Phishing PopUps- Fake Requests for Personal Financial Information
What are Phishing Pop-ups?
Many browsers make use of tabs and popup windows. But how do you know if the
contents of the popup belong to the company identified on it?
Secunia, a web security company, recently issued a
security report detailing how most major web browsers with the
tabbed browsing feature (what
is this?) were susceptible to two different weaknesses that
phishers are now exploiting.
Which browsers are at risk?
The browsers identified in the
Avant Browser 9.02 build 101 and 10.0 build
Maxthon (MyIE2) 1.1.039
Mozilla Firefox 0.10.1
The only platform not a risk (which is a surprise, given its past track
record) is Microsoft's Internet Explorer; probably only because
IE doesn't even support tabs.
How Does the Scam Work?
There are two main methods employed:
A popup appears that is from a company that you have open in another tab
You may have several tabs or windows open with several different
websites; for example, PayPal, Google, Amazon.com and Ebay. Suddenly a popup
box opens, that looks like it is from PayPal, and it asks you, "for
verification purposes", to enter your password and
your credit card information. It may not have been from PayPal at all, and
you just gave the crooks your details. For an example of this, visit the
demo site at Secunia
using one of the browsers in the list above and follow the instructions.
They are able to do this because the browser doesn't tell the user which tab
is responsible for the popup box, and inactive tabs are allowed to spawn
- A login form or site's form appears not to be working
You may have several tabs or windows open with several different websites;
for example, PayPal, Google, Amazon.com and Ebay. You encounter a login form
on one of the sites; nothing unusual there. You type in your username and password, but
nothing shows up. So, you re-enter the information. But, still nothing. You
may just assume that the website has temporarily stopped working, so you
close the window and carry one elsewhere. but what may have happened is that
everything you typed actually went into a form
on a site found on one of the other open tabs. For a
for this, click on the link!
What Can you Do to Protect Yourself from this Phishing Theft
- Doesn't use the tab feature for sites with sensitive information - Obviously, since this problem only occurs in tabbed browsers, you could avoid
them... but the other browsers have different problems. Another solution is to
only open sensitive websites in their own windows; not in a separate tab of an
- Another simple solution is a browser plug-in from
Netcraft that displays information about the site being visited, such as
its geographic location. This won't prevent the popup, but If you notice
that your bank's site is being provided from Nigeria, you can assume that it
is not legitimate. Click
here to read more about the Netcraft toolbar.
- Be suspicious if a popup asks for your personal information.
- Act immediately if you've been hooked by a phisher. If you provided account numbers, PINs, or passwords to a phisher, notify
the companies with whom you have the accounts right away. For
information about how to put a "fraud alert" on your files at the credit
reporting bureaus and other advice for ID theft victims, contact the
Federal Trade Commission's ID Theft Clearinghouse,
www.consumer.gov/idtheft or toll-free, 877-438-4338. The TDD number
- See our What to do, if you
think you have been the victim of identity theft page!
- Even if you didn't get hooked, report phishing. Tell the company or agency that the phisher was impersonating. You can
also report the problem to law enforcement agencies through the National
Fraud Information Center/Internet Fraud Watch,
www.fraud.org or 800-876-7060, TDD 202-835-0778. The information you
provide helps to stop identity theft.
Reporting a Possible Phishing Attack
If you need advice about an Internet or online
solicitation, or you want to report a possible scam, use the
Reporting Form or call the NFIC hotline at 1-800-876-7060
For More Information About Phishing, See: