Go Fish — Phishing
by cisspfix on Nov.05, 2009, under Security
The in-session phishing attack is an everyday hoax. It exploits the trust a user places in a legitimate site by intruding mid-session in the form of a pop-up message. “Your session has timed out, please log on again” or “please reset your password” is what it might say. Because the pop-up appears to originate from the trusted site, the victim complies, sending login credentials not to the trusted server but to the bad guys.
We have to be more vigilant when using protected sites. We cannot assume that getting past the front door equates to a perpetually safe session until we log out. Web browsers need to start verifying the source of pop-ups and allow users to check their validity. But users would probably verify pop-ups about as often as they currently verify SSL certificates.
Unfortunately this added vigilance is akin to checking every room and looking around corners even when you’re at home, and it could prove to be too much for the average user. Let’s hope a technical solution arrives soon.
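One form such a technical solution could take, as an added example that is not part of the original post: before a credential form inside a pop-up is allowed to submit, resolve its action URL against the page the user actually trusts and flag any mismatch in origin, any downgrade to plain HTTP, or any non-web scheme. The trusted page URL, the prompt labels and the form actions below are constructed sample values, and the function names are my own.

```javascript
// Added example (not from the original post): a defender-side check for the
// "please log on again" pop-up. It runs under Node or in a browser, using the
// standard WHATWG URL class. All URLs below are constructed sample values.

const TRUSTED_PAGE = 'https://bank.example/account/summary'; // constructed

// Classify where a credential form would send its data, relative to the page
// the user believes they are logged in to.
function checkCredentialFormTarget(trustedPageUrl, formAction) {
  const page = new URL(trustedPageUrl);
  let target;
  try {
    // A relative action such as "/login" resolves against the trusted page;
    // an absolute action pointing elsewhere is the in-session phishing pattern.
    target = new URL(formAction, page);
  } catch (e) {
    return { ok: false, reason: 'unparseable-action', target: String(formAction) };
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    // javascript:, data: and similar schemes never belong on a login form.
    return { ok: false, reason: 'non-web-scheme', target: target.href };
  }
  if (target.origin === page.origin) {
    return { ok: true, reason: 'same-origin', target: target.href };
  }
  if (target.hostname === page.hostname && target.protocol === 'http:') {
    // Same host, but credentials would leave the browser unencrypted.
    return { ok: false, reason: 'https-downgrade', target: target.href };
  }
  // Different host or port (including look-alike hostnames).
  return { ok: false, reason: 'cross-origin', target: target.href };
}

// Audit a batch of prompts and return one verdict per prompt.
function auditLoginPrompts(trustedPageUrl, prompts) {
  return prompts.map((p) => ({
    label: p.label,
    ...checkCredentialFormTarget(trustedPageUrl, p.action),
  }));
}

// Constructed sample prompts: one genuine, three that should be blocked.
const SAMPLE_PROMPTS = [
  { label: 'genuine re-login form', action: '/account/login' },
  { label: 'look-alike host', action: 'https://bank-example-relogin.example/login' },
  { label: 'plain-http copy of the host', action: 'http://bank.example/login' },
  { label: 'script URL', action: 'javascript:void(0)' },
];

for (const verdict of auditLoginPrompts(TRUSTED_PAGE, SAMPLE_PROMPTS)) {
  console.log(`${verdict.ok ? 'ALLOW' : 'BLOCK'} ${verdict.label}: ${verdict.reason} -> ${verdict.target}`);
}
```

Only the first prompt is allowed; the other three are blocked with a reason the browser could show the user, which removes the need for the user to inspect the pop-up themselves.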