Slashdot Mirror


Phishing For Bank Info Without Any Pesky Malware

Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."

1 of 232 comments

  1. Re:Simple Solution... by Anonymous Coward · Score: 0, Flamebait

    This, like most phishing attempts, targets users who don't know about NoScript or basic internet safety practices.

    Yelling "Install NoScript you n00bs!!1!" won't register with noobs... because they're newbs.

    You're onto something, but I'd like to kill the problem at its source: The fuckwit marketroid goons who demand the use of Javashit on the fucking login page in the first place.

    (I'm not a fundamentalist about this. There may be legitimate reasons why you might want to use Javashit, served via https, to customers who are already logged into a banking website. But there is no legitimate reason to use Javashit on a login page.)

    Sorry if I come across as bitter. I remember the first fucking time that Bank of America switched to the "new and improved" login page. I saw so many flashes to "www.liveperson.com" that I thought the box had been compromised.

    Turns out that the domain was a legitimate provider of "outsourced chatbot-in-india" services. The stupid marketing motherfuckers at BAC were loading third-party Javashit so that n00b customers too stupid to figure out "login" and "password" could resolve their confusion by "chatting with a live person". In so doing, they exposed all of their customers to risk, because one required Javashit to log into the damn site in the first place. I uttered a few more oaths too foul for even the tender ears here, and blocked the goddamn domain just out of spite.

    Anyways, you're right in that the root cause of this problem isn't n00bs who don't know how to install something like noscript. The root cause is the clueless twats at the banks, who disallow logins from users with Javashit deactivated.

    Seriously, you don't need Javashit to accept an entry - be it login, acceptance of a third-factor authentication, or a password - in an https:// form.

    Don't use Javashit on the login page, and then users won't have to enable the security hole in order to log into the website.