An interesting article over on darkreading.com provides details of possible new phishing tactics recently discovered by researchers:
http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=...
In a nutshell, "the novel part of this particular method is that it doesn't involve any of the typical attack vectors we all know and love. Instead, it uses JavaScript from a remote page to detect if you have a banking site open, and prompts you for info via popup if you do." [from slashdot]
It may seem like scary stuff, but this, like most phishing attempts, targets users who don't know about (or don't practice) basic internet safety practices. And like many online vulnerabilities, user education is probably the most effective way of dealing with it. Few people don't know basic safety practices when it comes to locking their car or using their bank cards, but it will no doubt take time for these practices to become second nature to the majority of internet users. (Many of these among the 1 In 3 Windows PCs that remain unpatched against the Downadup worm.)
Until browsers prevent data sharing across multiple tabs, a few simple steps go a long way to protecting yourself:
- Use Firefox with the NoScript addon.
- Always complete your online banking and then close your banking session before moving on to other sites.
- Treat as suspicious any dialog that pops up when you haven't clicked a link.
Here's a useful little document about it form the company who conducted the research: http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf
