MIT Technology Review



Phishing 2.0: A vulnerability recently discovered by security company Trusteer would allow attackers to launch pop-ups matching those of a bank that a user is already logged in to, as shown above.

The core vulnerability discovered by the Israeli researchers is a Web browser flaw that lets the phisher see what other websites a person is visiting. Klein explains that a certain JavaScript function, commonly used by online retailers, financial institutions, and other sites, leaves a footprint revealing that the user is logged in to that site. Klein says that protections such as pop-up blockers wouldn’t necessarily derail the attack because the hacked site could itself be altered to seem like a request to log in again.

“I think it is great that we are trying to identify additional venues of phishing attacks such as this,” says Nitesh Dhanjani, an independent security researcher who studies phishing methods and trends. For the time being, Dhanjani says, this kind of attack is beyond the technical abilities of the average phisher. “The bar is far too low to enter the phishing game, so the phishers have no reason to evolve into a sophisticated community,” he says. However, as users are better protected against the most basic types of attack, he says, the technical bar for phishers could start to rise: “Perhaps this is when we will see slightly more advanced techniques incorporated into phishing kits.”

Klein says that Microsoft, Apple, and Mozilla have told him that they plan to issue fixes for the browser vulnerability discovered by Trusteer. He adds that users can protect themselves by being careful to log out of banking and e-commerce sites before visiting other websites.


Credits: Technology Review, Trusteer
