Phishing without bait: The in-session password theft attack

Summary: Skilled identity thieves can pilfer user names, passwords and other sensitive data for banking sites without using e-mail lures or other social engineering tactics. According to a security advisory from Trusteer, hackers can launch what is described as "in-session phishing attacks" using pop-up messages during an active browser session.


In-session password theft attacks

Skilled identity thieves can pilfer user names, passwords and other sensitive data for banking sites without using e-mail lures or other social engineering tactics.

According to a security advisory from Trusteer, hackers can launch what it describes as "in-session phishing attacks" using pop-up messages during an active browser session. Although the technique is somewhat sophisticated (a legitimate Web site must first be compromised, and the attacker must then learn which site the victim is currently logged into), in-session phishing can be highly effective because the average end user is likely to enter credentials without a second thought.

Here's how it works:

  1. A user logs onto their online banking application. Leaving this browser window open, the user then navigates to other Web sites.
  2. A short time later a pop-up box appears, allegedly from the banking website, requesting the user re-type their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc.
  3. Since the user had recently logged onto the banking website, he/she will likely not suspect this pop-up is fraudulent and thus provide the requested details.

To mount a successful in-session phishing attack, two things are needed: a base Web site must be compromised (check!), and the malicious code injected into the hijacked site must be able to identify which site the user is currently logged into (not trivial, but very possible).

Trusteer has issued a research paper (.pdf) that calls attention to a vulnerability in the JavaScript engine of all leading browsers -- Internet Explorer, Firefox, Safari, and Chrome -- which allows a Web site to check whether a user is currently logged onto another website.

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

It explains that a compromised website programmed by a skilled attacker only needs to maintain a list of the sites it wants to check:

There is no limit to the number of URLs that a compromised website can check for logged on users. It simply asks the browser a simple question: “is the user currently logged onto this specific website?” and the browser will answer “yes” or “no”. Once the compromised website identifies a website to which the user is logged on, it can inject a pop up message in the browser pretending to be from the legitimate website and asking for credentials and private information.
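The "yes or no" oracle described above is easier to reason about with a concrete model in front of you. The following is an added example, not code from the Trusteer paper or from this post, and it does not use the undisclosed JavaScript function the advisory refers to. Instead it models a separate, long-known way of getting the same answer: embed a resource that the target site only serves to logged-in users (here a hypothetical account avatar image) as an `<img>` from the attacker's page and watch whether it loads or errors. Everything is simulated in plain functions (the bank, the browser's cookie jar and the probe), so it runs offline in Node; the site names and the avatar path are assumptions. It also models the SameSite cookie attribute, which did not exist when this article was written but is the generic fix today: a session cookie marked SameSite=Lax or Strict is simply not attached to a cross-site subresource load, so the probe sees "logged out" regardless of the real session state.

```javascript
// Added example: a self-contained model of a cross-site login oracle and of
// the SameSite cookie rule that defeats it. No real browser or bank involved.

// --- Simulated bank (hypothetical names) -----------------------------------
// The endpoint serves an image only when the session cookie is present;
// otherwise it redirects to an HTML login page. That asymmetry is the leak.
const BANK = {
  origin: "https://bank.example",
  sessionCookie: "SID",
  serve(path, cookies) {
    if (path !== "/account/avatar.png") return { status: 404, type: "text/html" };
    if (cookies[this.sessionCookie] === "valid-session") {
      return { status: 200, type: "image/png" };
    }
    return { status: 302, location: this.origin + "/login", type: "text/html" };
  },
};

// --- Simulated browser cookie jar -------------------------------------------
// SameSite rules as specified: "Strict" is never sent cross-site; "Lax" is
// sent cross-site only on top-level navigations, never for embedded
// subresources such as <img>/<script>; "None" (the pre-SameSite behaviour)
// is always sent.
function cookiesFor(jar, target, requestCtx) {
  const out = {};
  for (const c of jar) {
    if (c.origin !== target.origin) continue;
    const crossSite = requestCtx.initiator !== target.origin;
    if (crossSite) {
      if (c.sameSite === "Strict") continue;
      if (c.sameSite === "Lax" && !requestCtx.topLevel) continue;
    }
    out[c.name] = c.value;
  }
  return out;
}

// --- The probe a compromised third-party page runs --------------------------
// The page never sees the response body (same-origin policy), but an <img>
// fires "load" for image bytes and "error" for an HTML redirect target.
// That single bit is the "yes"/"no" the advisory talks about.
function probeLoggedIn(jar, attackerOrigin, bank, path) {
  const ctx = { initiator: attackerOrigin, topLevel: false }; // <img> subresource
  const cookies = cookiesFor(jar, bank, ctx);
  const resp = bank.serve(path, cookies);
  const imageLoaded = resp.status === 200 && resp.type.startsWith("image/");
  return imageLoaded ? "yes" : "no";
}

// One probe per candidate site; there is no limit on how many are checked.
function scanForLogins(jar, attackerOrigin, targets) {
  return targets
    .filter(t => probeLoggedIn(jar, attackerOrigin, t.bank, t.path) === "yes")
    .map(t => t.bank.origin);
}

// --- Scenarios ----------------------------------------------------------------
const ATTACKER = "https://compromised-news.example"; // hypothetical hijacked site
const AVATAR = "/account/avatar.png";
const targets = [{ bank: BANK, path: AVATAR }];

function sessionCookie(sameSite) {
  return { origin: BANK.origin, name: "SID", value: "valid-session", sameSite };
}

const legacyJar = [sessionCookie("None")];   // 2009-era default: cookie always sent
const laxJar = [sessionCookie("Lax")];       // hardened session cookie
const strictJar = [sessionCookie("Strict")]; // hardened session cookie
const loggedOutJar = [];                     // user logged out, as the advisory recommends

console.log("legacy cookie  :", probeLoggedIn(legacyJar, ATTACKER, BANK, AVATAR));    // yes
console.log("SameSite=Lax   :", probeLoggedIn(laxJar, ATTACKER, BANK, AVATAR));       // no
console.log("SameSite=Strict:", probeLoggedIn(strictJar, ATTACKER, BANK, AVATAR));    // no
console.log("logged out     :", probeLoggedIn(loggedOutJar, ATTACKER, BANK, AVATAR)); // no
console.log("scan (legacy)  :", scanForLogins(legacyJar, ATTACKER, targets));         // [ 'https://bank.example' ]
// A Lax cookie is still sent when the user navigates to the bank directly,
// so the hardening does not break normal use:
console.log("Lax, top-level :", cookiesFor(laxJar, BANK, { initiator: ATTACKER, topLevel: true }));
```

Two things worth noting from the model: the attacker learns nothing about the account itself, only the login state, which is exactly enough to pick which bank to impersonate in the pop-up; and the user-side advice in the article (log out, keep one session open) works by emptying the cookie jar, whereas SameSite works by not handing the cookie to the cross-site request in the first place.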

To protect themselves from in-session phishing attacks, Trusteer recommends that users:

  1. Deploy Web browser security tools.
  2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites.
  3. Be extremely suspicious of pop-ups that appear in a web session if you have not clicked a hyperlink.

* Image source: ToastyKen's Flickr photostream (Creative Commons 2.0)

Topics: Software Development, Browser, Security


  • Might not work with many banking sites...

    ...because most of them log you out with just a minute or two of inactivity... at least the ones I use do.
    • True

      But that minute or two could be all it takes for the attack to take place, which is why it is important to be constantly vigilant.
      • Stop paying for your porn with your bank account.

        Most of these phishers are hiding in porn and other "bad" sites, since people don't report their whereabouts if they do get "screwed" by these websites.
        Don't view these sites while doing your banking or other financial transactions, so they can't pop up unrelated messages for you to click and send them your personal data.
        • Not Good Enough!

          You also need to update your virus/malware scanners signatures and run a complete scan of both after getting off the porn site before opening the banking site.

          I would even insist on doing the same when getting off any of the many other virus-vector sites, such as those for free anime downloads, P2P sites...
        • Looks like the balance has shifted towards the legit sites...

          ...according to one of the links in this blog which says:

          "In a security report entitled A comparative look at the state of web security, May 2007-May 2008, released on Thursday, ScanSafe found 68 percent of all internet-based malware was now being hosted on legitimate sites."

          So checking your bank balance and then heading over to here (ZDNet) could theoretically put you at risk.
          • Multiple open tabs

            Do not open a tab for a sensitive site (like your bank) with other tabs open. It's just one more thing that makes it easier for the criminals.
      • Not a big issue

        Because most banking websites specifically say that they log you out WITHOUT a pop-up, so only the most ignorant will fall for this scam.
  • Any info ????

    Any info on how to mask/erase/disable this Java function? Sounds like our web browsers are designed to give out TOO much information TOO easily to anybody. Is this a "feature" like the "easy open" pad locks?
    • The relationship between levels of risk seem to be constant.

      Browser settings seem to have no impact on phishing. "ZDNet" should grade the browsers through their capital design engineering; no winner.
      • But is this even Really True?

        I don't think so. Remember Ryan referred to "Browser Security Tools".

        Unfortunately, he didn't give a list, but I think he means:

        1) anti-virus
        2) anti-spam (both preferably actively scanning)
        3) Noscript under Mozilla (which other browser even has this ability?)

        I don't see how the attack could work if you have these three, and keep only one browser window open while banking. After all: Noscript will not allow any other scripts to run, except from the site you are connected to, unless you make an unfortunate change to the configuration.
        • Well if it works as described in the blog, then yes..

          ...because NoScript allows scripts to run if you allow the site, for example if you allow JS to run on ZDNet. If ZDNet is compromised then the JS will run.

          So as you say the only way round it is to only have one browser tab or window open to do banking. Then you would have to log out afterwards or leave it till it auto logs out before doing anything else.
    • I agree.

      Any information that the website is going to ask the browser is going to ask me first. But I'll be completely vigilant and log out immediately when I'm done. I'll even flush out the browser cache to make sure there aren't any temporary Internet files left on my hard drive, including tracking cookies.

      But I do want to have important cookies for remembering my banking credentials and a lot of websites that have message boards (Novell's OpenSUSE forum, etc.).
      Grayson Peddie
      • The Agreement Chain

        Besides doing what you do, I have two other practices. Who knows if this helps reduce risk, but I never allow the important web sites to "remember" me. I also visit those sites in a different browser than my look-at-news-sites one. Of course, my daily account is not administrative.

        I guess the next step would be to have a virtual system dedicated to hosting interactions with secure web sites.
  • What's up with the Coat-Hanger?

    I see the graphic that there is some guy about ready to swallow a coat-hanger that he himself is holding up.

    What's up with this?

    Can't you guys find a real fishing hook... I know, I know, you don't have one in the office lying around.

    Anyway, good article. I hope that those who don't already practice safe browsing take note.
  • I always use a separate instance of Firefox

    Not a new window, a completely separate instance with its own cache, cookies and memory allocation. And I never surf anywhere else while I'm doing my banking, and I always clear private data at the beginning and end of the session.

    This is how I do it on Linux

    /usr/bin/firefox3 -ProfileManager -no-remote

    It's fairly similar on Windows: "C:\Program Files\Firefox\firefox3" -ProfileManager -no-remote

    should be about right.
    tracy anne
  • RE: Phishing without bait: The in-session password theft attack

    I stumbled upon this site that is an educational tool for consumers to protect ourselves against digital theft. Check it out:
    Andrew Merrick
  • RE: Phishing without bait: The in-session password theft attack

    Great!!! Thanks for sharing this information with us!