In-session phishing
Encyclopedia
In-session phishing is a form of phishing
attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking
website) on the same web browser
, and to then launch a pop-up window that pretends to have been opened from the targeted session. This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.
The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.
The technique was originally documented by Amit Klein, CTO of security vendor Trusteer, Ltd. in the following paper: http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT...
attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking
Online banking
Online banking allows customers to conduct financial transactions on a secure website operated by their retail or virtual bank, credit union or building society.-Features:...
website) on the same web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
, and to then launch a pop-up window that pretends to have been opened from the targeted session. This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.
The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.
The technique was originally documented by Amit Klein, CTO of security vendor Trusteer, Ltd. in the following paper: http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
External links
- New Phishing Attack Targets Online Banking Sessions With Phony Popups
- New in-session phishing attack could fool experienced users
- Main Trusteer Wikipedia PageTrusteerTrusteer is a privately held computer security firm responsible for the development of Rapport security software. The company has headquarters in Boston, Massachusetts in the United States.- Rapport software :...