Phishing

Netcraft, one of the leading authorities on phising research, reports a Phishing scam that involves XSS.

Poste Italiane seems to have relocated to a brand new location online, in this case the U.K's Crime Reduction Portal which is currently hosting a phishing page.

Additional information:

• U.K's Crime Reduction Portal Hosting Phishing Pages [Dancho Danchev, Jun 2 2008]

The SVP National Police Academy in Hyderabad, India has had some sort of compromise on their website resulting in a Bank of America phishing site operating on one of their servers.

It has been a while since a phishing scam using XSS vulnerability found its way to the Web Hacking Incidents database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported in sites such as XSSed, however most of these vulnerabilities are not included in WHID for lack of public interest.

While most WHID entries are about web site breaches, sometimes vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. It allows them to include a honest looking URL in their e-mail, this way bypassing spam filters and observant users.

Symantec response team found actively used alternative in the best known page on the internet: Google primary search page. By using the Google famous "I feel lucky" feature, the spammer can automatically lead the victim to the first result of a search. All the spammer is left with is finding a query for which his site would pop up first on Google.

This method has another advantage over a redirection page, as the final target is specified by a search string and not by a URL, bypassing smarter filters that know, or learn, that a URL as a parameter of a URL is most probably redirection.

Additional information:

• Google's Advanced Search Operators Abused by Spammers [Symantec Response Team, Nov 2 2007]

An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.

Additional information:

• Alert - Yahoo! Webmail XSS [Cesar Cerrudo, Argeniss, Apr 17 2006]
• Alert - Yahoo! Mail XSS vulnerability [Cesar Cerrudo, Argeniss, Apr 28 2006]

Phishing based on XSS

Additional information:

• Phishers Manipulate SunTrust Site to Steal Data [NetCraft, Sep 28 2004]