(Page 2 of 2)
Phishing 2.0: A vulnerability recently discovered by security company Trusteer would allow attackers to launch pop-ups matching those of a bank that a user is already logged in to, as shown above.
Trusteer
The core vulnerability discovered by the Israeli researchers is a Web browser flaw that lets the phisher see what other websites a person is visiting. Klein explains that a certain JavaScript function, commonly used by online retailers, financial institutions, and other sites, leaves a footprint revealing that the user is logged in to that site. Klein says that protections such as pop-up blockers wouldn't necessarily derail the attack because the hacked site could itself be altered to seem like a request to log in again.
"I think it is great that we are trying to identify additional venues of phishing attacks such as this," says Nitesh Dhanjani, an independent security researcher who studies phishing methods and trends. For the time being, Dhanjani says, this kind of attack is beyond the technical abilities of the average phisher. "The bar is far too low to enter the phishing game, so the phishers have no reason to evolve into a sophisticated community," he says. However, as users are better protected against the most basic types of attack, he says, the technical bar for phishers could start to rise: "Perhaps this is when we will see slightly more advanced techniques incorporated into phishing kits."
Klein says that Microsoft, Apple, and Mozilla have told him that they plan to issue fixes for the browser vulnerability discovered by Trusteer. He adds that users can protect themselves by being careful to log out of banking and e-commerce sites before visiting other websites.
The article indicates this is a new form of phishing, but if it requires the hacker to inject JavaScript into an existing site, then the site is already vulnerable to all kinds of attack, the least of which is a pop-up that asks people to log in again. You could simply hijack their session, and the user wouldn't even know...
Perhaps a little more specifics (*without revealing the hack) would help here.
I think the javascript doesn't need to be injected into the BANKING site. So the phisher hacks into and corrupts some other, non-banking, less-protected site that the user just happens to have open while he is doing online banking. The "hacked" site might even belong to the phisher.
That's exactly it, dmm. Thanks for giving the explanation.
new form of phishing
The article outlines a new, more sophisticated form of phishing involving using an open hijacked web site injecting a phishing attack into an open online banking page display.
For the last couple of years I have made it a matter of course to close all browsers, clear all personal data from the browser cache, open a pristine browser with only the banking tab open and then close and clear the browser when finished. I do this to prevent exactly this kind of attack.
It may not guarantee perfect security but it does help.