In-session phishing explained

In-session phishing is a form of potential phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session.^[1] This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.^[2]

The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.^[3]

The technique, which exploited a vulnerability in the JavaScript handling of major browsers, was found by Amit Klein, CTO of security vendor Trusteer, Ltd.^{[4] [5]} Subsequent security updates to browsers may have made the technique impossible.

External links

• Eisen . Ori . In-session phishing and knowing your enemy . Network Security . March 2009 . 2009 . 3 . 8–11 . 10.1016/S1353-4858(09)70027-3 .
• New Phishing Attack Targets Online Banking Sessions With Phony Popups
• New in-session phishing attack could fool experienced users

Notes and References

1. Web site: Cert-IST . Publication content . 2024-07-18 . Cert-IST . fr . 2024-07-18 . https://web.archive.org/web/20240718073655/https://www.cert-ist.com/public/en/SO_detail . dead .
2. Web site: Hruska . Joel . 2009-01-13 . New in-session phishing attack could fool experienced users . 2024-04-16 . Ars Technica . en-us.
3. . Arellano . Nestor . McMillan . Robert . In-session phishing a new threat to online businesses . Network World Canada . 25 . 3 . 6 February 2009 .
4. News: Kaplan . Dan . New phishing ploy exploits secure sessions to hijack data . iTnews . 14 January 2009 .
5. Web site: Archived copy . 2009-01-20 . dead . https://web.archive.org/web/20090122022921/http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf . 2009-01-22 .