Feeds

Pop-up phishing risk points to web fraud evolution

Taking the spam out of e-banking scams

5 things you didn’t know about cloud backup

Fraudsters have the potential to develop techniques for mounting phishing attacks using pop-up dialogue boxes instead of spoofed emails, security start up Trusteer warns. Although the firm isn't able to cite example of the possible next-generation attack, which it describes as in-session phishing, that attack scenario is plausible enough to merit a closer look.

In-session phishing, like drive-by download attacks, first relies on planting malicious code on targeted web sites. But instead of redirecting surfers to maliciously constructed websites under the control of hackers, where browser vulnerabilities might be used to load malware on poorly secured Windows PCs, the hostile code is used to generate rogue pop-up browser windows.

Prospective marks would be invited to hand over their online login credentials in response to this dialogue box. The approach eliminates the need to smuggle fraudulent emails past spam filters and has the advantage of novelty in catching out the unwary, to say nothing of plausibility since the pop-up would appear to come from a user's bank. The approach also has the advantage of doing away with the scatter-gun approach of conventional phishing attacks.

The method would be drawn into play once a user has logged into an online banking, brokerage, or other secure web application, Trusteer explains.

"'In-session' attacks are more likely to succeed since they occur after a user has logged onto a banking or other secure website," explained Amit Klein, CTO of Trusteer. "Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques especially when accessing financial applications."

Miscreants hoping to mount an attack based on the approach face two potential stumbling blocks. First, they have to find an e-commerce or banking website open to compromise. Such attacks occur all the time and so don't really represent a serious obstacle for more skilled hackers. The second condition for a successful attack poses an altogether tougher nut to crack, however.

In order for the attack to succeed, malware injected onto a compromised website needs to identify which website the prospective mark is currently logged onto. Trusteer reckons the fraudulent pop-up boxes generated via the attack would be most plausibly generated when a surfer navigates to another site, leaving a secure session running at the same time.

Trusteer explains the attack in greater depth, together with tips for web users in avoiding compromise, in an advisory here (PDF). ®

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.