A thief wanting to make cash by stealing sensitive information online can break into the banking systems that store such data or grab it as it travels over an insecure connection. But these days, it’s much easier to go “phishing” instead–in other words, to convince unwary Internet users to hand over such information themselves. To do this, phishers typically design fake versions of real websites–like a bank or an online retailer–and lure unwitting Web surfers into entering their login data or credit-card details. A common ploy is to sucker them in with an e-mail that claims to come from a real bank but actually contains links to one of the phishers’ bogus sites.
Would-be victims are growing familiar with this basic phishing attack, however, and many e-mail and browser vendors have introduced countermeasures to protect them. So phishers are searching for new ways to sting the unwary, says Amit Klein, CTO of Trusteer, based in Tel Aviv, Israel. For example, the microblogging site Twitter is increasingly being used to distribute phishing links.
Nonetheless, Klein says that “the [basic] attack will not be as successful in the future as it has been up until now,” and in an effort to prevent future phishing attacks, his company is looking for better ways to con people out of cash before the bad guys can. A worrying new tactic being explored by some phishers, says Klein, involves hacking into a legitimate website in order to inject malicious code that throws up a pop-up window requesting individuals’ usernames and passwords for a banking site. This approach is of limited value, however, since most users will be suspicious of the sudden request.
A vulnerability in major browsers recently discovered by Trusteer could make this trick much more dangerous, by allowing for “in-session phishing” and a more tailored attack. Using this new vulnerability, a phisher could detect, via the hacked site, when a user was already logged in to a banking website. The hacked site could then launch a pop-up warning the user that her session has timed out and asking her to reenter her login details. This approach would be less likely to raise a red flag, says Klein, since the pop-up does not appear completely out of the blue.
“I think it is great that we are trying to identify additional venues of phishing attacks such as this,” says Nitesh Dhanjani, an independent security researcher who studies phishing methods and trends. For the time being, Dhanjani says, this kind of attack is beyond the technical abilities of the average phisher. “The bar is far too low to enter the phishing game, so the phishers have no reason to evolve into a sophisticated community,” he says. However, as users are better protected against the most basic types of attack, he says, the technical bar for phishers could start to rise: “Perhaps this is when we will see slightly more advanced techniques incorporated into phishing kits.”
Klein says that Microsoft, Apple, and Mozilla have told him that they plan to issue fixes for the browser vulnerability discovered by Trusteer. He adds that users can protect themselves by being careful to log out of banking and e-commerce sites before visiting other websites.