Another year, another form of phishing. This one, I have to admit, is pretty good in terms of potentially fooling a user. Unlike most phishing attack vectors, it doesn't rely on the victim being ignorant and/or moronic. The new technique has been dubbed "in-session" phishing and it stays out of your e-mail altogether.

Security researchers with Trusteer have published a report (PDF) on this new type of phishing along with a suitably vague description of how the attack works. As its name implies, in-session phishing requires that the victim first log into a secure website; Trusteer uses an online bank site as one example of a tasty target.

Here's how the attack works: A user legitimately logs into his bank, authenticates, and then does whatever he logged in to do. Once finished, he opens another browser tab (or browser window) and leaves the bank website open. Shortly thereafter, he encounters a website that has been injected with the malicious code in question. Once run, the malware creates a pop-up, supposedly from the bank or secure site that's still open in another tab or window. The "authentic" pop-up prompts the user to enter his login credentials again in order to resume the session. Trusteer notes that the attack could be used to present different types of lures including online surveys or mini-flash games (punch the Yeti, enter your personal data, and win a free Llama!).

In order for the attack to function, Trusteer states that two conditions must be met. First, a website must be compromised and infected—the higher traffic the better, obviously. Secondly, the downloaded malware must be able to identify whether or not the unknowing carrier is logged into a relevant website. Trusteer does not state how long the window of opportunity is open for this particular attack to execute, but does note that the malware infection is temporary.

Trusteer explains how the bug works. It is present in the JavaScript engine used by popular browsers like IE, Firefox, and Safari, as well as Chrome, and allows a site to determine whether a user is also logged into another site.

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

The researchers recommend that users and companies deploy appropriate web security tools (which the company happens to sell), immediately log out of any secure sites once you've finished your tasks (good advice), and to be extremely wary of pop-ups that randomly drop in if you haven't clicked anything.

The JavaScript vulnerability that Trusteer has discovered obviously needs patching, but in-session phishing doesn't appear to be a major threat. In order to function successfully, the malware requires that a user have simultaneous browser windows open to both a login/secure site and an infected site, and that the secure site is on the malware's pregenerated list of targets. There are some rather simple ways for banks and other targeted institutions to fight back; options include rapid disconnects if a user becomes idle and prominent notifications of the company's login policy.

Many companies (Blizzard and AOL come to mind) prominently and repeatedly inform customers that neither the company nor its representatives will ever, ever, ask a user to disclose their password. A similar warning against in-session phishing might state that the company will never ask users to log in via a pop-up or any third-party service. Between currently available solutions and inevitable patches, I think in-session phishing is going to find its nets mostly empty.