According to a security advisory from Trusteer, hackers can launch what is described as "in-session phishing attacks" using pop-up messages during an active browser session. Although the attack technique is somewhat sophisticated -- it requires that a base Web site be compromised and that the attacker know which Web site the victim user is currently logged into -- in-session phishing can be highly effective because the average end user is likely to enter credentials without a second thought.
Here's how it works:
- A user logs onto their online banking application. Leaving this browser window open, the user then navigates to other Web sites.
- A short time later a pop-up box appears, allegedly from the banking website, requesting the user re-type their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc.
- Since the user had recently logged onto the banking website, he/she will likely not suspect this pop-up is fraudulent and thus provide the requested details.
To mount a successful in-session phishing attack, a base Web site must be compromised (check!), and the malware injected into the hijacked Web site must be able to identify the site the user is logged into (not trivial, but very possible).
The advisory explains that a compromised website needs to maintain a list of sites it wants to check.
There is no limit to the number of URLs that a compromised website can check for logged on users. It simply asks the browser a simple question: “is the user currently logged onto this specific website?” and the browser will answer “yes” or “no”. Once the compromised website identifies a website to which the user is logged on, it can inject a pop up message in the browser pretending to be from the legitimate website and asking for credentials and private information.
To protect themselves from in-session phishing attacks, Trusteer recommends that users:
- Deploy Web browser security tools.
- Always log out of banking and other sensitive online applications and accounts before navigating to other websites.
- Be extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink.
* Image source: ToastyKen's Flickr photostream (Creative Commons 2.0)