On the heels of the phishing attacks on Twitter and Digg, where all that immediately seemed to be at risk were logon credentials to the social sites, comes a potentially much more insidious problem.
A user logs on to their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites. A short time later a pop-up appears, allegedly from the banking website, which asks the user to retype their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc. Since the user had recently logged on to the banking website, he/she will likely not suspect this pop-up is fraudulent and thus provide the requested details.
The good news: Trusteer has notified the browser makers and expects them to patch the bug.
And the company also offered these tips, which are common sense, but good advice nonetheless:
1. Deploy web browser security tools.
2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites.
3. Be extremely suspicious of pop-ups that appear in a web session if you have not clicked a hyperlink.