stringtranslate.com

In-session phishing

In-session phishing is a form of potential phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session.[1] This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.[2]

The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.[3]

The technique, which exploited a vulnerability in the JavaScript handling of major browsers, was found by Amit Klein, CTO of security vendor Trusteer, Ltd.[4][5] Subsequent security updates to browsers may have made the technique impossible.

References

  1. ^ Cert-IST. "Publication content". Cert-IST (in French). Retrieved 2024-07-18.[dead link]
  2. ^ Hruska, Joel (2009-01-13). "New in-session phishing attack could fool experienced users". Ars Technica. Retrieved 2024-04-16.
  3. ^ Arellano, Nestor; McMillan, Robert (6 February 2009). "In-session phishing a new threat to online businesses". Network World Canada. 25 (3). ProQuest 198831313.
  4. ^ Kaplan, Dan (14 January 2009). "New phishing ploy exploits secure sessions to hijack data". iTnews.
  5. ^ "Archived copy" (PDF). Archived from the original (PDF) on 2009-01-22. Retrieved 2009-01-20.{{cite web}}: CS1 maint: archived copy as title (link)[full citation needed]

External links


  • v
  • t
  • e