
It's a new year and — what do you know — there's a new tactic in the endless quest for new and improved phishing schemes from scammers.
Researchers at Trusteer [1] recently released a security advisory detailing this new phishing technique. Rather than using email to lure unsuspecting victims into clicking over to a fake web site, this technique uses what Trusteer is calling "in-session" attacks. Here's a typical scenario:
That's it! Their login credentials are now in the hands of the scammers.
A few things have to be in place for this to work. First, the scammers need a compromised web server on which to plant their malicious code. Unfortunately, there are lots of those around. Second, that code has to be able to figure out which other sites the user currently has a session open with (that's the "in-session" part). This is made possible by a vulnerability in the JavaScript engines used by Internet Explorer, Firefox, Safari, and Chrome.
From Trusteer:
The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.
Well, the planets have to align a bit to pull this scam off, and with any luck the JavaScript vulnerability will be patched in the near future.
Until then, Trusteer recommends the following preventative measures:
and most of all...
Learn more about this attack by downloading Trusteer's security advisory [4].
Links:
[1] http://trusteer.com/
[2] http://www.webkinz.com
[3] http://fightidentitytheft.com/www.pogo.com
[4] http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf