In-session phishing
This article needs to be updated. (July 2024) |
In-session phishing is a form of potential phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session.[1] This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.[2]
The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.[3]
The technique, which exploited a vulnerability in the JavaScript handling of major browsers, was found by Amit Klein, CTO of security vendor Trusteer, Ltd.[4][5] Subsequent security updates to browsers may have made the technique impossible.
References
[edit | edit source]- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- ^ Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).[full citation needed]
External links
[edit | edit source]- Lua error in Module:Citation/CS1/Configuration at line 2172: attempt to index field '?' (a nil value).
- New Phishing Attack Targets Online Banking Sessions With Phony Popups
- New in-session phishing attack could fool experienced users
