Phishing Attack Compromises Secure Web Site Sessions

By Matthew Hines  |  Posted 2009-01-16 Print this article Print

Online data security specialists Trusteer have detailed the emergence of a new brand of phishing threat that can be used to hijack secure online user sessions to steal credentials and commit subsequent cyber-fraud.

According to the research report, the advanced phishing technique can be used to inject fraudulent information requests into all major browsers and many authenticated online applications, including e-banking and brokerage systems.

Essentially, the malware technique involved in the schemes, dubbed Session Phishing, attempts to trick users into handing over their information after they've already logged into various sites or applications using pop-up windows.

Trusteer is calling the phishing method a form of "in-session" attack which packs a potent punch as users have already authenticated into known applications when it is launched, thereby playing off an established level of trust. The malware specifically rears its head when financially-oriented sites are being accessed, the researchers said.

"Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques especially when accessing financial applications," said Amit Klein, CTO of Trusteer, in a research note.

The specifics as explained by Trusteer:

A typical In Session Phishing attack would occur as follows. A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other Web sites.

A short time later a popup appears, allegedly from the banking Web site, requesting the user retype their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc. Since the user had recently logged onto the banking Web site, he/she will likely not suspect this popup is fraudulent and thus provide the requested details.

In order for In-Session Phishing attacks to succeed the following conditions are required:

-A base Web site must be compromised from which the attack can be launched

-The malware (injected on the compromised Web site) must be able to identify which Web site the victim user is currently logged on to

The company pointed out that the first task is easier for attackers to achieve, with the sheer number of sites located online. And while the second piece is a bit harder to carry off, at least on a widespread basis, the experts said that a "variety of techniques" are already available and documented for pulling it off.

So, if you weren't already leery of unexpected pop-ups, avoid them, even when they seem legitimate.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel