerability also affects t...