Trusteer Identifies New Phishing Attack that Infiltrates Secure Website Sessions
Method Injects Information Requests into All Major Browsers after a User has Logged On to Banking, Brokerage, or other Secure Web Applications

NEW YORK--(Business Wire)-- Trusteer, the customer protection company for online businesses, today announced that its research organization has identified a new phishing attack method designed to trick users into surrendering confidential information after they have logged on to an online banking, brokerage, or other sensitive web site. The technique, dubbed In-Session Phishing, can be used to inject into all major browsers legitimate-looking pop-up messages that request passwords, account numbers, etc., on behalf of the trusted website.

This next-generation phishing method, as well as techniques that can be used to protect against it, are explained in a free security advisory written by noted security researcher and Trusteer CTO Amit Klein. The advisory is available at: http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf.

"We have been investigating new phishing methods with a specific focus on what we call 'in-session' attacks, which are more likely to succeed since they occur after a user has logged onto a banking or other secure website," said Amit Klein, CTO of Trusteer and head of the company's research organization. "Our research has found that all the leading browsers, based on their design, are vulnerable to this technique. We have already notified the vendors and our customers, and now are alerting the public to practice safe web browsing techniques, especially when accessing financial applications."

In-Session Phishing Explained

A typical In-Session Phishing attack would occur as follows. A user logs onto their online banking application to perform some tasks. Leaving this browser window open, the user then navigates to other websites. A short time later a pop-up appears, allegedly from the banking website, requesting that the user retype their username and password because the session has expired, or complete a customer satisfaction survey, or participate in a promotion, etc. Since the user had recently logged onto the banking website, he or she will likely not suspect this pop-up is fraudulent and will thus provide the requested details.

In order for In-Session Phishing attacks to succeed, the following conditions are required:

1. A base website must be compromised from which the attack can be launched.
2. The malware (injected on the compromised website) must be able to identify which website the victim user is currently logged on to.

The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. The second condition, identifying which website a user is currently logged onto, is harder to achieve, but not impossible. A variety of techniques are available and documented for accomplishing this task. For more details see the Trusteer security advisory on In-Session Phishing.

About Trusteer

Trusteer enables online businesses to establish a secure communication tunnel with their customers over the Internet that stretches from the user's keyboard into the company's website. Trusteer's flagship product, Rapport, allows online banks, brokerages, and retailers to protect their customers from identity theft and financial fraud. Unlike conventional approaches to Web security, Rapport protects users' confidential information even if their computer is infected with malware, including Trojans and keyloggers, or is victimized by pharming or phishing attacks. Trusteer is a privately held corporation led by former executives from Cyota/RSA Security, Imperva, and NetScreen/Juniper. For more information visit www.trusteer.com.

Marc Gendron PR
Marc Gendron, 781-237-0341
marc@mgpr.net

Copyright Business Wire 2009