In-session phishing

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In-session phishing is a form of phishing attack which relies on one web browsing session being able to detect the presence of another session (such as a visit to an online banking website) on the same web browser, and to then launch a pop-up window that pretends to have been opened from the targeted session. This pop-up window, which the user now believes to be part of the targeted session, is then used to steal user data in the same way as with other phishing attacks.

The advantage of in-session phishing to the attacker is that it does not need the targeted website to be compromised in any way, relying instead on a combination of data leakage within the web browser, the capacity of web browsers to run active content, the ability of modern web browsers to support more than one session at a time, and social engineering of the user.

The technique was originally documented by Amit Klein, CTO of security vendor Trusteer, Ltd.[1]


Initial process of how phishers prepare the ground for their attacks. Phishing attacks can be subdivided into three phases:[2]

  • Creation of a bogus web site that mimics the website of the bank that is the target of the attack.
  • Uploading of the web page onto one's own site or else the compromising of an existing site.
  • Mass emailing to lure the unwary to the bogus site.

Using the combination of all three techniques allows the attacker to carry out his plan. The attack's success, however, depends on factors such as; credibility of the site, contents of the email message, and the user's critical analysis capacity and IT proficiency.


  1. ^ "Archived copy" (PDF). Archived from the original (PDF) on 2009-01-22. Retrieved 2009-01-20. 
  2. ^ "Phishing in depth". Network Security. 2009: 19–20. doi:10.1016/S1353-4858(09)70055-8. 

External links[edit]