Phishing without bait: The in-session password theft attack

January 16, 2009
No Comment

Skilled identity thieves can pilfer user names, passwords and other sensitive data for banking sites without using e-mail lures and other other social engineering tactics.

According to a security advisory from Trusteer, hackers can launch what is described as “in-session phishing attacks” using pop-up messages during an active browser session. The attack technique is somewhat sophisticated — it requires that a base Web site is compromised and the attacker must know which Web site the victim user is currently logged into — in-session phishing can be highly effective because the average end user is likely to enter credentials without a second thought. [ZDNet]