There is a new phishing attack hitting the web, and it's a pretty clever one!
Most phishing attacks up until now have taken the form of an e-mail sent to a potential victim saying, for example, that your bank needs you to verify some information. It provides a link to a fake page that looks exactly like your bank's login page, but when you enter your details they are sent off to someone who will put them to good use... for themselves.
Most people have become aware of these and know to just delete them, and most end up in the Spam / Junk folder anyway. So this new attack takes phishing to a cunning new level, again preying on people's bad web habits.
This is how the attack works:
- You log on to your bank's website and do whatever you need to
- When you're done you visit another website without logging out
- However, this other website has been compromised and is serving malicious script
- This script causes a pop-up box to appear asking you to log in to your bank again
- You haven't logged out, so you assume it's your bank's website asking
- You enter your login details, and then it's bye-bye money!!
What makes this attack really effective is the way it determines when to trigger the pop-up. There is a flaw in the JavaScript engines of all the major browsers (this is probably already being fixed or has been fixed, so update your browser now) which means that when you visit a site that uses a particular JavaScript function while you are logged in, the browser is left holding a footprint that identifies that site.
The malicious script on the compromised site can then probe the browser for these footprints to work out which sites the user is currently logged in to. If the user is logged in to a site the attacker is interested in, the script injects a pop-up that looks like it comes from that site, and the user is none the wiser as they enter their details. The thing to remember is that the pop-up is drawn by the compromised page (or a window it opened), not by the bank: the address it is really running under is never the bank's, and the details go wherever the attacker's script sends them.
So there are several things you can do to avoid this sort of problem. The most important is to log out of sites that hold sensitive information about you (e.g. banking websites) as soon as you are finished with them; a session you have closed cannot be phished "in session". Also be very wary of pop-up messages asking you to log in again. No banking website will do this: your session will simply time out and you will have to log in again through their main page. If you are ever in doubt, close the pop-up, type the bank's address in yourself and log in there.
Something else to bear in mind is that, as of May 2008, 68% of malware-infested sites were legitimate. There is a common misconception that you can only pick up malware by visiting warez or porn sites, or through peer-to-peer software. This is not the case! Yes, these are places you want to avoid, but legitimate sites are also vulnerable, so keep your firewall and anti-virus up to date.
Thanks to ZDNet for this information…