Italian Bank's XSS Opportunity Seized by Fraudsters

A very convincing phishing attack used a cross-site scripting (XSS) vulnerability on an Italian bank's own website in an attempt to steal customers' bank account details. The attack relies on a specially crafted URL pointing at a vulnerable page on the bank's site: the vulnerable page reflects a GET parameter into its HTML, which lets the attacker load an IFRAME containing a fake login form. Because the page is served from the bank's real domain over HTTPS, the browser shows the genuine address and the padlock icon, so the injected content looks authentic.

It was noted by NetCraft:

This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.

Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates - while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site - including Extended Validation certificates - would display a padlock icon and apparently assure the user that the injected login form is genuine.

Italian Bank's XSS Opportunity Seized by Fraudsters - [NetCraft]
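The mechanism NetCraft describes is a reflected GET parameter pasted into the page unencoded. The following is an added example, not code from the original post, from NetCraft, or from the bank in question; the page layout, the `q` parameter, and the `bank.example` / `phish.example` hostnames are constructed placeholders. It shows the defective reflection beside a hardened version that HTML-encodes the value and adds a Content-Security-Policy forbidding frames, so that the same request no longer produces a live IFRAME on the bank's origin.

```python
"""Reflected XSS on an HTTPS origin: the vulnerable pattern and its fix.

Added example, not from the original post or the affected site. Parameter
name, page markup and hostnames are constructed for illustration.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlparse

# Constructed input of the kind the post describes: an IFRAME pointing at a
# third-party page, delivered through a reflected query parameter. The
# hostnames are placeholders, not real ones.
INJECTED_MARKUP = '<iframe src="https://phish.example/login"></iframe>'

# Constructed request URL for a hypothetical search page on the bank's site
# that echoes the "q" parameter back into its HTML.
SAMPLE_URL = "https://bank.example/search?q=" + quote(INJECTED_MARKUP, safe="")


def query_of(url: str) -> str:
    """Return just the query string of a URL (helper for the demo below)."""
    return urlparse(url).query


def reflected_term(query: str) -> str:
    """Extract the first value of the 'q' parameter, percent-decoded."""
    return parse_qs(query).get("q", [""])[0]


def render_vulnerable(query: str) -> str:
    """The defective pattern: the parameter is inserted into the HTML as-is.

    Whatever the attacker places in 'q' becomes live markup served from the
    bank's own domain over HTTPS, complete with the browser's padlock icon.
    """
    return f"<h1>Results for {reflected_term(query)}</h1>"


def render_hardened(query: str) -> tuple[dict, str]:
    """Output-encode the reflected value and forbid framing via CSP.

    Returns (response headers, body). html.escape() turns <, >, &, ' and "
    into entities, so the value is displayed as text rather than parsed as
    markup. The CSP is defence in depth: even if some other reflection were
    missed, the browser would refuse to load frames or inline scripts.
    """
    body = f"<h1>Results for {escape(reflected_term(query), quote=True)}</h1>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": (
            "default-src 'self'; frame-src 'none'; script-src 'self'"
        ),
    }
    return headers, body


def contains_live_iframe(html_body: str) -> bool:
    """Crude check used to show the difference: a literal '<iframe' tag survives."""
    return "<iframe" in html_body.lower()


if __name__ == "__main__":
    q = query_of(SAMPLE_URL)
    print("vulnerable :", render_vulnerable(q))
    hdrs, body = render_hardened(q)
    print("hardened   :", body)
    print("CSP        :", hdrs["Content-Security-Policy"])
```

The point for the defender is that the fix lives entirely on the server: nothing about the certificate, the domain, or the padlock changes between the two renderings, which is exactly why NetCraft warns that "https" in the address bar does not vouch for the page's content.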

Google also recently reported on malicious content injection on its Online Security blog.


Posted on February 08, 2008
