Wednesday, January 14, 2009

"In-session Phishing" Vector

This morning I came across a couple of news stories concerning a new phishing vector referred to as "in-session phishing". In short, it relies on a counterfeit popup window, shown while the victim is using another site, that claims the current online banking session has expired and asks the victim to re-enter their credentials to continue.

This vector is defined in the advisory published by Trusteer dated December 29th.

When I first read the Dark Reading story ("New Phishing Attack Targets Online Banking Sessions with Phony Popups"), I was thinking "wow, interesting attack vector, I wonder why the phishers went down that route?", then as I re-read the story I came to realize that it's not an attack circulating in the wild, but one postulated by Trusteer.

So, what's the problem? Well, sure, this type of theoretical attack is possible - all the building blocks exist - and it would be easy enough to socially engineer victims into believing that it was a legitimate popup and steal their banking login credentials, but I don't think we're going to see this technique added to the phishers' arsenal or widely adopted (if ever).

Why? Mainly because there are easier vectors for attack. If you've gone to the trouble of either compromising a Web site or building a fake one from scratch, and managed to set up all your scripts etc., then you might as well go the whole hog, exploit the victim's Web browser and install a full banking Trojan. Just stealing the user's banking login credentials has practically no value today.

Yes, if the phisher used "in-session phishing" to harvest your login credentials they could probably access your account and view balances etc., but it's a wholly different thing to initiate a funds transfer and get it past the bank's transaction verification. This is why the bad guys rely upon drive-by-download vectors to install malware on hosts and use specialized banking Trojan malware that operates inside the victim's authenticated session.

So, if you strip away all the media hype, this "threat" isn't really one we're going to have to worry about. And besides, there are several other mitigating technologies for this vector.

Perhaps it was a slow news day yesterday in the lead-up to Microsoft's patch release.
