Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


New Phishing Technique Works on Multiple Browsers



 By: Larry Seltzer
2004-07-19
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Multiple financial and other sites are subject to a cross-site scripting attack. HTTPS sites reportedly are just as vulnerable.

A British Web developer has revealed a new form of a cross-site scripting, or XSS, attack that facilitates phishing activities.

The attack, demonstrated by the developer on his own site, allows an attacker to execute scripts in the context of another Web site. Testing by eWEEK.com indicates that the attack works on both Internet Explorer on Windows XP with Service Pack 2 (Release Candidate 2) and on the Mozilla Firefox 0.9.1 browser.

After executing the attack, the user is brought to a Web page running on the victim site (a banking site, for example), but incorporating script from the attacker site. The main, obvious effect of the attack is that the page appears to be running in the victim site, but is incorporating elements from the attacker site. An attacker could therefore use the technique to persuade a user to provide personal information. The effect is more difficult to detect by casual observation than many other previous phishing techniques.

Resource Library:

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.

According to an analysis of the technique by British security consulting firm Netcraft, "Having the ability to run their code from the financial institutions own site is a big step forward for fraudsters, as it makes their attack much more plausible, and will almost certainly lead fraudsters to seek out banking sites vulnerable to cross site scripting as a refinement on current phishing attacks which depend upon obscuring the true location of a window prompting for bank account authentication details."

Cross-site scripting attacks have been a hot item recently in security circles, but usually as a way to run scripts in the local machine context for a browser user and attack that computer. Using it against a Web site to spoof that site is new.

Netcraft adds: "Although cross-site scripting has been a well known technique for over four years, it is an easy mistake for programmers to make, and can be an awkward one to test thoroughly."

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page



  Reader Comments: New Phishing Technique Works on Multiple Browsers
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


xr㶲0;; ʷ♵MR-b[^f&uTI)|IzgyoHIL}A4ЍFh|GggD0 pE1>yΤ.w}!ߛF0mTE[ Ϡ^ȈZ#}wu9;;#|6%}w ^{j" KԜL`&F]ٜ7'x2 Xm 8d{=BeIG6 !%>֥qȏ} c! ߷8|}؁䛿S=|e3g71m CT%h!1Q?C= fw^B(ƻF{ikdh9[*v_e ۭAx)B(#"FτwKA%˙8Iؓ&IuhluD`iRi13 LeCÑc3;r,ǃV TQ3c}fZ3uk-3@ؾQ̀ ᙑEuL_FBԿ$¥0 X#vRB'lǦ" 'e5]v9s8 sz7 wZeNXj%o~cn! :r<=0;DL=:n/EÙÌ6mѦ2Q}?-~k~>E,3sA4 ̠+`W:+19jqszr|qӹotUT7o`2 f4 ]p a4FALu&h)5?&Țb.L2o2|)=}R—^(P!P샖_. jΫTwEQQ#w=^fA.r)i" 6=aLTt/n.b?G .΃awWڲ9Q[ kK\MޢG\zcOVu.~hzm+>cq4Y`A-. 8ǹ:zStjt ~^[oeoaG-dj`qaeJݠc}nEw~6aϨ>s|궝x>:AGAticŦh4@MMrӇtu@>+GݺzLnXŞ+ Qm}0C5m|&>ld$4(sw[LL/ JCˋ0P= 2/?>a9N@FܧP}MrA=39nZдc@քMGYS9=L{"z [q37oj7ab#c>l~9)4+9p4C}52{B[`rFVedң!}?p*JNC_kVzq}n7MAV?Ry |;p‡9E#rUϚX 5<9.&B#57:Q O`ChJ**$,T4)ŠpdjKݸ^`"3hqNNRЙB#@9zQ=/OJb-yhjjfIT*{a]hk%R7BjάkΌQWT(RtsiŰ,Bl6<E9̆ɨ~Mܛw\ReeZȔeY;+5mZ/}sf8 , J; HIJ6*SXSqn '[arShfh:6-EN6R^ z0kt;ٰZQJ1I 6D ȸau-Ce0:Ģ\Q߀+%E&>5 cd]<"+ڂi0A  ~HLb2hp \@U.)L19j 2b*PTB$ftW߂ĒbtXQ =:{}Qː 0gted-> IV/굘zrhUUjV9 D+/yWG"MtH_⬯?p,S~q6Fe Y: ~_^:Jdw%UXY1f-1?0ؙ"yl#/ÊTU9+i fR9&}F'ʂX hjO OQGA.C{a&:`JTndІ{egjڳt_KtwTI |qCW&sB[dEκԴ':*5P6>*0GnG=WK$XGv#3ga6j UK*~e;' "덿KAG^320"C;wF!v¬I1\ܷ VuPB7gmE{H^ac7U[@oF)'/ZW&h6>s}&mnj^[uo1wY|VRDsͳi atx/ V$85ѣ4H>׉gQcM8 /jhtUM$P}2hSYpQ5c; [LY6JL߼AFp5xb==#}t;w ܱ W!SD91^% .ɹ%wA2@X;V-(7ϙ40p2Y=](lY|_ۯ|l6c9 hr1m} #"#NR ̍e?z#ovթTjVgHU*A:erȗ?fnu, 2N<ݠ1p N,i=$>JS-Rtqy-NnZTrTS+JBЛgQ!ݓ[m2B02hs)p}/O&PFͧzM%q4wI#̸yF0.Ɨ!skgO̦w0@mlJw޺ Lzu$I<+ojMn@uztCʪ+> 2.izIRϢsG&:Lpz]Qd:)nQ==Mn@h# &w|}AU w>eM+v@lkZpwG4 3 GFeѓeO.'-WJ_0YH/s>PV9k۷BlpH74mCXp| ^_H{c, ,"zJ3.=2a7R^ gF Dccb^n.A+P[/I6S0:;_Fhϼ1V̶R6BΏ])|n:'R6i/.:_t?:N!9kw> {>gq ,}U\u@*-|~<:m~1} LAIP 4 7?$iCOճ2urҹ(]: yp0Z<!hXw/Υq{e[J:^[j܃Z睏,= YE#B[ȧnjLo2XGzi4rG/ ^!-!PR2.5g ^|%֓}Xr!sdQ3hL~;+*a Bf-.3b!bNg<ևAPC{ r H)'4 'yKt;3Ğw[}h!:Ua2"(BS.il'u3xv>^8Sj7 EW%'k;t{-&:}mF1џ`m %cAdQ+F+9eI'Ϥ{GH߉ NAN9os_iפuja~%X@R;#|$~1xGM{uS棏G 9+3rĸE}l(=ht[x_?H+I턟yc(!OhSϏ$٘&BERTUuklko(+*sᔤ˞vCȔXN GXd1 0d&zvA Js{ĶQ[sgc?v}E<ǚuo2i~=z» icVD)]Kĵ"vW+ TOڢE%:m֗Bݽ]vV !bi4V3XT=}{fvÏ9&i N;x1tY AAXE !V lKG s8PzpvvƔI i#ĠH)ޙɳ4 E _56Dea' FYOC,' ?/!IFܱSo-*oO_Oo*N{cE|3̕ u\ kM_U_s ߘP߅?\=3q x FГqi+"@wыK-1-]M:d|:3mXY?5u9fNzV=(}ILN8y0_Bd&AW+&j̹r ׄ ̠@-rF)mXi겎tD~ CX?ˌ2B-&>Nkb_bl {3`;nR}r-ސ,WxDdIJ]y/wvA (qmmR/8E/e$[cDHnk.2VLM,UV)\$5%z\3*G!p8ڢA""~#]Z,JH3 "- V)+ .M;A/li ԥaJ4^ڜېA:^dW\{IWPobYҍ0I" t9>&D"*FXlqv8p@7 v7aPnP'TiJTy ɲ=[WY awUnHeYRj>y.۴s[1Z`β K'Z:}4 ۍ]`2~TMX ᠅f+Wb!Ajyc[U%e_*Py0Xa`*Nu'; .]SOQ<3,5erW-[`¥Z Q o^^!Ms!lŰJj}S-89,f(]W Xsg~[28pH;yz[l%"#q[V$)3U^b1&ұԝRץ61X9씄D$[WĤPoCHnn[cKRQ7e3%P !C>J'GaMɫb{JbxVxFn(RپԲ8r͒ Fw$]t`z,gZȄA&Đ%:\[I0oL Ml>OXe Ȗhn]eC<rIScUj`|0L6C HD+*@<IzI 44TmCvz1gf)| Y $Qٯ*{ySMYV6s7ؗwf^?w7@}| %sNGIEgb;򥤕zm?c9' >;+s[?Œ[ 4j>F򻤟~sT~sT~sT~sTqGeEꥷ\TpcFgteMeswGm,w5gQ?cmð #yZ=9R"1*vIjËX0N͈&p#74[)Mڎ3э*AI0?EX+~p@ZD"X+B-{a:_yxa"f~jm!S95,3+:ȈEm)jomg GҺ8V3)]@;egϼ7TbM &p둍&ݵ5׾>Y ^FVUK?!u{3B Ɵ8O0D.fVɟnJ-tJ^yCщd/U428a^ q! pfw5Tn./ x/3qʃV+= ?cbş oAzk\ts=quS.EzK\"śK1ŗ@y9rO|kvk E䛙u(Am`Zd;wtLHj~6b+@M 6|[`8+ċN򽧻. {EˮF̊9wt)Rn'1}ļل=z( LRce։Ka+I錃ql I_BXgL4 +xj([N0F=|9;b98X"O=@1:.3hΝc(jXO_&/Em/!U9%<´/cT"v?xrN}QyZsʉmOXxMMq`z4BX@{$UPخ18!$9pEl>zu5F?P9E=;M>DNtQk"t]P6i<;@b*bFyA y!Fv;Kb+nI7Q{$qp+ĻVAXFb"֪Y"'"KIEVЮ(> l?. dБ1=^Rl&vn-& \95͒Er 41ެՔ}ub?=G/ttAk-c"]I1xy[/Ò+5fLC6P;lNz yԥ:BM7Ew1TUBhr)=07נ763#6z^C Kk&ݍ'j];̈́W[|W@O[j≠D37{u&CKoW#On@Gӡg1E8a<܉'fdهn-&~iXm>H'*t=jh DФJ fzVCTj~w(/1 .đպԴzYܣ@VT82ikMMQZ#xoׅ9K{'}^pYXkO:Rga^1`^hR¼{nI;..2Hу%)2J\dI>HP)$6a? ~Al9 c=ZF]O ^a;A89g}s^+jL6Z>Ny6irBg+vl"mknnBzTB}F}gzW'b^o90ch+,9+ߛt0̊ۊo4Jۅ]aiJ %0Grۺm{6A聎Ds)i~RBH,*=9`Vݏ1li&kJ \0] q&F&#ZKiJ;#4ƿFxA1K= o~{@\ۛr q,-D||z['AU}H?Km19hb#^( =!`NvV\oz~}C{ =GgD&#xwtq-?E~s#蘱>G6$ER+ ;wA, v#^ֽ?C7L>Y \Q-r9G}8ϷF˞0Iݹa?Ðs{cLZ"`R1@Q>s uǤ' 45`Bx$ld DpsV*2mDRRact05g3bwr]G,/Gt/ss%zH"V|8snj=J" rWH_$ FK|!ET&}fA??&~eKL)awSos# h_Zl0˝ :Lma`t.t?àq?] gƁAffpRt\j:rtԨ)ʞ*|{C` > YDeb@Ԑ0~($Ѕ:y,@#!9ωK1#eúޝ#_F`p3W VjMOBӁRs]j%qv\]xàYU^*_ӄ^I+BI] / (HZ W{PɺxGu0 }a3brOuvY ZWW_iuMzzם~{IH5m+LJy22 6Sr?XԞpm.4 EpɃwᝧ%;飱8/ı3~|JW6joLl+=vS+~k!?{Չt.5]r9ZO-̢iQ`1D'MMo )n}>e Mj^+Q_:v<)))pj+ ݜr~v झS~ @|OP)Shu;'f$g:9NNrʿ@sfE\9_<@ߋ^}.rs_yß92zg(S~g9_@EN9e^\%euݜwAtsOK7G\\Կʩ s?=__PO_r3+>9~7P~W{ÿ7MN779$)gVpv*esS^)4rR}WWKӜ}(gUsVnVa{CjgU_/Gޫ@/q>su=I+ťW*7KL7L1nv}חG{1Pi +{J/y@W4<< X9rnmu"[~|^C{>k'K *8 ߜ:Sw߽,RK|c ,>Oa45D =C9}34]M7nPom DLԍ21A |(U˚VVk[*j 6 ##DdU:[UJ0X\/s>P`24UJ` Њz!J1 =4c֭dKo1;BDO"У/ Ůbe"jf2ȢȗጝWv,P@0~Y8P*`!I؞:F^͇$rfgLߟcc 6&%dfډ5 u̿O6&p&vi ob f+g- تGШswӦ;,9J鮠WdLdp!gB-ҋKt@eDK*1Ã6i Q;|sst˭d<@T6? 9@/ _.c˃a.yCw]`bLׇ^" (luy9M".ipx@\q^f|1h_Ժ׃4b H,'g@诿J`Xkt JV7B3Zfr{^f$jA+_ac˙Z. S@8>cc>H[8=ۺ9l؆"0wUW-ea~K5 D 9bW ?1X3!?ccITǓx `⟐|e'W`'cEx&bb P|_|nvhyC͞ޣfs(K;>LV\s7F%؉GGC߱iB 0 ~ł霰7RFX`n犱LZԝ:6Zd9\7_>%Ͷ U ^{ #E3dưz<RƠC)e h km!tZзkdY9Hr&zU h$.7=j"6: gC“J'u{[/&XT”sm1vZVA>D0)n93[T:9Am'{.4_܅iUhHl[:ֵd2- Ƶ \cwwX\Sbz:SAW (|x@loM[^-jLīc *|?Oe Lt8?B&s`ܐ}olI CO?Fu:hY W960-  `⎈MMi֘9DR*,Dl'f , ~93_O 稅WvwY^|:y-E{ heӕx" ׁ]!Kb {|ėJrcd+{f:PEXl+!R +7`/=H]{+8ǩ3bhwq#b uu+e!.1:3O.XU\(s5lB-`j[mEtAxm;=͙=/l+k[؁nd* kwxur!}đ׈,,L[O ChXrE"ҁ )Q~ mfK#fE [Rj2 19,OxI1%h3l䓈mAb ?+2GxDh\"?㡺_0U9s, j3+TcdX$֬LE")s1GN=zk|FXKc.&Ա`=br8Lte4Q3|JKm)胋Ƚgz`>.<((`,Lv"VTHjMΡmlqR!acT 1L8,RY7Wv!{ZyƋ|_ E>WNENE<<Sf )E|iORdv=,Mӝo3a-d4džIkckj*J#2(