Technology Review
A Web browser loophole could make it easier for crooks to scam the unwary.
A thief wanting to make cash by stealing sensitive information online can break into the banking systems that store such data or grab it as it travels over an insecure connection. But these days, it's much easier to go "phishing" instead--in other words, to convince unwary Internet users to hand over such information themselves. To do this, phishers typically design fake versions of real websites--like a bank or an online retailer--and lure unwitting Web surfers into entering their login data or credit-card details. A common ploy is to sucker them in with an e-mail that claims to come from a real bank but actually contains links to one of the phishers' bogus sites.
Would-be victims are growing familiar with this basic phishing attack, however, and many e-mail and browser vendors have introduced countermeasures to protect them. So phishers are searching for new ways to sting the unwary, says Amit Klein, CTO of Trusteer, based in Tel Aviv, Israel. For example, the microblogging site Twitter is increasingly being used to distribute phishing links.
Nonetheless, Klein says that "the [basic] attack will not be as successful in the future as it has been up until now." In an effort to prevent future phishing attacks, his company is looking for better ways to con people out of cash before the bad guys can. A worrying new tactic being explored by some phishers, says Klein, involves hacking into a legitimate website in order to inject malicious code that throws up a pop-up window requesting individuals' usernames and passwords for a banking site. This approach is of limited value, however, since most users will be suspicious of the sudden request.
A vulnerability in major browsers recently discovered by Trusteer could make this trick much more dangerous, by allowing for "in-session phishing" and a more tailored attack. Using this new vulnerability, a phisher could detect, via the hacked site, when a user was already logged in to a banking website. The hacked site could then launch a pop-up warning the user that her session has timed out and asking her to reenter her login details. This approach would be less likely to raise a red flag, says Klein, since the pop-up does not appear completely out of the blue.
The article indicates this is a new form of phishing, but if it requires the hacker to inject JavaScript into an existing site, then the site is already vulnerable to all kinds of attack, the least of which is a pop-up that asks people to log in again. You could simply hijack their session, and the user wouldn't even know...
Perhaps a little more specifics (without revealing the hack) would help here.
I think the JavaScript doesn't need to be injected into the BANKING site. So the phisher hacks into and corrupts some other, non-banking, less-protected site that the user just happens to have open while he is doing online banking. The "hacked" site might even belong to the phisher.
That's exactly it, dmm. Thanks for giving the explanation.
arnetwork
new form of phishing
The article outlines a new, more sophisticated form of phishing in which an open hijacked website injects a phishing attack into an open online banking page display.
For the last couple of years I have made it a matter of course to close all browsers, clear all personal data from the browser cache, open a pristine browser with only the banking tab open, and then close and clear the browser when finished. I do this to prevent exactly this kind of attack.
It may not guarantee perfect security but it does help.