[pchelpers] Article:Phishing without bait: The in-session password theft attack
- From: John Durham <john.modec@xxxxxxxxxx>
- To: PC-Helpers <pchelpers@xxxxxxxxxxxxx>
- Date: Sat, 17 Jan 2009 07:14:49 +1300
January 16th, 2009
Posted by Ryan Naraine @ 8:39 am
Skilled identity thieves can pilfer user names, passwords and other
sensitive data for banking sites without using e-mail lures and other
social engineering tactics.
According to a security advisory from Trusteer, hackers can launch what
is described as “in-session phishing attacks” using pop-up messages
during an active browser session. Although the attack technique is somewhat
sophisticated — it requires that a base Web site is compromised and the
attacker must know which Web site the victim user is currently logged
into — in-session phishing can be highly effective because the average
end user is likely to enter credentials without a second thought.
Here’s how it works:
(more here)
http://blogs.zdnet.com/security/?p=2390
--
John Durham
Site http://modecideas.com
Server hosted on Ubuntu 4.10
Good advice is like good paint. It only works when applied.