Misplaced Pages

In-session phishing

Article snapshot taken from[REDACTED] with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
This article needs to be updated. Please help update this article to reflect recent events or newly available information. (July 2024)
Type of phishing attack

In-session phishing is a form of potential phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session. This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.

The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.

The technique, which exploited a vulnerability in the JavaScript handling of major browsers, was found by Amit Klein, CTO of security vendor Trusteer, Ltd. Subsequent security updates to browsers may have made the technique impossible.

References

  1. Cert-IST. "Publication content". Cert-IST (in French). Archived from the original on 2024-07-18. Retrieved 2024-07-18.
  2. Hruska, Joel (2009-01-13). "New in-session phishing attack could fool experienced users". Ars Technica. Retrieved 2024-04-16.
  3. Arellano, Nestor; McMillan, Robert (6 February 2009). "In-session phishing a new threat to online businesses". Network World Canada. 25 (3). ProQuest 198831313.
  4. Kaplan, Dan (14 January 2009). "New phishing ploy exploits secure sessions to hijack data". iTnews.
  5. "Archived copy" (PDF). Archived from the original (PDF) on 2009-01-22. Retrieved 2009-01-20.{{cite web}}: CS1 maint: archived copy as title (link)

External links


Stub icon

This World Wide Web–related article is a stub. You can help Misplaced Pages by expanding it.

Categories:
In-session phishing Add topic