Fraudsters have the potential to develop techniques for mounting phishing attacks using pop-up dialogue boxes instead of spoofed emails, security start up Trusteer warns. Although the firm isn't able to cite example of the possible next-generation attack, which it describes as in-session phishing, that attack scenario is plausible enough to merit a closer look.
In-session phishing, like drive-by download attacks, first relies on planting malicious code on targeted web sites. But instead of redirecting surfers to maliciously constructed websites under the control of hackers, where browser vulnerabilities might be used to load malware on poorly secured Windows PCs, the hostile code is used to generate rogue pop-up browser windows.
Prospective marks would be invited to hand over their online login credentials in response to this dialogue box. The approach eliminates the need to smuggle fraudulent emails past spam filters and has the advantage of novelty in catching out the unwary, to say nothing of plausibility since the pop-up would appear to come from a user's bank. The approach also has the advantage of doing away with the scatter-gun approach of conventional phishing attacks.
The method would be drawn into play once a user has logged into an online banking, brokerage, or other secure web application, Trusteer explains.
"'In-session' attacks are more likely to succeed since they occur after a user has logged onto a banking or other secure website," explained Amit Klein, CTO of Trusteer. "Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques especially when accessing financial applications."
Miscreants hoping to mount an attack based on the approach face two potential stumbling blocks. First, they have to find an e-commerce or banking website open to compromise. Such attacks occur all the time and so don't really represent a serious obstacle for more skilled hackers. The second condition for a successful attack poses an altogether tougher nut to crack, however.
In order for the attack to succeed, malware injected onto a compromised website needs to identify which website the prospective mark is currently logged onto. Trusteer reckons the fraudulent pop-up boxes generated via the attack would be most plausibly generated when a surfer navigates to another site, leaving a secure session running at the same time.
Trusteer explains the attack in greater depth, together with tips for web users in avoiding compromise, in an advisory here (PDF). ®