Phishing without bait: The in-session password theft attack

Skilled identity thieves can pilfer user names, passwords and other sensitive data for banking sites without using e-mail lures and other social engineering tactics.

According to a security advisory from Trusteer, hackers can launch what is described as “in-session phishing attacks” using pop-up messages during an active browser session. Although the attack technique is somewhat sophisticated (it requires that a base Web site be compromised and that the attacker know which Web site the victim is currently logged into), in-session phishing can be highly effective because the average end user is likely to enter credentials without a second thought.

Here’s how it works:

  1. A user logs onto their online banking application. Leaving this browser window open, the user then navigates to other Web sites.
  2. A short time later a pop-up box appears, allegedly from the banking website, requesting the user re-type their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc.
  3. Since the user had recently logged onto the banking website, he/she will likely not suspect this pop-up is fraudulent and thus provide the requested details.

To mount a successful in-session phishing attack, a base Web site must be compromised (check!), and the malware injected into the hijacked Web site must be able to identify the site the user is logged into (not trivial, but very possible).

Trusteer has issued a research paper (.pdf) that calls attention to a vulnerability in the JavaScript engine of all leading browsers — Internet Explorer, Firefox, Safari, and Chrome — which allows a Web site to check whether a user is currently logged onto another website.

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

It explains that a skilled attacker can program a compromised website to maintain a list of sites it wants to check.

There is no limit to the number of URLs that a compromised website can check for logged-on users. It simply asks the browser a simple question: “is the user currently logged onto this specific website?” and the browser will answer “yes” or “no”. Once the compromised website identifies a website to which the user is logged on, it can inject a pop-up message in the browser pretending to be from the legitimate website and asking for credentials and private information.

To protect themselves from in-session phishing attacks, Trusteer recommends that users:

  1. Deploy Web browser security tools.
  2. Always log out of banking and other sensitive online applications and accounts before navigating to other websites.
  3. Be extremely suspicious of pop-ups that appear in a web session if you have not clicked a hyperlink.

* Image source: ToastyKen’s Flickr photostream (Creative Commons 2.0)

[Source: zdnet]