Pop-up phishing risk points to web fraud evolution

system · January 15, 2009, 2:07am

The Register:

Fraudsters have the potential to develop techniques for mounting phishing attacks using pop-up dialogue boxes instead of spoofed emails, security start up Trusteer warns. Although the firm isn’t able to cite example of the possible next-generation attack, which it describes as in-session phishing, that attack scenario is plausible enough to merit a closer look.

In-session phishing, like drive-by download attacks, first relies on planting malicious code on targeted web sites. But instead of redirecting surfers to maliciously constructed websites under the control of hackers, where browser vulnerabilities might be used to load malware on poorly secured Windows PCs, the hostile code is used to generate rogue pop-up browser windows.

Prospective marks would be invited to hand over their online login credentials in response to this dialogue box. The approach eliminates the need to smuggle fraudulent emails past spam filters and has the advantage of novelty in catching out the unwary, to say nothing of plausibility since the pop-up would appear to come from a user’s bank. The approach also has the advantage of doing away with the scatter-gun approach of conventional phishing attacks.

[MORE]

fazio93 · January 15, 2009, 5:00am

Judging from the description of the technique used, I’m guessing CMF/SS + FF’s NoScript could prevent this.