Trusteer has identified a new phishing attack method designed to trick users into surrendering confidential information after they have logged on to an online banking, brokerage, or other sensitive web site. The technique, dubbed In Session Phishing, can be used to inject into all major browsers legitimate looking Pop Up messages that request passwords, account numbers, etc., on behalf of the trusted website.
This next generation Phishing method, as well as techniques that can be used to protect against it, are explained in a free security advisory written by noted security researcher and Trusteer CTO Amit Klein.
A typical In Session Phishing attack would occur as follows. A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites. A short time later a popup appears, allegedly from the banking website, requesting the user retype their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc. Since the user had recently logged onto the banking website, he/she will likely not suspect this popup is fraudulent and thus provide the requested details.
In order for In-Session Phishing attacks to succeed the following conditions are required:
1. A base website must be compromised from which the attack can be launched.
2. The malware (injected on the compromised website) must be able to identify which website the victim user is currently logged on to.
The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. The second condition, identifying which website a user is currently logged onto is harder to achieve, but not impossible. A variety of techniques are available and documented for accomplishing this task. For more details see the Trusteer security advisory on In Session Phishing.