Phishing For Bank Info Without Any Pesky Malware
Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."
A cross-site scripting attack sounds like a pretty typical attack vector to me. JavaScript should not be able to "detect" whether you have a banking site open. Pure and simple.
Don't have multiple tabs/windows open while you're doing your online banking!!!
Oh, and use NoScript!
A Man's ethical behavior should be based effectually on sympathy, education, and social ties -- Albert Einstein
It's explained in a few comments above. You just reference a resource (usually an image) that requires you to be logged in at the target site in order to access. If your attempt fails, the user isn't logged in at that site. If it succeeds, you know the user is currently logged in.
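The probe described in that comment, written out as an added example (it is not code from the story or from any commenter). The attacker's page loads an image that the bank only serves to a logged-in session and watches whether it decodes; because a real `Image` needs a browser, the example also carries a small simulation of the bank's session check and of the browser's cookie rules so it runs under Node. It goes one step past the comment by modelling the `SameSite` cookie attribute, which decides whether the session cookie rides along on a cross-site image request at all. The origin `bank.example`, the `/account/avatar.png` path and the cookie name are hypothetical.

```javascript
// Added example, not code from the original story or comments.
// Login detection via an authenticated image, plus a simulation of the
// bank and the browser cookie rules so it runs in Node. Every origin,
// path and cookie name here is hypothetical.

const BANK_ORIGIN = "https://bank.example";
// Hypothetical endpoint: returns the user's avatar image for a valid
// session, otherwise redirects to an HTML login page.
const AVATAR_URL = BANK_ORIGIN + "/account/avatar.png";

// What the attacker's page does in a real browser. An <img> fires onload
// only if the response decodes as an image; a redirect to the HTML login
// page (or a 401/403) surfaces as onerror. ImageCtor is injectable so the
// same logic can be exercised outside a browser.
function probeLoggedIn(url, ImageCtor = globalThis.Image) {
  return new Promise((resolve) => {
    const img = new ImageCtor();
    img.onload = () => resolve(true);
    img.onerror = () => resolve(false);
    img.src = url + "?cb=" + Date.now(); // cache-buster: a cached copy must not answer
  });
}

// --- simulation of the two parties the probe depends on ---

// Bank side: serve the avatar only when a valid session cookie arrived.
function bankServesAvatar(cookiesSent) {
  return cookiesSent.get("session") === "valid-session-token";
}

// Browser side: which cookies from the bank's jar accompany a cross-site
// subresource request such as an <img> on the attacker's page. Only
// SameSite=None cookies do; Lax and Strict cookies are withheld, which is
// why a SameSite attribute on the session cookie defeats this probe.
function cookiesOnCrossSiteImage(jar) {
  const sent = new Map();
  for (const c of jar) {
    if (c.sameSite === "None") sent.set(c.name, c.value);
  }
  return sent;
}

// Synchronous end-to-end answer for a given cookie jar: does the probe
// report "logged in"?
function simulateProbe(jar) {
  return bankServesAvatar(cookiesOnCrossSiteImage(jar));
}

// Fake Image whose onload/onerror follow the simulation above.
function fakeImageFor(jar) {
  return class FakeImage {
    set src(url) {
      const sent = url.startsWith(BANK_ORIGIN) ? cookiesOnCrossSiteImage(jar) : new Map();
      queueMicrotask(() => {
        if (bankServesAvatar(sent)) this.onload();
        else this.onerror();
      });
    }
  };
}

// Three constructed scenarios (sample data, not captured from any site).
const scenarios = {
  "logged in, cookie SameSite=None": [{ name: "session", value: "valid-session-token", sameSite: "None" }],
  "logged in, cookie SameSite=Lax":  [{ name: "session", value: "valid-session-token", sameSite: "Lax" }],
  "not logged in":                   [],
};

async function main() {
  for (const [label, jar] of Object.entries(scenarios)) {
    const detected = await probeLoggedIn(AVATAR_URL, fakeImageFor(jar));
    console.log(`${label}: probe says ${detected ? "LOGGED IN -> attacker shows a fake re-auth popup" : "not logged in"}`);
  }
}

main();
```

The first scenario is the situation the story describes: the session cookie is sent on the cross-site image load, the avatar decodes, and the attacker's script knows to pop up its fake re-authentication prompt. The second shows the bank-side fix: the same logged-in user, but with the cookie marked `SameSite=Lax`, the browser withholds it from the image request and the probe reports nothing. The third is a plain not-logged-in user.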
Problem is, with NoScript you still have to decide whether you trust the site, and whether that level of trust is worth what the site is offering.
That slightly over-simplifies the protection that NoScript offers. For example, even when you allow scripts to run, NoScript still provides protection against certain types of XSS; you can use it to force cookies to be exchanged over HTTPS for certain domains; it can block some plug-in types (Java, Flash, Silverlight); it features clickjacking protection; and just a couple of days ago it even added protection against attacks on Twitter.
So yes, you do have to make that trade-off, but even when you click "allow" you're potentially better off with NoScript installed than without it.