Browser Bug Could Allow Phishing Without Email

January 12, 2009 – 7:57 PM

A bug found in all major browsers could make it easier for criminals to steal online banking credentials using a new type of attack called “in-session phishing,” according to researchers at security vendor Trusteer.

In-session phishing gives the bad guys a solution to the biggest problem facing phishers these days: how to reach new victims. In a traditional phishing attack, the scammers send out millions of phoney e-mail messages disguised to look like they come from legitimate companies, such as banks or online payment companies.

Those messages are often blocked by spam-filtering software, but with in-session phishing, the e-mail message is taken out of the equation, replaced by a pop-up browser window.

Here’s how an attack would work: The bad guys would hack a legitimate Web site and plant HTML code that looks like a pop-up security alert window. The pop-up would then ask the victim to enter password and login information, and possibly answer other security questions used by the banks to verify the identity of their customers.

Source:
http://www.pcworld.com/article/156974/browser_bug_could_allow_phishing_without_email.html?tk=rss_news
