More reasons to love Flash
Tputh.com pointed to the following site, which is now down:
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack
You can, of course, get Google’s cached version here:
http://webcache.googleusercontent.com/search?q=cache:Z4lufF2NUowJ:www.azarask.in/blog/post/a-new-type-of-phishing-attack/+http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/&cd=1&hl=en&ct=clnk&gl=us&client=safari
Aza Raskin, Creative Lead of Firefox, describes a Trojan horse attack whereby the scripts on an ostensibly innocuous site wait to see when you have started looking elsewhere (navigated to other tabs, other open windows, etc.), and when this is detected, the content on the site is replaced with a lookalike of a login window for Gmail, Facebook, online banking, whatever it detects that you use and currently have open. When you “log in” to the service, the site just forwards you to the real site, where you are still logged in as before, so it will appear that you have successfully re-logged in. But now the phishing site has your credentials, and you are none the wiser.
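As an added example (not from Raskin's post or from this blog), here is a defender-side heuristic in JavaScript for spotting the behaviour just described: it assumes a browser-extension content script with access to `document` and the Page Visibility API, and the sample snapshots it ships with are constructed, not captured from any real site.

```javascript
// Added example (not from the original post): a defender-side heuristic for the
// attack described above. The tell is a page that rewrites itself into a login
// lookalike only while the tab is hidden, so we snapshot the page when it loses
// visibility and compare when it regains it.

// Login-relevant features of a real DOM `document`: title, favicon, password inputs.
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare the snapshot taken when the tab went hidden with the one taken when it
// became visible again. Returns the suspicious changes found (empty = clean).
function tabnabbingIndicators(hiddenAt, visibleAt) {
  const reasons = [];
  if (hiddenAt.title !== visibleAt.title) reasons.push('title changed while hidden');
  if (hiddenAt.favicon !== visibleAt.favicon) reasons.push('favicon changed while hidden');
  if (visibleAt.passwordFields > hiddenAt.passwordFields) {
    reasons.push('password field appeared while hidden');
  }
  return reasons;
}

// Wire the heuristic to the Page Visibility API. `report` receives the reasons;
// an extension could surface them in the UI or suppress credential autofill.
function installWatcher(doc, report) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = takeSnapshot(doc); // remember what the user left behind
    } else if (hiddenSnapshot) {
      const reasons = tabnabbingIndicators(hiddenSnapshot, takeSnapshot(doc));
      if (reasons.length > 0) report(reasons);
      hiddenSnapshot = null;
    }
  });
}

// Constructed sample snapshots (not captured from any real site): a harmless
// page that turned into a webmail-style login form while unattended.
const SAMPLE_HIDDEN = { title: 'Cat pictures', favicon: 'https://example.test/cat.ico', passwordFields: 0 };
const SAMPLE_VISIBLE = { title: 'Sign in to your mail', favicon: 'https://example.test/mail.ico', passwordFields: 1 };
if (typeof document !== 'undefined') {
  installWatcher(document, (reasons) => console.warn('Possible tabnabbing:', reasons));
}
```

Run as a content script it only fires when something changed behind the user's back; a page that sat still while hidden produces no report.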
Here’s the money quote:
Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evildoer to use your website as a staging ground for this kind of attack. If you are the evildoer, you can have this behavior only occur once in a while, and only if the user uses a targeted service. In other words, it could be hard to detect.
Yeah, the point is that your site doesn’t have to be the bad site … if you have a Flash script, say, from an advertiser that you don’t know well, that script could be the one to take over the session. Woo hoo! I agree with his conclusion:
… it’s time for the browser to take a more active role in being your smart user agent; one that knows who you are and keeps your identity, information, and credentials safe.
Or, you know, just disable Flash. Or buy an iPad.