Anti-Phishing Blog

Wednesday, January 21, 2009

Phishing with the web

In-Session Phishing

A JavaScript vulnerability in most web browsers can be used for "in-session phishing," a new form of phishing attack that doesn't depend on email to deliver its lure to potential victims. The trick uses a pop-up window that emulates a security alert and asks for password and login information.

Amit Klein, the chief technology officer at security vendor Trusteer, has notified browser makers of the flaw. An in-session phishing attack involves hacking a site to insert HTML code that looks like a security warning. A JavaScript bug allows this pop-up to appear valid and legitimate on the web site. The pop-up asks the user to re-enter user names and passwords. Klein believes the hacker could write code that recognizes the user's location and pops up the verification window to deliberately capture bank logon information.

Banks need to monitor their web sites, keep their systems updated, and continue to urge their users to keep their systems updated as well.

