Businesses that allow clients to log into online accounts run the risk of falling prey to a new kind of phishing attack which exploits a vulnerability found in all major browsers to enable hackers to bypass spam filters.
In traditional phishing attacks, scammers send out millions of bogus e-mail messages disguised as letters from legitimate companies such as banks, online payment firms and other financial organizations. A large number of these messages are blocked by spam filtering software. However, with in-session phishing, the e-mail message is replaced by a pop-browser window which evades filters designed to block spam e-mails, according to security vendor Trusteer Ltd. of Tel Aviv.
In this type of attack, scammers are most likely hack a legitimate Website and plant an HTML code that looks like a pop-up security alert window. When a customer logs onto the site, the pop-up appears on the customer’s computer screen. The pop-up then asks for the victim to enter his or her password, login information and possibly answer other security questions used by banks and other businesses to identify their customers.
“Based on the description of the threat, any Canadian business that either requires or allows its clients to login to an account could be susceptible, says James Quin, senior research analyst for Info-Tech Research Group in London, Ont.
Some users, Quin said, could be tipped off by the appearance of the pop-up because most businesses typically use static Webpages that are SSL (secure socket layer) encrypted when requesting information from clients.
“Working via pop-up is a bit unusual. Still, most users will likely assume that a pop-up that looks like it’s from the business site to which they are logged onto is safe and may respond to the message,” Quin warned.
The target company’s infrastructure must also be susceptible to being hacked for scammers to be able to plant their fake pop-up, the analyst said. Some browsers such as Firefox also have phishing detectors. “As long as these businesses stay up to date on their patching, the likelihood of this threat will be low because the bug is in the browser and not in the Web server.”
A comprehensive support strategy and solution is critical to meeting new and existing customer expectations and doing business on their terms.
For attackers, the hard part would be convincing victims that this pop-up notice is legitimate. But thanks to a bug found in the JavaScript engines of all the most widely-used browsers, there is a way to make this type of attack seem more believable, said Amit Klein, Trusteer’s chief technology officer.
By studying the way browsers use JavaScript, Klein said he has found a way to identify whether or not someone is logged into a Web site, provided they use a certain JavaScript function. Klein wouldn’t name the function because it would give criminals a way to launch the attack, but he has notified browser makers and expects the bug will eventually get patched.
Until then, criminals who discover the flaw could write code that checks whether Web surfers are logged into, for example, a predetermined list of 100 banking sites. “Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user is currently logged into one of 100 financial institution Web sites,” he said.
“The fact that you’re currently in-session lends a lot of credibility to the phishing message,” he added.
Security researchers have developed other ways to determine whether a victim is logged into a certain site, but they are not always reliable. Klein said his technique doesn’t always work but it can be used on many sites including banks, on-line retailers, gaming and social networking sites.
As with all phishing threats, the primary method of defence is education, says Quin.
“Be cautious and use common sense. If you are able to login to a website, there is likely nothing wrong with your credentials so it is unlikely that the website would ask for that information a second time,” he said.
Make sure as a user that you understand the policies of the businesses with whom you have accounts to determine if they are likely to participate in this kind of request for information procedure (most are likely not to). If some kind of pop-up does appear requesting your information, notify the security control group (usually there is a link on the businesses webpage) of the problem, said Quin.
ITWorld Canada cyber threat and e-mail resources:
E-mail archiving lets businesses manage correspondence
Consider these five steps when implementing your e-mail archiving solution
Cyber threats accelerate, browser vulnerabilities proliferate in H1 2008: IBM X-Force Report