Browser bug increases vulnerability to phishing
On the heels of the phishing attacks on Twitter and Digg, where all that immediately seemed to be at risk were logon credentials to the social sites, comes a potentially much more insidious problem.
Security vendor Trusteer has found a JavaScript bug in all major browsers makes it easier for crooks to steal your login information while you're doing your online banking. It's called "in-session phishing," and what makes it more difficult to detect is that it happens when you're already logged into your banking site.
The crooks can hack legitimate websites to create a pop-up window to verify your identity when you're already on the site. Security vendor Trusteer found the JavaScript bug in the biggest browsers - Internet Explorer, Firefox, Safari and Chrome. A press release from Trusteer explained how it would work:
A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites. A short time later a popup appears, allegedly from the banking website, which asks the user to retype their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc. Since the user had recently logged onto the banking website, he/she will likely not suspect this popup is fraudulent and thus provide the requested details.
Because the window comes up when you're already on-site, you're more likely to belive it's real. The criminals can determine if you're logged on to one of 100 various banks or other financial institutions via a function in JavaScript, which Klein wouldn't discuss in more detail, because he didn't want to give the bad guys any ideas they didn't have already.
The good news: Trusteer has notified the browser makers and expects them to patch the bug.
And the company also offered these tips, which are common sense, but good advice nonetheless:
1. Deploy web browser security tools
2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites
3. Be extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink.