Feeds

Pop-up phishing risk points to web fraud evolution

Taking the spam out of e-banking scams

Choosing a cloud hosting partner with confidence

Fraudsters have the potential to develop techniques for mounting phishing attacks using pop-up dialogue boxes instead of spoofed emails, security start up Trusteer warns. Although the firm isn't able to cite example of the possible next-generation attack, which it describes as in-session phishing, that attack scenario is plausible enough to merit a closer look.

In-session phishing, like drive-by download attacks, first relies on planting malicious code on targeted web sites. But instead of redirecting surfers to maliciously constructed websites under the control of hackers, where browser vulnerabilities might be used to load malware on poorly secured Windows PCs, the hostile code is used to generate rogue pop-up browser windows.

Prospective marks would be invited to hand over their online login credentials in response to this dialogue box. The approach eliminates the need to smuggle fraudulent emails past spam filters and has the advantage of novelty in catching out the unwary, to say nothing of plausibility since the pop-up would appear to come from a user's bank. The approach also has the advantage of doing away with the scatter-gun approach of conventional phishing attacks.

The method would be drawn into play once a user has logged into an online banking, brokerage, or other secure web application, Trusteer explains.

"'In-session' attacks are more likely to succeed since they occur after a user has logged onto a banking or other secure website," explained Amit Klein, CTO of Trusteer. "Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques especially when accessing financial applications."

Miscreants hoping to mount an attack based on the approach face two potential stumbling blocks. First, they have to find an e-commerce or banking website open to compromise. Such attacks occur all the time and so don't really represent a serious obstacle for more skilled hackers. The second condition for a successful attack poses an altogether tougher nut to crack, however.

In order for the attack to succeed, malware injected onto a compromised website needs to identify which website the prospective mark is currently logged onto. Trusteer reckons the fraudulent pop-up boxes generated via the attack would be most plausibly generated when a surfer navigates to another site, leaving a secure session running at the same time.

Trusteer explains the attack in greater depth, together with tips for web users in avoiding compromise, in an advisory here (PDF). ®

Remote control for virtualized desktops

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Website security in corporate America
Find out how you rank among other IT managers testing your website's vulnerabilities.