Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

In-session phishing attacks

Graham Titterington | Jan. 21, 2009
Fraudsters look for more effective ways of stealing personal credentials from online users of secure sites

A new phishing tactic has emerged, called in-session phishing, as fraudsters look for more effective ways of stealing personal credentials from online users of secure sites such as online banking and social networking. It shows that fraudsters remain resourceful as they react to improved defences. Organisations need to update their warnings to customers and other users, but the task of educating non-expert users gets more difficult and defensive technology must be improved.

Users must be warned of the dangers, but not alarmed

This form of attack uses sites that the victim is currently logged in to, and so the user is not inclined to doubt the authenticity of the messages. Conventional warnings about ignoring unsolicited emails are irrelevant. Users have to be warned about unexpected pop-up windows, even when they appear to be authentic and relevant to the task in hand. As phishing gets ever more ingenious we are approaching a state where we tell users to ignore anything that appears to be unfamiliar. It is going to be hard to instill this level of suspicion without destroying confidence in online processes. In this case, practical advice for users might include logging out of these sites whenever they have an idle period, but this is clearly inefficient if the log-in dialogue is complex.

Trusteer, an Internet security company focusing on protecting online financial services, has reported on a new variant of phishing attack in which the attacker asks a user of a secure Internet site such as an online banking site to re-authenticate themselves after they have not interacted with the site for a few minutes. The hacker opens a pop-up window on the victims machine saying that the session has timed out, or that they are being asked to participate in a survey or promotion, and that they should click on a link in the window to re-enter their credentials. The problem is that the link takes them to a site controlled by the hacker and their information is stolen. The attack is more credible than conventional hacking strategies that are based on mass emailing campaigns because people are learning not to respond to unsolicited emails purporting to come from banks. It does not seem strange to be asked to re-authenticate to a site after a period of inactivity. As with all serious fraudulent activity, the screens are made to look like those of the legitimate organisation.

The attack requires malware to be downloaded onto the victims computer to detect when the user is logged in to a secure site, and to decide when to launch the pop-up window. It then communicates with the hacker site to launch the attack. This malware is delivered when the user visits an infected website, of which there are about 2 million at any time. The malware uses a vulnerability in the JavaScript of all leading browsers that allows a website to check if a user is currently logged in to another website.


1  2  Next Page 

Sign up for Computerworld eNewsletters.