In-Session Phishing Attack

A new way of stealing internet banking passwords has been discovered. Here’s how a victim would see it:

• You’re reading a few web pages on the internet. One of them is infected with some malicious code – you don’t know.
• You log onto your normal internet banking site
• The malicious code on the other site detects that you’ve logged into internet banking
• the malicious code bring up a window asking you to type in your internet banking password again, giving you some excuse as to why you have to log in again
• The malicious code sends your password to a 3rd party who uses it or sells it to someone who will

How can this happen?

I won’t go into the technical explanation, suffice it to say that most browsers will trust and run code under certain conditions, and hackers have discovered how to exploit those conditions.

It works because it knows what banks to look for and won’t do anything until you log into your internet banking. So to a casual person it sounds plausible that they need your password again.

What can be done to prevent this?

• When you use internet banking close all the other tabs you might have open. Just keep the internet banking page open by itself.
• If you get a popup window to enter your password again you need to decide if the popup window is really from your bank.

• Does it look the same as your normal login screen?
• Is there a good reason why you have to enter your details again? (e.g. if you don’t use the internet banking page for 10 minutes it might time out, but otherwise it shouldn’t have timed out)
• Does it have the SSL icon? This is often a padlock icon on the top right corner, if you click on it it should identify your bank.

The makers of web browsers (Microsoft, Mozilla, Google, etc) need to address this issue. When they do it’s up to you to update your browser to the latest version. Then this particular problem will go away.

Below is a press release from a banking security company offering more information on this type of attack.

http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf

Comments

• About

  Read the latest articles shown on the left, and use the options below to search for past articles. FraudO.com is committed to educating all users on the dangers of the internet and how to avoid them.

• Email Subscription

  Enter your email address:

  Delivered by FeedBurner

• Ads

  • Anastasia International Scam

• Recently Written

  • Another Scam Job
  • ICS Monitoring Team
  • Facebook Groups And Toolbars
  • An Interview with a Nigerian Internet Scammer
  • Fake CUA Email
  • Microsoft Does Not Send Updates By Email
  • Texaco Money Mule Scam
  • Facebook Un Named App
  • Avast 5
  • ATM Card Skimmers
  • Common Passwords
  • Fake ATO Emails
  • TwitterBuilding
  • IE6
  • BlackBerry Hoax Message

• Categories

  • Admin
  • Antivirus
  • Backups
  • Fraud
  • General
  • hoax
  • Identity Theft
  • Malware
  • News/Media
  • Phishing
  • Privacy
  • Scams
  • Security
  • Software
  • Statistics
  • Uncategorized

• Archived Articles

  Select Month March 2010  (2) February 2010  (5) January 2010  (11) December 2009  (1) November 2009  (2) October 2009  (4) September 2009  (10) August 2009  (9) July 2009  (7) June 2009  (20) May 2009  (15) April 2009  (12) March 2009  (10) February 2009  (14) January 2009  (10) December 2008  (10) November 2008  (3) October 2008  (7) September 2008  (5) August 2008  (11) July 2008  (17) June 2008  (8) May 2008  (17) April 2008  (23) March 2008  (22) February 2008  (20) January 2008  (31) December 2007  (17) November 2007  (21) October 2007  (11) September 2007  (5)

• Ads

• Affiliates

• Spam Blocked

  30,775 spam comments

  blocked by
  Akismet

• Stats