Kelly Jackson Higgins
Researchers have discovered a sophisticated, new method of phishing that targets users while they are banking online -- sending phony popup messages pretending to be from their banks.
The so-called "in-session phishing" attack prompts the victim to retype his username and password for the banking site because the online banking session "has expired," for instance, via a popup that purports to be from the victim's bank site, according to researchers at Trusteer, which today published an advisory (PDF) on their findings about the potential for such a phishing attack.
Amit Klein, CTO of Trusteer, says although he and his research team have not spotted full-blown attacks like this in the wild as yet, they have witnessed precursors to it. The attack goes like this: The phisher injects legitimate Websites with malicious JavaScript so that when an online banking customer visits one of those sites while banking online, he gets targeted. The malware exploits weaknesses in the browser that lets the attacker "see" the banking site URL where the victim is logged in, and then the phisher automatically generates a popup posing as that bank. If the user falls for the popup lure and enters his banking credentials, the phisher then gets those credentials.
"This is the next generation of sophisticated phishing attack," Klein says. "It combines an online vector -- the attacker waits for user to come to a genuine site that's hacked -- and browser shortcomings to detect which site the user is logged into in a different window or tab. This provides a very powerful avenue to conduct a sophisticated attack."
The popup message could take other forms, such as a customer satisfaction survey from the bank or a special promotion, according to the researchers -- anything that could dupe the user into handing over credentials.
Klein says placing a low-profile piece of malicious JavaScript on a high-profile Website isn't difficult to do, and the malware is basically invisible to the user. "Once the JavaScript is rendered, it does the job...and sees where you are logged in," he says. And the attack is possible without the attacker accessing the actual bank site at all, he notes.
The malware on the Website doesn't get downloaded to the victim's machine, so it's tougher to detect, according to Trusteer. And Internet Explorer, Firefox, Safari, and Chrome all contain a JavaScript vulnerability that lets a Website check if a user is currently logged onto another Website, leaving a temporary "footprint" that lets the attacker trace that site, including a bank.
For in-session phishing to be successful, the attacker has to maintain a list of bank Websites it will look for, and then it can send the phony popup to the victim.
No comments:
Post a Comment