A BUG FOUND in all major browsers could make it easier for criminals to steal online banking credentials using a new type of attack called "in-session phishing," according to researchers at security vendor Trusteer.
In a traditional phishing attack, the scammers send out millions of phony e-mail messages disguised to look like they come from banks or online payment companies. Those are often blocked by spam-filtering software, but with in-session phishing, the e-mail message is taken out of the equation, replaced by a pop-up browser window.
Here's how an attack would work: The bad guys would hack a legitimate Web site and plant HTML code that looks like a pop-up security alert window. The pop-up would then ask for the user's login name and password, and possibly the answers to other security questions that banks use to verify the identity of their customers.
But thanks to a bug found in the JavaScript engines of most browsers, there is a way to make this more believable, said Amit Klein, Trusteer's chief technology officer.
Klein has notified browser makers and expects the bug will get patched.
Until then, criminals who discover the flaw could write code that checks whether Web surfers are logged into a given site. "Instead of just popping up this random phishing message, an attacker can get more sophisticated by probing and finding out whether the user is currently logged in," he said. Klein said his technique doesn't always work, but it can be used on many sites, including banks, online retailers, gaming and social networking sites.