A bug in all major browsers could allow cybercriminals to use an ‘in-session phishing’ attack.
Trusteer has claimed that in-session phishing removes the traditional scam email and uses a pop-up browser window.
Amit Klein, chief technology officer at Trusteer, claimed that the pop-up window would be made to look legitimate and would ask the user to enter their password and login information, and possibly the security questions that banks use to verify the identity of their customers.
Klein claimed to have notified the operators of the major browsers, but in the meantime, criminals who discover the flaw could write code that checks whether web surfers are logged into secure sites.
“Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user is currently logged into one of 100 financial institutions. The fact that you're currently in-session lends a lot of credibility to the phishing message”, added Klein.