In-session phishing
In-session phishing is a form of phishing attack that relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) in the same web browser, and then launching a pop-up window that pretends to have been opened from the targeted session.[1] This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as in other phishing attacks.[2]
The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.[3]
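The detection step described above works only if something a third-party page can trigger in the browser behaves differently depending on whether the user is logged in to the targeted site. The article does not say which browser-side leak was involved, so the following is an added example from a defender's point of view, not code from the original article or from Trusteer: a constructed, in-memory request handler for a hypothetical banking site that makes every response reachable from a cross-site page independent of session state. It assumes a browser that sends the Fetch Metadata request header `Sec-Fetch-Site` (a real header in current browsers) and honours the `SameSite` cookie attribute; the endpoint names, usernames and session tokens are constructed for the example.

```python
"""Constructed example: serving login-state-dependent data only to same-origin
requests, so that a cross-site page cannot learn whether a session exists."""
import json
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Response:
    status: int
    headers: dict
    body: str


# Values of Sec-Fetch-Site that a browser sends for requests initiated by
# the site itself (same-origin) or by the user typing a URL / bookmark (none).
TRUSTED_FETCH_SITES = {"same-origin", "none"}


@dataclass
class BankServer:
    """Minimal stand-in for a site with authenticated sessions (hypothetical)."""
    sessions: dict = field(default_factory=dict)  # session id -> username

    def login(self, username: str) -> Response:
        """Issue a session cookie. SameSite=Strict keeps the browser from
        attaching it to requests that another site initiates."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        cookie = f"sid={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"
        return Response(200, {"Set-Cookie": cookie}, "ok")

    def _session_user(self, headers: dict):
        jar = SimpleCookie(headers.get("Cookie", ""))
        morsel = jar.get("sid")
        return self.sessions.get(morsel.value) if morsel else None

    def handle(self, path: str, headers: dict) -> Response:
        """Route a request. Any endpoint whose output depends on session state
        answers cross-site (or header-less, i.e. unknown-origin) requests with
        one fixed response, regardless of whether a valid cookie was sent."""
        if path == "/public":
            # Public content may be embedded anywhere; it never reflects state.
            return Response(200, {"Cache-Control": "public"}, "welcome")
        if path == "/session/status":
            fetch_site = headers.get("Sec-Fetch-Site", "missing")
            if fetch_site not in TRUSTED_FETCH_SITES:
                # Deliberately identical for logged-in and anonymous callers.
                return Response(403,
                                {"Cache-Control": "no-store", "Vary": "Sec-Fetch-Site"},
                                "")
            user = self._session_user(headers)
            body = json.dumps({"logged_in": user is not None, "user": user})
            return Response(200,
                            {"Content-Type": "application/json",
                             "Cache-Control": "no-store", "Vary": "Cookie"},
                            body)
        return Response(404, {}, "")


def cross_site_distinguishable(server: BankServer, path: str, cookie: str) -> bool:
    """Defender's check: does a cross-site request observe anything different
    when the victim's session cookie is present? True means a leak."""
    with_cookie = server.handle(path, {"Cookie": cookie, "Sec-Fetch-Site": "cross-site"})
    without = server.handle(path, {"Sec-Fetch-Site": "cross-site"})
    return with_cookie != without


if __name__ == "__main__":
    bank = BankServer()
    cookie = bank.login("alice").headers["Set-Cookie"].split(";")[0]
    print(bank.handle("/session/status", {"Cookie": cookie, "Sec-Fetch-Site": "same-origin"}).body)
    print("cross-site leak:", cross_site_distinguishable(bank, "/session/status", cookie))
```

The check in `cross_site_distinguishable` is the property to test on any endpoint a third-party page can reach: compare the full response (status, headers and body, and in a real deployment timing as well) with and without the victim's cookie, and treat any difference as a session-detection leak. Falling back to the deny branch when `Sec-Fetch-Site` is absent covers browsers that do not send Fetch Metadata, at the cost of requiring SameSite cookies and same-origin callers for such endpoints.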
The technique, which exploited a vulnerability in the JavaScript handling of major browsers, was found by Amit Klein, CTO of security vendor Trusteer, Ltd.[4][5] Subsequent browser security updates may have made the technique impossible.
References
- Cert-IST. "Publication content" (in French). https://www.cert-ist.com/public/en/SO_detail.
- Hruska, Joel (2009-01-13). "New in-session phishing attack could fool experienced users". Ars Technica. https://arstechnica.com/information-technology/2009/01/new-method-of-phishmongering-could-fool-experienced-users/.
- Arellano, Nestor; McMillan, Robert (6 February 2009). "In-session phishing a new threat to online businesses". Network World Canada 25 (3). ProQuest 198831313.
- Kaplan, Dan (14 January 2009). "New phishing ploy exploits secure sessions to hijack data". iTnews. https://www.itnews.com.au/news/new-phishing-ploy-exploits-secure-sessions-to-hijack-data-132985.
- "Archived copy". Archived from the original on 2009-01-22. https://web.archive.org/web/20090122022921/http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf. Retrieved 2009-01-20.
External links
- Eisen, Ori (March 2009). "In-session phishing and knowing your enemy". Network Security 2009 (3): 8–11. doi:10.1016/S1353-4858(09)70027-3.
- New Phishing Attack Targets Online Banking Sessions With Phony Popups
- New in-session phishing attack could fool experienced users
