HOME

TheInfoList



Click Here for Items Related To - In-session Phishing
OR:
In-session Phishing on:   [Wikipedia]   [Google]   [Amazon]

In-session phishing is a form of potential
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
attack which relies on one
web browsing Web navigation refers to the process of navigating a Computer network, network of web resource, information resources in the International World Wide Web Conference, World Wide Web, which is organized as hypertext or hypermedia. The user interface ...
session being able to detect the presence of another session (such as a visit to an
online banking Online banking, also known as internet banking, web banking or home banking, is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial inst ...
website) on the same
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
, and to then launch a
pop-up window Pop-up ads or pop-ups are forms of online advertising on the World Wide Web. A pop-up is a graphical user interface (GUI) display area, usually a small window, that suddenly appears ("pops up") in the foreground of the visual interface. The pop-u ...
that pretends to have been opened from the targeted session. This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks. The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user. The technique, which exploited a vulnerability in the
JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...
handling of major browsers, was found by Amit Klein, CTO of security vendor
Trusteer Trusteer is a Boston-based computer security division of IBM, responsible for a suite of security software. Founded by Mickey Boodaei and Rakesh K. Loonkar, in Israel in 2006, Trusteer was acquired in September 2013 by IBM for $1 billion. Trust ...
, Ltd. Subsequent security updates to browsers may have made the technique impossible.


References


External links


New Phishing Attack Targets Online Banking Sessions With Phony Popups


Computer security exploits Social engineering (security) {{Web-stub