Thursday, January 15, 2009

Phishing 2.0 - PAN Fried

FYI: A Credit/Debit Card "Personal Account Number" is what creates the "PAN" acronym.

Over the past couple of months, I've posted that eCommerce and Browsers Don't Mix, and I've talked about how unsafe web browsers are...why you should NEVER enter your PAN into a browser window.


I've also pointed out that recent data shows that software is 92 times more likely to be breached than hardware.

So, if you're like me, you're probably starting to get the "pheeling" that browsers are an extremely unreliable platform for eCommerce.

That said...let me put it another way. 

I'm sure that you would agree that most of the time browsers are not even safe for browsing, let alone for typing in our PANs or PINs...

It seems like almost every day we read about how hackers are getting more sophisticated in the ways they try to obtain your personal information from financial sites:

Now comes a story from Kelly J. Higgins, published by Dark Reading, which explains how the next generation of phishing attacks is so-phisticated that it targets users in real time. (They call it "In-Session Phishing," because it targets online banking sessions with phony pop-ups...but I'll call it PAN Fried, Phishing 2.0.)

Here's a portion of the story from Dark Reading. Click the link below to read it in its entirety...

'In-session phishing' the latest Web-based method for phishers to steal users' banking credentials

Researchers have discovered a sophisticated, new method of phishing that targets users while they are banking (thus making payments) online -- sending phony "pop-up" messages pretending to be from their banks/payment providers. (So I guess the only thing "that's safe" to say about pop-ups is that they're "not safe"...and I'll bet you're glad I didn't say there's something fishy about them...aren't you?)

The so-called "in-session phishing" attack prompts the victim to retype his username and password for the banking site because the online banking session "has expired," for instance, via a pop-up that purports to be from the victim's bank site, according to researchers at Trusteer, which today published an advisory (PDF) on their findings about the potential for such a phishing attack.

From Trusteer's PDF:

"This is the next generation of sophisticated phishing attack," Klein says. "It combines an online vector -- the attacker waits for the user to come to a genuine site that's hacked -- and browser shortcomings to detect which site the user is logged into in a different window or tab. This provides a very powerful avenue to conduct a sophisticated attack."

The pop-up message could take other forms according to the researchers (such as a Graphical User Interface, I have to wonder out loud?) -- anything that could dupe the user into handing over credentials. In order for in-session phishing attacks to succeed, the following conditions are required:

1. A base website must be compromised from which the attack can be launched.

2. The malware (injected on the compromised website) must be able to identify which website the victim user is currently logged on to.

The first condition is easily achieved, since more than two million legitimate websites are known to be compromised by criminals, and hundreds more are being compromised every day. Each one of them can be used as a base for this attack.

Once the website is compromised, the attacker injects code into the website. This code does not change the appearance of the website and does not download malware to the user’s PC.

Therefore it is very hard to detect.

This code is designed to search for online banking websites that visitors are currently logged onto, and present them with a pop-up that claims to be from the banking website they are logged on to. These pop-ups ask for log-in and personal information.
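The excerpt above says the injected code changes nothing visible on the compromised site and is therefore hard to detect. One check a site owner can run that does catch it, shown here as an added example that is not from the Trusteer advisory or the Dark Reading story, is a baseline comparison of the scripts a page serves: record the script hosts and inline-script hashes of a known-clean copy, then re-audit the live page and flag any script from a new host or any inline script whose hash is not on the baseline. The sample pages, the hostnames and the function names below are constructed for illustration.

```python
"""Baseline audit of the scripts an HTML page serves.

Added illustration, not the Trusteer or Dark Reading code: a site owner
records the script hosts and inline-script hashes of a known-clean copy of a
page, then re-audits the live page and flags anything the baseline does not
account for. Injected code that leaves the page's appearance unchanged still
has to arrive as a script, so it shows up here.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script URLs and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []        # src attributes of <script src=...>
        self.inline_hashes = []   # sha256 of each non-empty inline <script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data (CDATA mode)
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            if body:
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
                self.inline_hashes.append(digest)


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def script_host(src):
    """Host part of a script URL; '' for same-origin relative paths."""
    return urlparse(src).netloc.lower()


def build_baseline(clean_html):
    """Return (allowed script hosts, known inline-script hashes) from a clean page."""
    external, inline = collect_scripts(clean_html)
    hosts = {script_host(s) for s in external if script_host(s)}
    return hosts, set(inline)


def audit_page(html, allowed_hosts, known_hashes):
    """List every script on the page that the baseline does not account for."""
    findings = []
    external, inline = collect_scripts(html)
    for src in external:
        host = script_host(src)
        if host and host not in allowed_hosts:
            findings.append(f"external script from unknown host: {src}")
    for digest in inline:
        if digest not in known_hashes:
            findings.append(f"inline script not in baseline: sha256={digest}")
    return findings


# Constructed sample pages (not real sites).
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.siteConfig = {"locale": "en"};</script>
</head><body><h1>Welcome</h1></body></html>"""

# Same page with two scripts added; nothing visible in the body changes.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="//static.attacker.invalid/p.js"></script>'
    "<script>/* injected code goes here */</script></body>",
)

if __name__ == "__main__":
    hosts, hashes = build_baseline(CLEAN_PAGE)
    print("clean page findings:", audit_page(CLEAN_PAGE, hosts, hashes))
    for finding in audit_page(INJECTED_PAGE, hosts, hashes):
        print("ALERT:", finding)
```

Run it as a script and the clean page produces no findings, while the injected copy produces one alert for the unknown host and one for the unknown inline script. In practice the baseline would be rebuilt on every legitimate deploy and the audit run against pages fetched from the public side of the site, since that is where the injected code is served from.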

Therefore, once again, I state for the record: "NEVER type your PAN or your PIN into a web browser..."


Is it Safe? Know...NO...Know!
PIN Debit Payments Blog -JBF

