Phishing remains almost synonymous with "cyber attack" as bad actors work every angle they can to gain unauthorized access to sensitive data. One newer and more advanced form is in-session phishing, which is dangerous because it exploits the user's active, already-authenticated session rather than merely harvesting a password.
Here are the details.
What is In-Session Phishing?
In-session phishing is a type of attack in which cybercriminals target users during an active online session, typically while the user is logged into a secure service such as online banking, email, or an e-commerce platform.
Unlike traditional phishing, where attackers lure users into entering their credentials on a fake website and use them later, in-session phishing intercepts and manipulates the communication between the user and the legitimate service in real time.
In-Session Phishing Vs. Traditional Phishing
To appreciate the danger of in-session phishing, let’s expand on how it contrasts with traditional phishing.
Traditional phishing typically involves tricking users into visiting a fraudulent website that mimics a legitimate service. Users unknowingly enter their credentials, which the attacker captures and tries later. The limitation is that this often fails against Two-Factor Authentication (2FA): the attacker gains the password but not the second factor needed to complete the login, and a one-time code captured on the fake page has usually expired by the time it is tried.
In-session phishing, on the other hand, is more sophisticated. It relies on an adversary-in-the-middle (AitM, often still called man-in-the-middle or MitM) tactic: the attacker sits between the user and the legitimate service and relays the traffic of a live session in both directions.
For example, with a tool like Evilginx an attacker stands up a reverse proxy on a lookalike domain and lures the user there with a phishing link. The user sees the bank's genuine login page, relayed in real time from the bank's own servers, and types in their password and the one-time code from their second factor. The proxy forwards both to the bank, which accepts them because they are valid, and records them together with the session cookie the bank sets on the way back. The attacker then replays that cookie against the bank and is inside the account with no password and no 2FA prompt, because as far as the bank can tell the session was already authenticated. The user, meanwhile, is logged in normally and notices nothing.
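The flow described above, as an added example that is not part of the original article and not Evilginx's code: an in-memory simulation in which the bank, the reverse proxy and the attacker are plain Python functions, so nothing touches the network. The host names, the user's password and the OTP are constructed for the example.

```python
"""
Toy model of reverse-proxy ("adversary-in-the-middle") phishing.
The bank validates password + OTP and issues a session cookie; the proxy
relays everything live and records what passes through; the attacker
then replays only the cookie. Hosts and credentials are made up.
"""
import secrets
from dataclasses import dataclass

REAL_HOST = "bank.example"          # assumed legitimate site
PHISH_HOST = "bank-secure.example"  # assumed attacker lookalike domain


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def parse_cookie(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (attributes like Secure are ignored)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out


class Bank:
    """Origin server: checks password and OTP, then sets a session cookie."""

    def __init__(self):
        self.users = {"alice": ("hunter2", "123456")}  # constructed password, current OTP
        self.sessions = {}

    def handle(self, method, path, headers, form):
        if method == "POST" and path == "/login":
            password, otp = self.users.get(form.get("user"), (None, None))
            if form.get("password") == password and form.get("otp") == otp:
                sid = secrets.token_hex(16)
                self.sessions[sid] = form["user"]
                set_cookie = f"session={sid}; Domain={REAL_HOST}; Secure; HttpOnly"
                return Response(302, {"Set-Cookie": set_cookie, "Location": "/account"}, "")
            return Response(401, {}, "bad credentials")
        if path == "/account":
            sid = parse_cookie(headers.get("Cookie", "")).get("session")
            user = self.sessions.get(sid)
            if user:
                return Response(200, {}, f"balance page for {user}")
            return Response(401, {}, "login required")
        return Response(404, {}, "")


class PhishProxy:
    """Attacker's reverse proxy. The bank still validates the real password
    and OTP; the proxy just watches the traffic and keeps the session cookie."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.loot = {}

    def handle(self, method, path, headers, form):
        forwarded = dict(headers)
        forwarded["Host"] = REAL_HOST  # victim thinks it is on PHISH_HOST; bank sees REAL_HOST
        response = self.upstream.handle(method, path, forwarded, form)
        if path == "/login":
            self.loot.update({k: form.get(k) for k in ("user", "password", "otp")})
        set_cookie = response.headers.get("Set-Cookie")
        if set_cookie:
            self.loot["session"] = parse_cookie(set_cookie).get("session")
            # Rewrite the cookie's domain so the victim's browser stores it for the lookalike host.
            response.headers["Set-Cookie"] = set_cookie.replace(
                f"Domain={REAL_HOST}", f"Domain={PHISH_HOST}")
        return response


def run_attack():
    """Victim logs in through the proxy with a valid OTP; attacker replays the cookie."""
    bank = Bank()
    proxy = PhishProxy(bank)
    victim = proxy.handle("POST", "/login", {"Host": PHISH_HOST},
                          {"user": "alice", "password": "hunter2", "otp": "123456"})
    if victim.status != 302:
        raise RuntimeError("victim login should have succeeded")
    # No password, no OTP: the bank only ever sees a cookie it issued itself.
    stolen = proxy.loot["session"]
    attacker = bank.handle("GET", "/account",
                           {"Host": REAL_HOST, "Cookie": f"session={stolen}"}, {})
    return {"loot": proxy.loot, "victim_set_cookie": victim.headers["Set-Cookie"],
            "attacker_status": attacker.status, "attacker_body": attacker.body}


if __name__ == "__main__":
    print(run_attack())
```

The point the simulation makes is that the OTP is never "cracked" or reused: it is spent once, legitimately, by the victim, and the attacker walks in on the resulting session. Any second factor whose proof is a code typed into the page is relayed the same way.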
Protecting Against In-Session Phishing
Given the sophistication of in-session phishing, users and organizations must adopt both basic and advanced security practices, which might include:
Verifying URLs
Always double-check the URL before entering credentials. The site must use HTTPS, but HTTPS alone proves nothing: proxy phishing kits obtain perfectly valid certificates for their own lookalike domains, so the padlock will be there. The domain name itself is what you must verify. Be cautious of domain name discrepancies such as the real name buried inside a longer host (the bank's name followed by someone else's domain), a name placed before an "@" so that the real host comes after it, and punycode ("xn--") hosts that render as look-alike characters. With a tool like CheckPhish, you can scan suspicious URLs to see if they're potentially harmful or not.
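The domain checks above, as an added example that is not part of the original article and has nothing to do with CheckPhish: an offline check that accepts only an HTTPS URL whose host really is the expected domain (or a subdomain of it) and names the trick it finds otherwise. The expected host "bank.example" is an assumption for the example.

```python
"""
Offline sanity check for a login URL. Flags the host-name tricks that
reverse-proxy phishing kits rely on. EXPECTED_HOST is an assumed value.
"""
from urllib.parse import urlsplit

EXPECTED_HOST = "bank.example"  # assumed: the only host the real login lives on


def check_login_url(url, expected_host=EXPECTED_HOST):
    """Return (ok, reason). ok is True only for https:// on the expected
    host or one of its subdomains. HTTPS is required but is not taken as
    proof of anything; the decision rests on the host name."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://bank.example@evil.test/ : text before '@' is userinfo, the host is evil.test
        return False, f"text before '@' is not the host; real host is {host!r}"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False, f"non-ASCII characters in {host!r} (possible homoglyph domain)"
    if host.startswith("xn--") or ".xn--" in host:
        return False, f"punycode label in {host!r} (possible homoglyph domain)"
    if host == expected_host or host.endswith("." + expected_host):
        return True, f"host {host!r} belongs to {expected_host!r}"
    if expected_host in host:
        # bank.example.evil.test: the real name is a prefix, the registrable domain is evil.test
        return False, f"{expected_host!r} appears inside {host!r} but the registrable domain differs"
    return False, f"unexpected host {host!r}"


if __name__ == "__main__":
    for candidate in ("https://www.bank.example/login",
                      "https://bank.example.evil.test/login",
                      "https://bank.example@evil.test/login",
                      "https://evil.test/bank.example/login"):
        print(candidate, "->", check_login_url(candidate))
```

The check is deliberately strict about suffixes: a host that merely contains the bank's name is rejected, because on the public web only the right-most labels decide who owns the domain.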
Use Strong, Unique Passwords
A strong, unique password does not stop a live proxy, since the user types it straight into the relayed page and the proxy captures it along with the session. What it does stop is reuse: a password leaked in an earlier breach cannot be tried against your other accounts, and a password captured by a proxy is useless elsewhere once you rotate it.
There is a second, more direct benefit of a password manager. It autofills a saved login only on the exact domain the login was saved for, so on a lookalike proxy domain it offers nothing. A manager that suddenly declines to fill your bank password is a strong signal that you are not on the bank's site.
Implement Robust Multi-Factor Authentication
Use MFA methods that resist phishing, not just methods that add a second step. SMS, email and authenticator-app codes can all be relayed by a proxy in real time; a FIDO2/WebAuthn authenticator (a hardware security key, or a platform passkey) cannot, because the credential is bound to the site's origin.
Take a hardware key like a YubiKey used in FIDO2/WebAuthn mode. When the bank's login page asks the browser to authenticate, the browser, not the page, fills in the origin it is actually on, and the key signs a challenge that covers that origin. A credential registered for the bank's real domain is never offered to a page on a lookalike domain, and even if an assertion were produced there, the bank would reject it because the signed origin is wrong. Unlike an SMS code, which can be intercepted through SIM swapping or simply relayed by the proxy, the key produces nothing an attacker can replay against the real site. The same YubiKey used only as an OTP generator is not phishing-resistant: a code is a code, whichever device produced it.
Monitor & Update
Regularly review account activity and enable alerts for logins and sessions from unfamiliar devices or locations. A session that was opened from one device and is suddenly used from another is the signature of a replayed cookie, and it is something the service, not the user, is best placed to detect. Also keep your operating system, browser and security software up to date to close vulnerabilities that could be exploited alongside an in-session phishing attack.
Last, network controls can add a layer of protection, but pick them for what they actually do. DNS or web filtering that blocks newly registered and known-phishing domains stops the phishing link from loading at all; a VPN or firewall by itself does nothing against a user voluntarily visiting a lookalike site that presents valid HTTPS.
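The monitoring idea above, as an added example that is not part of the original article: detection logic for a replayed session cookie, run over constructed log lines. The log format is made up for the example and the addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24); the rule binds each session ID to the client that logged in and flags any later use of the same ID from a different client.

```python
"""
Detect a session ID used by a client other than the one that opened it.
LOG_LINES and the line format are constructed for this example.
"""
import re
from collections import defaultdict

LOG_LINES = """\
2024-05-01T10:00:01Z sid=7f3a user=alice ip=203.0.113.5 ua="Chrome/124 Windows" path=/login status=302
2024-05-01T10:00:09Z sid=7f3a user=alice ip=203.0.113.5 ua="Chrome/124 Windows" path=/account status=200
2024-05-01T10:02:40Z sid=7f3a user=alice ip=198.51.100.77 ua="python-requests/2.31" path=/account status=200
2024-05-01T10:02:45Z sid=7f3a user=alice ip=198.51.100.77 ua="python-requests/2.31" path=/transfer status=200
2024-05-01T10:05:00Z sid=c2d9 user=bob ip=203.0.113.9 ua="Safari/17 macOS" path=/login status=302
2024-05-01T10:06:12Z sid=c2d9 user=bob ip=203.0.113.9 ua="Safari/17 macOS" path=/account status=200
""".splitlines()

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+) status=(?P<status>\d+)$')


def parse(line):
    """One log line -> dict of fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_hijacked_sessions(lines):
    """Bind each sid to the (ip, user agent) of its first sighting, which is
    the login, and report every later request for that sid from a
    different client. Returns {sid: [alert, ...]}."""
    login_client = {}
    alerts = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        sid = ev["sid"]
        client = (ev["ip"], ev["ua"])
        if sid not in login_client:
            login_client[sid] = client
            continue
        if client != login_client[sid]:
            alerts[sid].append({"ts": ev["ts"], "user": ev["user"], "path": ev["path"],
                                "login_client": login_client[sid], "seen_client": client})
    return dict(alerts)


if __name__ == "__main__":
    for sid, hits in find_hijacked_sessions(LOG_LINES).items():
        for hit in hits:
            print(f"ALERT sid={sid} user={hit['user']} {hit['ts']} {hit['path']} "
                  f"login={hit['login_client']} now={hit['seen_client']}")
```

A bare IP change is a weak signal on its own (phones roam, corporate VPNs rotate egress), which is why the rule keys on the IP and user agent together; in production you would add ASN or geolocation and treat the combination of a client change and a sensitive path such as a transfer as the high-severity case.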
A Moving Target
In-session phishing, as practised with tools like Evilginx, represents a dangerous evolution in phishing tactics. It defeats password-plus-code 2FA, whether the code arrives by SMS, email or an authenticator app, by relaying the code in real time and stealing the session that results.
Understanding how these attacks work, moving to phishing-resistant authentication, and watching for sessions that change hands are essential steps in safeguarding against this growing threat.