Phishing In-Session …

by Sachin Balagopalan on January 23, 2009

Most of us have received phishing emails at one time or another, and some have even fallen victim to these attacks. You receive an email that looks like it’s from your bank or credit card company warning you that your account will be deactivated if you don’t update your profile information, or something to that effect. At the bottom of the email there’s usually a link to a fraudulent site that looks exactly like the bank or credit card company’s website, and if you’re not paying attention you could easily hand over your login credentials and other personal information such as your social security number. Thankfully people are savvier nowadays when using the web, and most of us have learned how to recognize these fraudulent emails.

Unfortunately hackers are always looking for new ways to phish, and a recently reported security hole affecting all the major browsers could lead to a more sophisticated method of phishing called “in-session phishing”. The vulnerability is explained as follows …

Researchers have found a vulnerability in the JavaScript engine of all leading browsers, including Internet Explorer, Firefox, Safari and Chrome, which allows a website to check whether a user is currently logged onto another website. The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer, and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced. - Born Identity

This is how it would basically work … While surfing the web you land on a legitimate website that a phisher broke into earlier and planted some code on. Before arriving at this infected site you were doing some online banking and still have that browser session open. The planted code includes the JavaScript function used to check whether you’re logged into any banking sites. If the check succeeds, the code pops up a new browser window that looks like your bank’s website and prompts you to log in again because “your session has timed out”. Since you were doing some online banking a few minutes ago you probably won’t think twice, and by logging in you hand your credentials to the phisher.

While this is certainly more sophisticated than email phishing, it’s still well within the realm of possibility. It’s always a good habit to log out of any sensitive websites completely before navigating elsewhere or opening another browser window.
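The scenario above means that some third-party page has to make the visitor’s browser touch the bank’s site while the banking session is still alive, and from the bank’s side that request shows up with a Referer header naming the foreign page. The following is an added example, not code from the original post or from the researchers, of a simple log check a site operator could run to surface such cross-site loads of authenticated-only resources. The log format, the host name `bank.example`, the list of authenticated-only paths, and the sample log lines are all constructed assumptions for the example.

```javascript
// Added example (not from the original post): flag requests for
// authenticated-only resources that arrive with a foreign Referer, which is
// how a probe planted on another site would look in this site's access log.
// Log format, field names and all sample values are assumptions.

const ALLOWED_REFERER_HOSTS = new Set(["bank.example"]); // assumed first-party host

// Paths that only render meaningfully for an authenticated session (assumed list).
const AUTH_ONLY_PATHS = ["/account/", "/api/session", "/js/logged-in.js"];

// Constructed sample log lines in a simplified combined-log style:
// ip - user [time] "METHOD path proto" status "referer" "user-agent"
const SAMPLE_LOG = `
10.0.0.5 - - [23/Jan/2009:10:00:01 +0000] "GET /account/summary HTTP/1.1" 200 "https://bank.example/account/" "Mozilla/5.0"
10.0.0.5 - - [23/Jan/2009:10:03:12 +0000] "GET /js/logged-in.js HTTP/1.1" 200 "http://news.example/article" "Mozilla/5.0"
10.0.0.9 - - [23/Jan/2009:10:03:14 +0000] "GET /public/rates HTTP/1.1" 200 "http://news.example/article" "Mozilla/5.0"
10.0.0.7 - - [23/Jan/2009:10:04:00 +0000] "GET /api/session HTTP/1.1" 200 "-" "Mozilla/5.0"
`.trim();

// One regex for the simplified log format above.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)" "([^"]*)"$/;

// Parse a single log line into an object, or return null if it does not match.
function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4],
    status: Number(m[5]), referer: m[6], ua: m[7],
  };
}

// Hostname of the Referer, or null when absent ("-") or unparseable.
function refererHost(referer) {
  if (!referer || referer === "-") return null;
  try {
    return new URL(referer).hostname;
  } catch (e) {
    return null;
  }
}

// True when the path is one that only an authenticated session should fetch.
function isAuthOnly(path) {
  return AUTH_ONLY_PATHS.some((p) => path === p || path.startsWith(p));
}

// Return the entries that look like cross-site loads of logged-in-only resources.
function findCrossSiteProbes(logText) {
  const hits = [];
  for (const raw of logText.split("\n")) {
    const entry = parseLogLine(raw.trim());
    if (!entry) continue;
    const host = refererHost(entry.referer);
    if (host === null) continue;                // direct navigation: not a cross-site load
    if (ALLOWED_REFERER_HOSTS.has(host)) continue; // first-party page, expected
    if (!isAuthOnly(entry.path)) continue;      // public resources get hotlinked legitimately
    hits.push({ ip: entry.ip, time: entry.time, path: entry.path, refererHost: host });
  }
  return hits;
}

// Stand-alone run over the constructed sample: prints the one suspicious line.
for (const h of findCrossSiteProbes(SAMPLE_LOG)) {
  console.log(`possible in-session probe: ${h.ip} fetched ${h.path} from ${h.refererHost} at ${h.time}`);
}
```

A single hit is not proof of anything, since legitimate embeds and misconfigured third-party widgets produce the same pattern; the value is in aggregating by Referer host so that a compromised site sending many different sessions to the same logged-in-only resource stands out. Pairing this with a short idle timeout on the banking session, as the advice to log out suggests, shrinks the window in which the check can succeed at all.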


Copyright © 2007–2009, Republic of Internets. All rights reserved.
