SECURITY AWARENESS ALERT
OVERVIEW:
This security advisory discusses a sophisticated and highly effective phishing attack technique that is carried out while a user is in an active session with a secure banking, brokerage, or other sensitive web application.
DETAILS:
"Phishing" is by far the easiest way to steal login credentials for accessing secure online accounts. Recently there has been evidence of a "next generation" of phishing attacks, with a special focus, that are being called "In-Session" attacks.
A typical attack scenario would occur as follows.
A user logs on to their online banking to perform some tasks. While still logged on, the user begins to navigate to other websites, surf the web, look at email, etc. A short time later a popup appears that looks as if it is from the banking website. It asks the user to retype their username and password because the session has expired, or to complete a customer satisfaction survey, or to participate in a promotion, etc. Since the user had recently logged on to the banking website, he/she will likely not suspect that this popup is fraudulent and will thus provide the requested information, which the bad guy has now "stolen" without the user knowing.
To protect yourself:
- ALWAYS "Log Off" of any password-protected website when you are finished with your transactions, and enter your user name and/or password only on the login screens.
- Be extremely suspicious of popups that appear in a web session if you have not clicked on a hyperlink that would prompt you to enter personal information.
- Know that Mother Lode Bank does not ask for any personal information in a popup.
If you get a popup like the one explained above, or one that is suspicious in nature, report it to the company immediately.