Trusteer has found a new phishing attack method that infiltrates secure website sessions and is designed to trick users into surrendering confidential information after they have logged on to an online banking, brokerage, or other sensitive website. The technique, dubbed In Session Phishing, can have unpredictable consequences: it can be used to inject legitimate-looking pop-up messages into all major browsers that request passwords, account numbers, and similar details on behalf of the trusted website.
The method, described as the next generation of phishing, is detailed in a free security advisory written by noted security researcher and Trusteer CTO Amit Klein. The advisory also covers techniques that can be used to protect against it.
The advisory explains how a typical In Session Phishing attack affects users. A user logs on to their online banking application to perform some tasks. Leaving that browser window open, the user then navigates to other websites. This is where the new attack method comes in: a short time later a pop-up appears, allegedly from the banking website, asking the user to retype their username and password because the session has expired, to complete a customer satisfaction survey, to participate in a promotion, or the like. Because the user recently logged on to the banking website, they are unlikely to suspect that the pop-up is fraudulent and will probably provide the requested details.
This method is effective because more than two million legitimate websites are known to have been compromised by criminals, with hundreds more being compromised every day. It is also very hard to identify which website a user is currently logged on to.