A thief wanting to make cash by stealing sensitive information online can break into the banking systems that store such data or grab it as it travels over an insecure connection. But these days, it’s much easier to go “phishing” instead–in other words, to convince unwary Internet users to hand over such information themselves. To do this, phishers typically design fake versions of real websites–like a bank or an online retailer–and lure unwitting Web surfers into entering their login data or credit-card details. A common ploy is to sucker them in with an e-mail that claims to come from a real bank but actually contains links to one of the phishers’ bogus sites.
Would-be victims are growing familiar with this basic phishing attack, however, and many e-mail and browser vendors have introduced countermeasures to protect them. So phishers are searching for new ways to sting the unwary, says Amit Klein, CTO of Trusteer, based in Tel Aviv, Israel. For example, the microblogging site Twitter is increasingly being used to distribute phishing links.
Nonetheless, Klein says that “the [basic] attack will not be as successful in the future as it has been up until now,” and in an effort to prevent future phishing attacks, his company is looking for better ways to con people out of cash before the bad guys can. A worrying new tactic being explored by some phishers, says Klein, involves hacking into a legitimate website in order to inject malicious code that throws up a pop-up window requesting individuals’ usernames and passwords for a banking site. This approach is of limited value, however, since most users will be suspicious of the sudden request.
A vulnerability in major browsers recently discovered by Trusteer could make this trick much more dangerous, by allowing for “in-session phishing” and a more tailored attack. Using this new vulnerability, a phisher could detect, via the hacked site, when a user was already logged in to a banking website. The hacked site could then launch a pop-up warning the user that her session has timed out and asking her to reenter her login details. This approach would be less likely to raise a red flag, says Klein, since the pop-up does not appear completely out of the blue.
“I think it is great that we are trying to identify additional venues of phishing attacks such as this,” says Nitesh Dhanjani, an independent security researcher who studies phishing methods and trends. For the time being, Dhanjani says, this kind of attack is beyond the technical abilities of the average phisher. “The bar is far too low to enter the phishing game, so the phishers have no reason to evolve into a sophisticated community,” he says. However, as users are better protected against the most basic types of attack, he says, the technical bar for phishers could start to rise: “Perhaps this is when we will see slightly more advanced techniques incorporated into phishing kits.”
Klein says that Microsoft, Apple, and Mozilla have told him that they plan to issue fixes for the browser vulnerability discovered by Trusteer. He adds that users can protect themselves by being careful to log out of banking and e-commerce sites before visiting other websites.
Why China is still obsessed with disinfecting everything
Most public health bodies dealing with covid have long since moved on from the idea of surface transmission. China’s didn’t—and that helps it control the narrative about the disease’s origins and danger.
These materials were meant to revolutionize the solar industry. Why hasn’t it happened?
Perovskites are promising, but real-world conditions have held them back.
Crypto is weathering a bitter storm. Some still hold on for dear life.
When a cryptocurrency’s value is theoretical, what happens if people quit believing?
Anti-aging drugs are being tested as a way to treat covid
Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.