Wednesday, February 11, 2009

In-session Phishing

One of the first articles posted to Web Bytes Blog pertained to Internet security and the fraudulent act of phishing. In that article, the phishing attacks were perpetrated through e-mail. Today we revisit this topic, but with a far more sophisticated, stepped-up form of phishing known as in-session phishing. As the name implies, the attack happens while the user is in an active session of online banking or some similar task dealing with sensitive and confidential information. Because of this, the attack is more likely to succeed: the victim is already logged in to the secure site when a pop-up window appears asking them to log in again because the session has supposedly expired, or making some other request that could be typical of the site.

Today I read in PC World that a bug in the JavaScript engine used in many popular browsers was discovered by Amit Klein, the CTO (Chief Technology Officer) of Trusteer (McMillan, 2009). Because of this article I decided to write this post, and I found other information to corroborate the PC World article. Another article on the same topic from Trusteer went a little further and named the affected browsers: Internet Explorer, Firefox, Chrome, and Safari. This vulnerability in JavaScript allows a Web site to check whether a user is logged in to another Web site via a footprint left by this code, and this applies to quite a few online banking institutions, social networks, retailers and the like. The Trusteer research paper lists two conditions that have to exist for this in-session attack to occur:

• The secure site has to be compromised and infected, providing the mechanism to launch the attack
• The malware must be able to identify which Web site the user is currently logged on to

In light of this, users need to be more diligent when handling sensitive and secure information, and should log out of secured sites when finished. Do not leave the browser open to a logged-in site while you navigate to other sites.

For complete information on how the scheme unfolds and how to protect yourself, visit Trusteer’s Web site at the link below and read the research paper “In-session Phishing Attacks”, and read the PC World article in the March 2009 issue on page 12, also available via the link below.

As always, submit your questions and comments and let’s have fun learning together.

Hruska, J. (2009, January 13). New in-session phishing attack could fool experienced users. Retrieved February 11, 2009, from Ars Technica Web site:

McMillan, R. (2009, March). Browser bugs could allow phishing without e-mail. PC World, 40.

(2008, December 29). In-session phishing attacks. Retrieved February 11, 2009, from In-session-phishing-advisory-2.pdf Web site:
