[WEB SECURITY] XSS-Phishing on Financial Sites (Tip of the iceberg)

Jeremiah Grossman jeremiah at whitehatsec.com
Fri Jun 23 13:53:35 EDT 2006

On the heels of the Paypal-XSS Phishing article...

Robert Auger (cgisecurity.com) pointed me to another timely article  
about Phishing attacks using XSS vulnerabilities [1]. The reporter  
does a good job of describing the finer details (with screenshots) on  
why the technique is so effective. The reporter even called out   
Visa.com, JPMorganChase.com, eBay, Nasdaq.com, BankofAmerica.com,  
American Express, Barclays, Microsoft.com as having XSS (details  
withheld).  Unsurprising since we know just about every website out  
there has XSS. These are the same techniques I described during last
year's Black Hat presentation "Phishing with Superbait" [2] and we can
expect a lot more of the same in the coming year.

While Phishing is one possible angle to XSS, new avenues of attack  
are emerging that are increasingly similar to the general  
capabilities of today's malware. Threats far more dangerous than we
originally anticipated when we began researching XSS years ago. For  
instance when you visit a website (even a trusted website) the page  
port scans your network and reconfigures your DSL/Router from the  
inside. This will be the subject matter of my talk this year at BH
"Hacking Intranet Websites from the Outside".

I think it was Bruce Schneier who said attacks always get better,  
never worse. The same holds true here.

[1] Flaws in Financial Sites Aid Scammers

[2] Phishing with Superbait


Jeremiah Grossman
Founder and CTO
WhiteHat Security, Inc.

