A Portal to Your Passwords

Continued from page 1

Phishing 2.0: A vulnerability recently discovered by security company Trusteer would allow attackers to launch pop-ups matching those of a bank that a user is already logged in to, as shown above. Credit: Trusteer

The core vulnerability discovered by the Israeli researchers is a Web browser flaw that lets the phisher see what other websites a person is visiting. Klein explains that a certain JavaScript function, commonly used by online retailers, financial institutions, and other sites, leaves a footprint revealing that the user is logged in to that site. Klein says that protections such as pop-up blockers wouldn't necessarily derail the attack because the hacked site could itself be altered to seem like a request to log in again.

"I think it is great that we are trying to identify additional venues of phishing attacks such as this," says Nitesh Dhanjani, an independent security researcher who studies phishing methods and trends. For the time being, Dhanjani says, this kind of attack is beyond the technical abilities of the average phisher. "The bar is far too low to enter the phishing game, so the phishers have no reason to evolve into a sophisticated community," he says. However, as users are better protected against the most basic types of attack, he says, the technical bar for phishers could start to rise: "Perhaps this is when we will see slightly more advanced techniques incorporated into phishing kits."

Klein says that Microsoft, Apple, and Mozilla have told him that they plan to issue fixes for the browser vulnerability discovered by Trusteer. He adds that users can protect themselves by being careful to log out of banking and e-commerce sites before visiting other websites.