Slashdot Mirror


Phishing For Bank Info Without Any Pesky Malware

Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."

12 of 232 comments

  1. XSS by AKAImBatman · · Score: 4, Informative

    Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love.

    A cross-site scripting attack sounds like a pretty typical attack vector to me. Javascript should not be able to "detect" if they have a banking site open. Pure and simple.

    1. Re:XSS by Anonymous Coward · · Score: 1, Informative

      The script doesn't access the image, it just gets the information that loading the image succeeded or resulted in an error. Third party images are a very common thing on the web. You may be able to find an option in your browser for disabling third party content (everything not coming from within the same domain/path as the HTML document holding it all together), but if you turn off third party content, many pages will stop working or miss lots of pictures (on the plus side, you won't be seeing many ads either).

      A naive approach would be to limit the events fired by the image (onerror and onload) to scripts which have the same origin as the image. That wouldn't stop the attack though, because images influence the layout: The script could test if the image has loaded by looking at pixel distances on the page. A similar attack can be used to see if you have visited a particular page within the time that your browsing history covers (usually 7-14 days). To do that, a script can look at the color of a link. If it's the color of visited links, you've been there. This attack does not load anything from the server, so it would be a useful pre-test to see if you actually use online banking and at which bank. Then the image loading detection routine only needs to be performed for that bank.

      In essence, if you do anything that you have to log in for, turn off your browsing history and browse like it's 1994: One page at a time, no tabs.

  2. Re:The Best Defense is Offense by Anonymous Coward · · Score: 2, Informative

    I've heard of something like this before.
    Though there's this magical thing called noscript.
    If people would stop putting law before them to prevent them from making stupid choices then we might have a more informed society.
    (I ironically didn't read TFA.)

  3. Simple Solution... by Klootzak · · Score: 4, Informative

    Don't have multiple tabs/windows open while you're doing your online banking!!!

    Oh, and use NoScript!

    --
    A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
    1. Re:Simple Solution... by Klootzak · · Score: 4, Informative

      Yelling "Install NoScript you n00bs!!!" won't register noobs... because they're newbs.

      Well, I wouldn't call them n00bs firstly... and secondly, most of the technically-savvy geeks/nerds I know read Slashdot and find out new and interesting stuff from here.

      One of the best things about Slashdot is if you write something on here, A LOT of people will take notice. So if providing solutions/information that people can read and take away to tell other non-technically-savvy individuals helps protect at least one person from being scammed, I'm more than happy to yell on Slashdot about it ;)

      --
      A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
  4. Re:The article doesn't describe the actual exploit by dmomo · · Score: 2, Informative

    I agree. Most XSS attacks would require the banking site to have a vulnerability. This article implies that all one needs is a vulnerability on the first (high-profile) site.

  5. Re:Already dedicate browser sessions to banking on by totally+bogus+dude · · Score: 4, Informative

    It's explained in a few comments above. You just reference a resource (usually an image) that requires you to be logged in at the target site in order to access. If your attempt fails, the user isn't logged in at that site. If it succeeds, you know the user is currently logged in.
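
The image-loading check described in this comment and in the earlier Anonymous Coward reply, modelled as an added example (not code from the article or any commenter): a naive server handler for a logged-in-only image leaks the login state to any page that embeds it, and a hardened handler answers cross-site embeds identically whether or not a session exists. It assumes a session cookie named "sid" and a browser that sends the Sec-Fetch-Site request header; the session store is constructed.

```javascript
// Added example. Assumptions: session cookie is "sid"; the browser sends
// Sec-Fetch-Site ("cross-site" when another site embeds the image).
const VALID_SESSIONS = new Set(["s-4f2a"]); // constructed session store

function cookieValue(cookieHeader, name) {
  for (const part of (cookieHeader || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === name) return v.join("=");
  }
  return null;
}

// Naive handler: a logged-in user gets 200 no matter which page embedded the
// image, so a remote page's <img onload/onerror> observes the login state.
function naiveHandler(req) {
  const loggedIn = VALID_SESSIONS.has(cookieValue(req.headers.cookie, "sid"));
  return loggedIn ? { status: 200 } : { status: 403 };
}

// Hardened handler: for a cross-site request the response does not depend on
// the session at all, and Cross-Origin-Resource-Policy tells a compliant
// browser not to expose the resource to other sites in the first place.
function hardenedHandler(req) {
  const headers = {
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cache-Control": "no-store",
    "Vary": "Cookie, Sec-Fetch-Site",
  };
  const site = req.headers["sec-fetch-site"] || "none";
  if (site === "cross-site") return { status: 403, headers };
  const loggedIn = VALID_SESSIONS.has(cookieValue(req.headers.cookie, "sid"));
  return loggedIn ? { status: 200, headers } : { status: 403, headers };
}

// What a cross-site embedding page would learn from the image element:
// "onload" if the image came back, "onerror" otherwise.
function probe(handler, cookie) {
  const req = { headers: { cookie, "sec-fetch-site": "cross-site" } };
  return handler(req).status === 200 ? "onload" : "onerror";
}

// naive: logged in -> "onload", logged out -> "onerror" (leak)
// hardened: both -> "onerror"; same-origin requests still get 200
```

Marking the session cookie SameSite=Lax or Strict removes the leak at the browser side as well, because the cookie is then not attached to a cross-site image request at all.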

  6. Re:The Best Defense is Offense by thetartanavenger · · Score: 2, Informative

    NoScript breaks my online banking. Yeah it's a good idea and I tried to use it for a while, but I found that no matter what exceptions I gave it when it came to my bank, it refused to allow me access. Don't know why, but it kinda kills your argument if you have to turn NoScript off completely to use your online banking.

    --
    Who need's speling and grammar?
  7. Re:The Best Defense is Offense by DigitAl56K · · Score: 4, Informative

    Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.

    That slightly over-simplifies the protection that NoScript offers. For example, even when you allow script to run, NoScript still provides protection against certain types of XSS; you can use it to force cookies to be exchanged over HTTPS for certain domains; it can block some plug-in types (Java, Flash, Silverlight); it features click-jacking protection; and just a couple of days ago it even added protection against attacks on Twitter.

    So yes, you do have to make that trade-off, but even when you click "allow" you're potentially better off with NoScript installed than without it.

  8. Re:New ways to steal. by sincewhen · · Score: 2, Informative
    --
    Braden's law of data: All data spends some of its lifetime in an excel spreadsheet.
  9. No passwords by Haiyadragon · · Score: 2, Informative

    Over here in the Netherlands most banks (maybe all) don't use passwords. In my case I have a card reader that will generate a code after I give it my card, PIN number and a code generated by the website. I have to do this to log in and to initiate transactions. That makes this attack pretty useless. Also, a prompt should always clearly indicate by which website it was called and it shouldn't block other tabs.

  10. Re:The Best Defense is Offense by blueg3 · · Score: 2, Informative

    When you're currently visiting one site, and open a new tab and go to a different site, those two open tabs should have no capacity to share information -- they should function as if they were separate browser sessions. (Obviously this isn't the same as if you clicked on something in a tab that causes another tab or window to open, as they may need to share knowledge. But then, the fact that those two tabs/windows are tied to the same context should be made apparent to the user.)