In-session phishing bug detected

News by Dan Raywood

A bug in all major browsers could allow cybercriminals to use an 'in-session phishing' attack.



Trusteer has claimed that in-session phishing dispenses with the traditional scam email and instead uses a pop-up browser window that appears while the victim is already logged in to the targeted site.


Amit Klein, chief technology officer at Trusteer, said the pop-up window would be crafted to look as if it came from the victim's bank, asking the user to re-enter their login name and password and possibly to answer the security questions that banks use to verify a customer's identity.


Klein said that a bug found in the JavaScript engines of all the most widely used browsers would make this type of attack more believable. He claimed to have found a way for a page on one site to identify whether the visitor is currently logged in to another website, provided that site uses a particular JavaScript function, although he refused to name the function publicly for fear that doing so would help criminals launch the attack.


Klein said he had notified the vendors of the major browsers, but until they ship a fix, criminals who discover the flaw could write code that checks whether web users are logged in to secure sites.


“Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user is currently logged into one of 100 financial institutions. The fact that you're currently in-session lends a lot of credibility to the phishing message”, added Klein.
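The probe-then-lure flow Klein describes can be modelled in a few functions. The block below is an added example written for this page, not code from the article or from Trusteer: because the JavaScript quirk Klein found was never published, it models the generic form of the leak instead (a cross-site resource whose response differs by login state) and adds the check a site owner would want, namely whether their own site acts as such a login-state oracle. The bank, the `/account/summary.js` resource, the session cookie values and the `SameSite` handling are all constructed for the simulation; nothing here touches a network.

```javascript
// Simulation of in-session phishing's probe step and a defender's self-check.
// Constructed data: the set of live session cookie values the bank recognises.
const SESSIONS = new Set(["sess-alice"]);

// Simulated bank. cookieSameSite is the SameSite attribute the bank sets on its
// session cookie; it governs whether a browser attaches that cookie to a request
// initiated by a different origin.
function makeBank(cookieSameSite) {
  return {
    cookieSameSite,
    // /account/summary.js answers 200 to a logged-in user and redirects everyone
    // else to the login form. That difference is the oracle an attacker reads.
    handle(path, cookie) {
      const loggedIn = cookie !== null && SESSIONS.has(cookie);
      if (path === "/account/summary.js") {
        return loggedIn ? { status: 200 } : { status: 302, location: "/login" };
      }
      return { status: 404 };
    },
  };
}

// Simulated browser behaviour for a subresource load (script, img, iframe)
// started from the attacker's page. Only a SameSite=None cookie travels on such a
// cross-site request; Lax and Strict cookies are withheld.
function crossSiteLoad(bank, path, cookieInJar) {
  const attach = bank.cookieSameSite === "None";
  return bank.handle(path, attach ? cookieInJar : null);
}

// Attacker-side probe from the article: test each candidate institution and keep
// those the victim is currently in-session with. A real page would learn the
// outcome from the script element's onload/onerror events rather than from a
// status code; the information gained is the same.
function probeLoggedIn(targets, cookieJar) {
  const hits = [];
  for (const [name, bank] of Object.entries(targets)) {
    const cookie = Object.prototype.hasOwnProperty.call(cookieJar, name) ? cookieJar[name] : null;
    const resp = crossSiteLoad(bank, "/account/summary.js", cookie);
    if (resp.status === 200) hits.push(name);
  }
  return hits;
}

// Chooses which brand the pop-up imitates: an in-session site first, because,
// as Klein notes, being in-session lends the message credibility.
function chooseLure(hits) {
  return hits.length > 0 ? { brand: hits[0], inSession: true } : { brand: null, inSession: false };
}

// Defender's self-check: load the same resource cross-site once with a live
// session in the jar and once without. If the responses differ, the site is a
// login-state oracle for any page the user happens to visit.
function leaksLoginState(bank, path) {
  const withSession = crossSiteLoad(bank, path, "sess-alice");
  const withoutSession = crossSiteLoad(bank, path, null);
  return withSession.status !== withoutSession.status;
}

// Stand-alone run: a bank that sets SameSite=None next to one that sets Lax.
const banks = { LeakyBank: makeBank("None"), FixedBank: makeBank("Lax") };
const victimJar = { LeakyBank: "sess-alice", FixedBank: "sess-alice" };
const hits = probeLoggedIn(banks, victimJar);
console.log("attacker sees victim in-session at:", hits); // ["LeakyBank"]
console.log("lure:", chooseLure(hits));
for (const [name, bank] of Object.entries(banks)) {
  console.log(name, "leaks login state:", leaksLoginState(bank, "/account/summary.js"));
}
```

Two caveats. The `SameSite` cookie attribute did not exist when this article was written, so it is a present-day mitigation rather than one the article discusses; at the time the only site-side fix was to make responses to cross-origin loads identical whether or not a session exists, which is exactly what `leaksLoginState` tests for. And because Klein's oracle came from a browser JavaScript-engine bug rather than from cookie handling, a site passing this self-check is protected against the generic leak modelled here, not necessarily against the undisclosed one.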

