In-session phishing holds new potential for attack

Written by Dan Blacharski on January 14, 2009

Spam filtering software has gotten quite good at catching and eliminating many email-based phishing attacks. Traditionally, these emails disguise themselves so that they appear to be from a legitimate source, and trick the recipient into providing login details or account numbers.

But those bad guys who are engaged in the phishing business are always trying to stay one step ahead of the anti-phishing software, and like any good get-rich-quick schemer, will always have half a dozen new scams up their sleeves. The latest is called “in-session phishing”, which is an attempt to bypass the anti-spam software. This trick abandons the traditional email attack and replaces it with a pop-up window.

It works by attacking a legitimate web site and implanting code on it that generates an illegitimate pop-up when visitors go to the legitimate site. Using a JavaScript function, the attacker can determine whether or not a visitor is logged into one of several banking web sites; if they are, the illegitimate pop-up appears. Of course, as in an email phish, the pop-up is made to appear as though it comes from the legitimate source. The pop-up asks for identity information, which is then used, for example, to drain a bank account.
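Because the attack depends on code being implanted in a legitimate site, the site operator's first line of defence is noticing that its pages have changed. The following is an added example, not code from the article: a small Python integrity check that compares the inline scripts of a served page against an approved baseline and flags any newly appeared script that contains pop-up-related calls. The HTML samples are constructed for illustration, and `example.invalid` is a placeholder domain.

```python
from html.parser import HTMLParser
import hashlib


class _ScriptCollector(HTMLParser):
    """Collects the body of every inline <script> element on a page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self._buf = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf).strip())
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def inline_script_hashes(html):
    """Map sha256(script body) -> script body for all inline scripts."""
    parser = _ScriptCollector()
    parser.feed(html)
    return {hashlib.sha256(s.encode()).hexdigest(): s for s in parser.scripts}


# Strings typical of injected pop-up/overlay code; extend for your own site.
POPUP_MARKERS = ("window.open(", "showModalDialog(", "position:fixed")


def find_injected_popups(baseline_html, current_html):
    """Return inline scripts in current_html that are absent from the approved
    baseline, each tagged with the pop-up markers it contains (possibly none)."""
    known = inline_script_hashes(baseline_html)
    findings = []
    for digest, body in inline_script_hashes(current_html).items():
        if digest not in known:
            hits = [m for m in POPUP_MARKERS if m in body]
            findings.append({"sha256": digest, "markers": hits, "snippet": body[:80]})
    return findings


# Constructed sample: the approved page, then the same page with an implanted script.
BASELINE_HTML = "<html><body><script>var page='news'; trackView(page);</script><p>Welcome.</p></body></html>"
COMPROMISED_HTML = BASELINE_HTML.replace(
    "</body>", "<script>window.open('http://example.invalid/verify', 'sessionCheck');</script></body>")
```

Run the check from a scheduled job against a fresh fetch of each public page; any finding with a non-empty `markers` list deserves an immediate look, and any finding at all means the page no longer matches what was deployed.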

About Dan Blacharski

The corporate world unceremoniously booted Dan Blacharski out of his cubicle over 15 years ago, and he’s never looked back. Since that time, he has been a full-time professional freelance writer, public relations consultant and analyst, and has published six books and thousands of articles. He divides his time between South Bend, Indiana and Bangkok, and married the renowned Thai writer Charoenkwan Prakthong in 2005. He and his wife enjoy traveling the world, and spending time with their Boston Terrier, Pladook.