Phishers Exploit XSS Flaw to Operate Banking Scam
Netcraft, an Internet services company based in Bath, warns that an 'extremely convincing' phishing scam is abusing the legitimate website of the Italian bank Banca Fideuram, showing how a cross-site scripting flaw can make a phishing attack almost impossible to detect.
According to Netcraft, the attack targets Banca Fideuram customers through the usual route: a genuine-looking e-mail that asks recipients to log on to the bank's website.
What sets this attack apart is that it runs on the bank's own website, served under the real SSL certificate issued to Banca Fideuram. According to Netcraft, the e-mail carries a crafted URL that exploits a cross-site scripting (XSS) vulnerability to inject a modified login form into the bank's genuine login page.
According to Paul Mutton, a handler at Netcraft, the attack underlines how serious the implications of XSS vulnerabilities are for banking sites. Netcraft published Mutton's statement in the second week of January 2008. Mutton added that the attack shows that 'https' at the start of a URL does not guarantee security, and neither does checking that the correct domain name appears in the browser's address bar.
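The mechanism described above comes down to a page that reflects an attacker-controlled parameter into its own HTML. The following is an added illustration, not code from the article or from the bank's site: a hypothetical login page rendered two ways, once reflecting a query parameter verbatim and once HTML-encoding it, fed a constructed link of the kind the article describes (the host, path and parameter name are invented placeholders).

```python
import html
from urllib.parse import urlparse, parse_qs

# Hypothetical stand-in for a bank login page that reflects a query
# parameter (for example, an error notice) into its HTML. Not the real site.
LOGIN_FORM = (
    "<form action='/login' method='post'>"
    "<input name='user'><input name='pass' type='password'>"
    "</form>"
)


def render_login_vulnerable(message: str) -> str:
    """Reflects the parameter verbatim, so any markup in it becomes part of the page."""
    return f"<html><body><p class='notice'>{message}</p>{LOGIN_FORM}</body></html>"


def render_login_hardened(message: str) -> str:
    """HTML-encodes the parameter, so it can only ever render as visible text."""
    safe = html.escape(message, quote=True)
    return f"<html><body><p class='notice'>{safe}</p>{LOGIN_FORM}</body></html>"


def message_from_url(url: str) -> str:
    """Pull the reflected 'msg' parameter out of a link, as a server would."""
    params = parse_qs(urlparse(url).query)
    return params.get("msg", [""])[0]


def count_forms(page: str) -> int:
    """Crude check: how many <form> elements ended up in the rendered page."""
    return page.lower().count("<form")


# Constructed example link: the bank's own host and path (so the padlock and
# domain check both pass), with a query parameter carrying a second form.
CRAFTED_URL = (
    "https://bank.example/login?msg="
    "%3Cform%20action%3D%27https%3A%2F%2Fcollector.example%27%3E%3C%2Fform%3E"
)

if __name__ == "__main__":
    msg = message_from_url(CRAFTED_URL)
    print("vulnerable page forms:", count_forms(render_login_vulnerable(msg)))  # 2
    print("hardened page forms:  ", count_forms(render_login_hardened(msg)))    # 1
```

Output encoding at the point where untrusted data meets HTML is the fix; a Content-Security-Policy that disallows inline script and form submissions to foreign origins is a worthwhile second layer but does not replace it.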
Netcraft said that it has informed the bank of the attack and has had the phishing site taken down so that users can no longer reach it.
» SPAMfighter News - 24-01-2008