New Phishing Technique Works on Multiple Browsers
Multiple financial and other sites are subject to a cross-site scripting attack. HTTPS sites reportedly are just as vulnerable.A British Web developer has revealed a new form of a cross-site scripting, or XSS, attack that facilitates phishing activities. The attack, demonstrated by the developer on his own site, allows an attacker to execute scripts in the context of another Web site. Testing by eWEEK.com indicates that the attack works on both Internet Explorer on Windows XP with Service Pack 2 (Release Candidate 2) and on the Mozilla Firefox 0.9.1 browser. After executing the attack, the user is brought to a Web page running on the victim site (a banking site, for example), but incorporating script from the attacker site. The main, obvious effect of the attack is that the page appears to be running in the victim site, but is incorporating elements from the attacker site. An attacker could therefore use the technique to persuade a user to provide personal information. The effect is more difficult to detect by casual observation than many other previous phishing techniques.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.