iTnews

New phishing ploy exploits secure sessions to hijack data

By Dan Kaplan on Jan 14, 2009 10:49AM

Researchers have discovered a new way for attackers to phish for credentials without the need to send emails or trick users into visiting a malicious website.

Dubbed "in-session" phishing by web security firm Trusteer, the conceptualised attack leverages a vulnerability present in all major browsers that allows attackers to learn if a user is logged into a banking site.

All criminals need to do is compromise a legitimate website with malicious JavaScript and wait for people to surf there, said Trusteer CTO Amit Klein. When users visit that site, the malcode will leverage a vulnerability in the way a certain function is implemented in popular browsers, he told SC MagazineUS.com.

If one page in a bank's website uses this function -- which is not that uncommon -- then it is possible to observe whether a particular user is simultaneously signed into that site, Klein said.

Then, through the legitimate site that they already have compromised, the malicious individuals can display a pop-up box that appears to be coming from the bank, informing users they must re-enter their banking credentials.

"Instead of pushing these scams through emails, fraudsters found it more effective to capture the users when they browse to legitimate sites," Klein said. "So they are less suspicious of anything extraordinary on one hand, and email filters are simply out of the equation at the same time."

Internet Explorer, Mozilla Firefox, Safari and Google Chrome all are vulnerable, he said. Trusteer has notified the browser manufacturers about the flaw.

Avivah Litan, vice president and distinguished analyst at Gartner, said the Trusteer proof-of-concept is quite plausible and she has seen similar attack scenarios elsewhere.

"I think anyone that underestimates phishing attacks is making a big mistake because phishing is being combined with malware that renders most traditional secure controls useless, such as SSL, HTTPS or strong authentication," she said.

Banks must respond by implementing stronger fraud detection solutions that can pick up abnormal behavior to stop live attacks, Litan said.

Klein suggests users deploy web browser security tools and ensure they are logged out of their banking sites once they have finished there.
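The attack described above only works while the victim's banking session is live, which is why Klein's advice is to log out once finished. The bank-side counterpart of that advice is to expire sessions that go idle or simply get too old, so that the window in which a user is "simultaneously signed in" stays short even when the user forgets to log out. The following is an added example, not code from Trusteer, SC Magazine or any bank: a minimal server-side session store with an idle timeout and an absolute timeout, plus a constructed timeline that shows each timeout firing. The store, the timeout values and the user names are all assumptions made for the demo.

```python
"""Server-side session expiry demo (added example, not the article's or any bank's code).

A live session is what the in-session phishing technique above relies on.
Expiring sessions that are idle or too old limits how long that condition
holds. IDLE_TIMEOUT, ABSOLUTE_TIMEOUT and the timeline are constructed
values for this demo, not settings from any real bank.
"""
import secrets
from dataclasses import dataclass, field

IDLE_TIMEOUT = 10 * 60      # seconds of inactivity after which a session is dropped (assumed)
ABSOLUTE_TIMEOUT = 60 * 60  # hard cap on session lifetime, activity or not (assumed)


@dataclass
class Session:
    user: str
    created_at: float   # login time (seconds)
    last_seen: float    # time of the most recent authenticated request


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        """Create a session with an unguessable id and return the id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, now, now)
        return sid

    def is_active(self, sid: str, now: float) -> bool:
        """True if the session exists and neither timeout has elapsed.

        Expired sessions are removed lazily on the first check that finds
        them expired, so a forgotten tab cannot keep them alive.
        """
        s = self.sessions.get(sid)
        if s is None:
            return False
        idle_expired = now - s.last_seen > IDLE_TIMEOUT
        absolute_expired = now - s.created_at > ABSOLUTE_TIMEOUT
        if idle_expired or absolute_expired:
            del self.sessions[sid]
            return False
        return True

    def touch(self, sid: str, now: float) -> bool:
        """Record activity for an authenticated request; False if the session is gone."""
        if not self.is_active(sid, now):
            return False
        self.sessions[sid].last_seen = now
        return True

    def logout(self, sid: str) -> bool:
        """Explicit logout (Klein's advice, done server-side); True if a session was ended."""
        return self.sessions.pop(sid, None) is not None


def simulate_timeline(store: SessionStore) -> dict:
    """Constructed timeline showing each control in effect.

    alice: logs in at t=0, is active at t=300, then goes quiet.
    bob:   stays busy every 5 minutes, so only the absolute cap can end him.
    carol: logs out explicitly.
    """
    alice = store.login("alice", 0)
    store.touch(alice, 300)
    result = {
        "active_during_use": store.is_active(alice, 600),    # 300 s idle: still live
        "active_after_idle": store.is_active(alice, 1000),   # 700 s idle: expired
    }

    bob = store.login("bob", 0)
    for t in range(300, 3900, 300):      # activity at 300, 600, ..., 3600
        store.touch(bob, t)
    result["active_past_absolute"] = store.is_active(bob, 3700)  # over the 3600 s cap

    carol = store.login("carol", 0)
    result["logout_ends_session"] = store.logout(carol) and not store.is_active(carol, 1)
    return result


if __name__ == "__main__":
    for name, state in simulate_timeline(SessionStore()).items():
        print(f"{name}: {state}")
```

In practice the timeout check runs inside the request handler before any account data is served, and the absolute cap matters most: an idle timeout alone can be kept alive indefinitely by background requests from an open tab, whereas the cap forces a fresh login regardless.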

See original article on scmagazineus.com
Copyright © SC Magazine, US edition
