It's a new year and — what do you know — there's a new tactic in the endless quest for new and improved phishing schemes from scammers.

Here's How It Works

Researchers at Trusteer recently released a security advisory detailing this new phishing technique. Rather than using email to lure unsuspecting victims into clicking over to a fake web site, this technique uses what Trusteer is calling "in-session" attacks. Here's a typical scenario:

* A user opens a browser and logs into their banking web site
* Leaving that browser session open, they open another browser window to check on their Webkinz or some other web pursuit.
* After a time, a pop-up window opens — supposedly from their bank web site — asking for them to re-enter their username and password.
* Since the user has recently logged in to the targeted web site, they are more likely to enter their info.

That's it! Their login credentials are now in the hands of the scammers.

What Makes It Possible?

A few things have to be in place for this to work. First, the scammers need a compromised web server in order to install the malware. Fortunately, there are lots of those around. Second, the malware has to be able to determine which other sites the user has visited. This is possible based on a vulnerability in the JavaScript engine used by Internet Explorer, Firefox, Safari, and Chrome.

From Trusteer:

The source of the vulnerability is a specific JavaScript function. When this function is called it leaves a temporary footprint on the computer and any other website can identify this footprint. Websites that use this function in a certain way are traceable. Many websites, including financial institutions, online retailers, social networking websites, gaming, and gambling websites use this function and can be traced.

How Can You Protect Yourself?

Well, the planets have to align a bit to pull this scam off and it's likely the JavaScript vulnerability will be patched in the near (hopefully) future.

Until then, Trusteer recommends the following preventative measures:

* Have an up-to-date anti-virus installed
* Be suspicious of any pop-ups asking you to login

and most of all...
* Log out of banking or other sensitive sites before heading over to Pogo.com for your bingo fix.

Learn more about this attack by downloading Trusteer's security advisory http://www.trusteer.com/files/In-session-phishing-advisory-2.pdf