The JavaScript engines of all major browsers are vulnerable

Jan 15, 2009 09:43 GMT  ·  By

Researchers from Israel-based security consultancy Trusteer have documented a new and highly effective type of phishing attack that no longer relies on e-mail. The technique is based on an undisclosed flaw in the JavaScript implementations of all leading browsers – Internet Explorer, Firefox, Safari and Chrome – the company claims.

Traditional phishing attacks rely heavily on fake e-mail messages sent to as many users as possible. The social engineering in these messages ranges from impersonating financial institutions, online retailers or government agencies to capitalizing on world events, for example by impersonating a relief fund raising money for the victims of a large-scale accident.

The new phishing attack described by the Trusteer researchers takes the e-mail component out of the equation and instead uses web-based fake alerts that try to trick users into providing their login credentials. Such attacks have been seen before, but they are not very effective, because identity thieves struggle to make these warnings appear genuine.

“Many recent phishing attacks claim to be security warnings, alerting users to suspicious activity in their account or offering a new 'security mechanism.' However, this scare tactic is also becoming less effective,” the experts say. The company claims that a new vulnerability discovered by a research team led by Amit Klein, Trusteer's CTO, has the potential to significantly increase the effectiveness of such phishing attacks.

The security threat is in fact a traceable JavaScript function that lets attackers check whether a visiting user is logged into certain websites, hence the “in-session” name given to this attack. “Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.”

A phishing attack based on this vulnerability would be carried out in two steps. First, the attacker compromises a legitimate, popular website through cross-site scripting (XSS) or SQL injection. This lets them serve rogue code to visiting users without being easily detected. That code then exploits the JavaScript flaw to check whether the visitor is currently authenticated on any of a predefined list of websites.

If the user is found to be logged in to a website on the list, the code generates a web-based pop-up claiming to come from that website. A security warning stating, for example, that “Your login session with [banking website] has expired. Please sign back in using the this [sic] form,” is highly credible, because the user knows that they are indeed logged in to that banking website.

“There is no limit to the number of URLs that a compromised website can check for logged on users. It simply asks the browser a simple question: 'is the user currently logged onto this specific website' and the browser will answer 'yes' or 'no,'” the researchers explain.

Other, less reliable methods of determining whether a user is logged in to a website have been documented in the past. For this reason, security experts have long advised that online banking or shopping sessions be kept separate from regular browsing. Some professionals go further and recommend performing such sensitive online activities in a separate browser altogether. “Be extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink,” the Trusteer advisory concludes.