If you take a look at the number of tabs open in your browser, you might realize that you have way more open than you’re actually using. Some might open automatically when you open a link, whereas others may be older tabs that you haven’t closed yet. Most of us don’t pay too much attention to our open tabs as we browse, and with the evolution of browsers, operating systems, and computer hardware, our computers have become more capable of handling activities such as having a dozen web pages open simultaneously.
However, what many may not realize is that the tabs you have open may interact with one another. Plenty of sites do this using website data like cookies, which sites leave on your computer to keep track of settings, sign-ins, and advertisements shown to you. Depending on your settings, third-party websites may be able to read this information, for example the advertising data, and show you relevant content on their page. The privacy-conscious might already be on edge knowing that third parties have access to their internet activity, but this takes on another dimension when we consider in-session phishing.
What is in-session phishing?
With in-session phishing, a cyberattacker can use one active session within your browser to recognize another session within the same browser. For instance, if you have a compromised web page open in a tab, web services connected to that page may recognize whether you use another tab to navigate to a banking site, or a site where you might put personal information, such as your phone number, address, or card numbers.
In such a scenario, the malicious site can launch a pop-up window that appears to come from the legitimate website in an attempt to obtain a username, password, or other information. This pop-up may look just like a legitimate page, making it logical to assume that it’s from the website you just opened. You can check this by looking at the site’s address in the top or bottom bar of your browser; if it appears to be altered from the correct domain, or is a different domain altogether, then it could be a product of in-session phishing.
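The address check described above, written out as an added example (it is not from the original article): it compares a pop-up's address with the site you meant to use and reports whether it is the same site, an altered look-alike, or a different domain altogether. The host `bank.example`, the function names and the sample URLs are constructed for illustration, and the look-alike rules are simple heuristics chosen for this example.

```javascript
// Added example: constructed host and URLs, heuristic look-alike rules.
const EXPECTED_HOST = "bank.example"; // placeholder for the site you meant to open

// Levenshtein distance, used to catch one- or two-character misspellings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns "same", "altered", "different" or "invalid".
function classifyPopupOrigin(popupUrl, expectedHost = EXPECTED_HOST) {
  let url;
  try {
    url = new URL(popupUrl);
  } catch {
    return "invalid";
  }
  const host = url.hostname.toLowerCase();
  const expected = expectedHost.toLowerCase();
  // Text before "@" is login data, not the site: the real host follows it.
  if (url.username || url.password) return "altered";
  if (host === expected || host.endsWith("." + expected)) return "same";
  const punycode = host.split(".").some((label) => label.startsWith("xn--"));
  const embedded = host.includes(expected); // e.g. bank.example.evil.test
  const misspelled = editDistance(host, expected) <= 2;
  return punycode || embedded || misspelled ? "altered" : "different";
}

const SAMPLES = [ // constructed sample addresses
  "https://secure.bank.example/login",
  "https://bamk.example/login",
  "https://bank.example.evil.test/login",
  "https://bank.example@evil.test/login",
  "https://b\u0430nk.example/login", // Cyrillic "a" in place of Latin "a"
  "https://news.test/",
];
for (const u of SAMPLES) console.log(classifyPopupOrigin(u).padEnd(9), u);
```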
What can I do to stay safe?
By far the most important thing you can do to protect yourself from an in-session phishing attack is to keep your browser and operating system up to date. As development teams discover methods such as in-session phishing, they patch their software to make such attacks more difficult, or even impossible; however, this doesn’t prevent attackers from finding a workaround.
Other tips include closing tabs you aren’t using anymore, as well as checking your browser’s settings for an option to block third-party cookies or trackers, which limits what other web pages can find out about your other browsing traffic.
Cybersecurity threats are ever-evolving, and in-session phishing is just one example; if you’re curious to learn more, take a look at our blog on the other kinds of phishing. If you’re looking for a partner with whom to develop a cybersecurity strategy, Cyber Sainik can work with you to find ways to protect your business and provide you peace of mind.