In-Session Phishing Attack

A new way of stealing internet banking passwords has been discovered, called in-session phishing. Here's how a victim would see it:

  • You're reading a few web pages. One of them has been infected with malicious code, and you don't know it.
  • You log onto your normal internet banking site in another tab or window.
  • The malicious code on the other site detects that you have logged into internet banking.
  • The malicious code brings up a window asking you to type in your internet banking password again, with some excuse as to why you have to log in again.
  • The malicious code sends your password to a third party, who uses it or sells it to someone who will.

How can this happen?

I won't go into the technical explanation; suffice it to say that, under certain conditions, browsers will trust and run code from one web page while you are logged into another, and hackers have discovered how to exploit those conditions so that the malicious page can tell you are logged in.

It works because the malicious code knows which banks to look for and does nothing until you log into one of them. Because the request for your password appears while you really are using internet banking, it sounds plausible to a casual user that the bank needs the password again.

What can be done to prevent this?

  • When you use internet banking, close all the other tabs and windows you have open, and keep the internet banking page open by itself. The malicious code can only act while its page is open alongside your banking session.
  • If you get a popup window asking you to enter your password again, you need to decide whether the popup really comes from your bank:
  • Does it look the same as your normal login screen?
  • Is there a good reason why you have to enter your details again? (e.g. if you don't use the internet banking page for about 10 minutes it might time out, but otherwise it shouldn't have)
  • Does it have the SSL padlock? The padlock is shown by the browser itself, usually in or next to the address bar (older browsers put it at the bottom or top right of the window); if you click on it, it should identify your bank. Also check that the address bar of that window shows your bank's own https address. A padlock image drawn inside the page content proves nothing, because the malicious page can draw whatever it likes.
  • Use a good antivirus package that scans web pages. This isn't 100% reliable, but it will protect you from most known malicious sites.
  • A more extreme measure is to walk into your bank's branch and use their computers to do internet banking. This is fine, it's just very inconvenient.
  • This is also a good time to remind you not to do internet banking from public computers, such as an internet cafe, a public library, etc. You need to trust the computer you're working on.
  • The makers of web browsers (Microsoft, Mozilla, Google, etc.) need to fix this issue in their browsers. When they do, it's up to you to update your browser to the latest version; then this particular problem will go away, although the advice above still applies to other phishing attacks.

Below is a link to the advisory from a banking security company (Trusteer) with more information on this type of attack:

http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
