Italian Bank's XSS Opportunity Seized by Fraudsters
A very convincing phishing attack used a cross-site scripting (XSS) vulnerability on an Italian bank's own website to attempt to steal customers' bank account details. The attack uses a specially crafted URL to a vulnerable page on the bank's website, which loads an attacker-controlled iFrame into a page that looks authentic because it is served over https and the browser shows the lock icon.

It was noted by NetCraft:
This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.
Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates - while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site - including Extended Validation certificates - would display a padlock icon and apparently assure the user that the injected login form is genuine.
Italian Bank's XSS Opportunity Seized by Fraudsters - [NetCraft]
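The two sides of the problem described above, as an added example that is not code from the original post or from the bank or Netcraft: a hypothetical page that reflects a GET parameter into its HTML, shown unescaped beside the HTML-encoded fix, plus a small access-log scan that flags requests whose query parameters carry tag markup once URL-decoded. The parameter name, paths, addresses and log lines are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Hypothetical page that reflects a "q" query parameter into its HTML.
def render_search_vulnerable(q: str) -> str:
    """Defect: untrusted input is concatenated straight into markup."""
    return f"<h1>Results for {q}</h1>"

def render_search_hardened(q: str) -> str:
    """Fix: HTML-encode the input, quotes included, before it reaches markup."""
    return f"<h1>Results for {html.escape(q, quote=True)}</h1>"

# Tag names whose appearance in a decoded query value is worth an alert.
MARKUP_RE = re.compile(r"<\s*/?\s*(iframe|script|img|svg|object|embed)\b", re.I)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_request_target(target: str) -> bool:
    """True if any query parameter contains tag markup after URL-decoding
    (parse_qs decodes once; unquote_plus catches one extra encoding layer)."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(MARKUP_RE.search(unquote_plus(v)) for vs in params.values() for v in vs)

def suspicious_lines(log_text: str) -> list[str]:
    """Return access-log lines whose request target trips flag_request_target."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and flag_request_target(m.group(1)):
            hits.append(line)
    return hits

# Constructed sample access-log lines; addresses, paths and values are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Feb/2008:10:00:01 +0000] "GET /login?lang=it HTTP/1.1" 200 1234
203.0.113.9 - - [08/Feb/2008:10:00:07 +0000] "GET /search?q=%3Ciframe+src%3Dhttps%3A%2F%2Fexample.invalid%2F%3E HTTP/1.1" 200 2048
203.0.113.5 - - [08/Feb/2008:10:00:09 +0000] "GET /search?q=mutuo+casa HTTP/1.1" 200 1500
"""

if __name__ == "__main__":
    print(render_search_hardened("<iframe>"))  # the tag is rendered as text, not markup
    for line in suspicious_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

The escaped rendering is the fix the quoted GET-parameter case calls for; the log scan only surfaces candidates for review, since legitimate values can contain angle brackets.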
Google also recently reported on Malicious Content Injection on its Online Security blog.
Posted on February 08, 2008