A thief wanting to make cash by stealing sensitive information online can break into the banking systems that store such data or grab it as it travels over an insecure connection. But these days, it’s much easier to go “phishing” instead–in other words, to convince unwary Internet users to hand over such information themselves. To do this, phishers typically design fake versions of real websites–like a bank or an online retailer–and lure unwitting Web surfers into entering their login data or credit-card details. A common ploy is to sucker them in with an e-mail that claims to come from a real bank but actually contains links to one of the phishers’ bogus sites.
Would-be victims are growing familiar with this basic phishing attack, however, and many e-mail and browser vendors have introduced countermeasures to protect them. So phishers are searching for new ways to sting the unwary, says Amit Klein, CTO of Trusteer, based in Tel Aviv, Israel. For example, the microblogging site Twitter is increasingly being used to distribute phishing links.
Nonetheless, Klein says that “the [basic] attack will not be as successful in the future as it has been up until now,” and in an effort to prevent future phishing attacks, his company is looking for better ways to con people out of cash before the bad guys can. A worrying new tactic being explored by some phishers, says Klein, involves hacking into a legitimate website in order to inject malicious code that throws up a pop-up window requesting individuals’ usernames and passwords for a banking site. This approach is of limited value, however, since most users will be suspicious of the sudden request.
A vulnerability in major browsers recently discovered by Trusteer could make this trick much more dangerous, by allowing for “in-session phishing” and a more tailored attack. Using this new vulnerability, a phisher could detect, via the hacked site, when a user was already logged in to a banking website. The hacked site could then launch a pop-up warning the user that her session has timed out and asking her to reenter her login details. This approach would be less likely to raise a red flag, says Klein, since the pop-up does not appear completely out of the blue.