6/16/2009

Hackers exploit Browser Bug for fishing without sending E-Mail

I was just going through the March 2009 Issue of the PCWorld and here's something I wanted to share with the readers of Online Guide

"In a traditional phishing attack, a scammer sends out millions of phony e-mail messages disguised to look as if they come from legitimate companies.
But researchers at security vendor Trusteer say that “in-session phishing,” a new type of at tack, could help criminals steal on line banking credentials by replacing the e-mail message with a pop-up browser window. Scammers might hack into a legitimate Web site to plant HTML code that looks like a pop-up security alert asking the victim to enter log-in information and to answer other security questions that banks use to verify a customer’s identity.

For attackers, the hard part would beto convince victims that the pop-up notice is legitimate. But because of a bug lurking in the JavaScript engines of all of the most widely used browsers, there is a way to make this type of attack seem more believable, says Amit Klein, Trusteer’s chief technology officer.
By studying how browsers use JavaScript, Klein says, he found a way to determine whether someone is logged
in to a Web site, provided that they use a certain JavaScript function. Klein has notified browser makers and expects the bug will eventually get patched. Until then, criminals who find the flaw may be able to write code that checks whether Web surfers are logged in to, say, a predetermined list of major banking sites. “Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user iscurrently logged in to one of 100 financial institution Web sites,” Klein says."

Sounds interesting isn't it. A couple of months have passed since this article was published. Since then, there have been many developments in the browser market like Chrome 2.0, Safari 4 and even a hidden beta update to Mozilla.
Hope they fixed the issue!

0 comments: