Feeds

Pop-up phishing risk points to web fraud evolution

Taking the spam out of e-banking scams

Protecting against web application threats using SSL

Fraudsters have the potential to develop techniques for mounting phishing attacks using pop-up dialogue boxes instead of spoofed emails, security start up Trusteer warns. Although the firm isn't able to cite example of the possible next-generation attack, which it describes as in-session phishing, that attack scenario is plausible enough to merit a closer look.

In-session phishing, like drive-by download attacks, first relies on planting malicious code on targeted web sites. But instead of redirecting surfers to maliciously constructed websites under the control of hackers, where browser vulnerabilities might be used to load malware on poorly secured Windows PCs, the hostile code is used to generate rogue pop-up browser windows.

Prospective marks would be invited to hand over their online login credentials in response to this dialogue box. The approach eliminates the need to smuggle fraudulent emails past spam filters and has the advantage of novelty in catching out the unwary, to say nothing of plausibility since the pop-up would appear to come from a user's bank. The approach also has the advantage of doing away with the scatter-gun approach of conventional phishing attacks.

The method would be drawn into play once a user has logged into an online banking, brokerage, or other secure web application, Trusteer explains.

"'In-session' attacks are more likely to succeed since they occur after a user has logged onto a banking or other secure website," explained Amit Klein, CTO of Trusteer. "Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques especially when accessing financial applications."

Miscreants hoping to mount an attack based on the approach face two potential stumbling blocks. First, they have to find an e-commerce or banking website open to compromise. Such attacks occur all the time and so don't really represent a serious obstacle for more skilled hackers. The second condition for a successful attack poses an altogether tougher nut to crack, however.

In order for the attack to succeed, malware injected onto a compromised website needs to identify which website the prospective mark is currently logged onto. Trusteer reckons the fraudulent pop-up boxes generated via the attack would be most plausibly generated when a surfer navigates to another site, leaving a secure session running at the same time.

Trusteer explains the attack in greater depth, together with tips for web users in avoiding compromise, in an advisory here (PDF). ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.