In-session phishing holds new potential for attack

Written by Jesmond Darmanin on January 14, 2009

Spam filtering software has gotten quite good at catching and eliminating many email-based phishing attacks. Traditionally, these emails disguise themselves so that they appear to be from a legitimate source, and trick the recipient into providing login details or account numbers.

But the bad guys in the phishing business are always trying to stay one step ahead of anti-phishing software, and like any good get-rich-quick schemer they always have half a dozen new scams up their sleeves. The latest is called “in-session phishing”, an attempt to bypass anti-spam software entirely: it abandons the traditional email attack and replaces it with a pop-up window.

It works by compromising a legitimate web site and implanting code on it that generates an illegitimate pop-up when visitors arrive at that site. Using a JavaScript function, the attacker determines whether the visitor is currently logged into one of several banking web sites; if so, the illegitimate pop-up appears. As in an email phish, the pop-up is made to look as though it comes from the legitimate source. It asks for identity information, which is then used, for example, to drain a bank account.
