Researchers at Internet security vendor Trusteer warn that a bug they say is present in all major Web browsers could allow cyber crooks to steal users’ personal information via a new form of attack they’re calling in-session phishing.

Traditionally, crooks set up bogus Web sites that entice visitors to surrender their personal financial information. The visitors come to the sites as a result of spam messages that the crooks broadcast, containing deals that sound too good to be true — and, of course, are.

With in-session phishing, though, the crooks surreptitiously hack into legitimate Web sites and insert code of their own that causes bogus pop-up messages to appear, demanding that visitors enter user IDs, passwords, account numbers or other information before they are allowed to continue. That information is not really needed by the site, though, and is sent directly back to the crooks.

Another advantage to the crooks is that it may take some time for visitors to the legitimate sites to realize they’ve been robbed, giving the baddies more time to profit from the information they’ve stolen.

How do you protect yourself from in-session phishing attacks? Right now, the only way is to refuse to surrender any personal information at a Web site unless you are certain the site requires it to complete the business you want to conduct. Always report any new requests for information that pop up at the online banking, billing or other financial sites you use to the site administrators.

Of course, the sure way to avoid identity theft via in-session phishing is to not use online financial services. The choice is, ultimately, yours.

The full Trusteer report on in-session phishing is available at their Web site. Note: It’s in .PDF format, so you’ll need a recent version of the Adobe Acrobat Reader to view it.
