Feeds

Pop-up phishing risk points to web fraud evolution

Taking the spam out of e-banking scams

SANS - Survey on application security programs

Fraudsters have the potential to develop techniques for mounting phishing attacks using pop-up dialogue boxes instead of spoofed emails, security start up Trusteer warns. Although the firm isn't able to cite example of the possible next-generation attack, which it describes as in-session phishing, that attack scenario is plausible enough to merit a closer look.

In-session phishing, like drive-by download attacks, first relies on planting malicious code on targeted web sites. But instead of redirecting surfers to maliciously constructed websites under the control of hackers, where browser vulnerabilities might be used to load malware on poorly secured Windows PCs, the hostile code is used to generate rogue pop-up browser windows.

Prospective marks would be invited to hand over their online login credentials in response to this dialogue box. The approach eliminates the need to smuggle fraudulent emails past spam filters and has the advantage of novelty in catching out the unwary, to say nothing of plausibility since the pop-up would appear to come from a user's bank. The approach also has the advantage of doing away with the scatter-gun approach of conventional phishing attacks.

The method would be drawn into play once a user has logged into an online banking, brokerage, or other secure web application, Trusteer explains.

"'In-session' attacks are more likely to succeed since they occur after a user has logged onto a banking or other secure website," explained Amit Klein, CTO of Trusteer. "Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques especially when accessing financial applications."

Miscreants hoping to mount an attack based on the approach face two potential stumbling blocks. First, they have to find an e-commerce or banking website open to compromise. Such attacks occur all the time and so don't really represent a serious obstacle for more skilled hackers. The second condition for a successful attack poses an altogether tougher nut to crack, however.

In order for the attack to succeed, malware injected onto a compromised website needs to identify which website the prospective mark is currently logged onto. Trusteer reckons the fraudulent pop-up boxes generated via the attack would be most plausibly generated when a surfer navigates to another site, leaving a secure session running at the same time.

Trusteer explains the attack in greater depth, together with tips for web users in avoiding compromise, in an advisory here (PDF). ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.