In-session phishing is a form of potential phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session.[1] This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.[2]
The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.[3]
The technique, which exploited a vulnerability in the JavaScript handling of major browsers, was found by Amit Klein, CTO of security vendor Trusteer, Ltd.[4][5] Subsequent security updates to browsers may have made the technique impossible.