Traditional phishing attacks rely heavily on fake e-mail messages sent to as many users as possible. The level of social engineering involved in these messages ranges from impersonating financial institutions, online retailers, or governmental agencies, to trying to capitalize on world events, for example, by impersonating a relief fund raising money for the victims of a large-scale accident.
The new phishing attack described by the Trusteer researchers takes the e-mail component out of the equation and instead uses web-based fake alerts that try to trick individuals into providing their login information. Such attacks have been noticed in the past too, but they are not very effective, due to the various problems the identity thieves face in making these warnings appear real.
“Many recent phishing attacks claim to be security warnings, alerting users to suspicious activity in their account or offering a new 'security mechanism.' However, this scare tactic is also becoming less effective,” the experts say. The company claims that a new vulnerability discovered by a research team led by Amit Klein, Trusteer's own CTO, has the potential to significantly increase the effectiveness of such phishing attacks.
If a user is identified as being logged in on a website in the list, the code would then generate a web-based pop-up claiming to be from that website. A security warning which claims, for example, that “Your login session with [banking website] has expired. Please sign back in using the this [sic] form,” would appear very credible to users who know that they are indeed authenticated on that banking website.
“There is no limit to the number of URLs that a compromised website can check for logged on users. It simply asks the browser a simple question: 'is the user currently logged onto this specific website' and the browser will answer 'yes' or 'no,'” the researchers explain.
Other, less reliable, methods of determining whether a user is logged in on a website have been documented in the past. Because of this, security experts have long advised that online banking or shopping sessions should be performed independently from regular browsing. Moreover, some professionals recommend that such sensitive online activities be performed from a separate browser altogether. “Be extremely suspicious of pop ups that appear in a web session if you have not clicked a hyperlink,” the Trusteer advisory concludes.