Online Banking Session Phishing Attack via Phony Popup Messages

Online banking users should be aware of a new variation of phishing attack called "in-session phishing," which targets online banking sessions through a popup window posing as a legitimate message from the bank.

This type of phishing attack begins when a legitimate banking website is infected with malicious JavaScript code. The malware exploits weaknesses in the browser that allow the attacker to see the webpage address (URL) where the victim is logged in. Once the phisher receives the URL, a popup posing as the bank is generated automatically. When a customer visits the online banking site and attempts to log into his account, he is instantly prompted by a malicious popup window asking him to retype his username and password for the site, on the pretext that his session has expired. If the user enters his credentials in the phony popup window, the phisher obtains the victim's login information.

Because this is a browser-based attack, the best way to defend against it is for customers to be aware of it. A few best practices in browser security include the following:

1. Users should be suspicious of unprompted popup windows that appear without clicking on a hyperlink. When logging in to Online Banking, enter your Access ID, then press "Submit." A new window will appear in which you will be prompted either to answer one of your security questions or to enter your password. Nowhere past this stage should you encounter any popup windows. If you do, please contact First Hope Bank immediately.

2. Deploy browser security tools and set security settings to disallow certain popups and scripts from running.

3. Users should always log out of online banking and other sensitive websites and accounts before navigating elsewhere online so sessions do not remain active.

For more information on maintaining your online security, please visit our "Protecting Yourself" page of online security tips.