HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

News of Michael Jackson's death blazes across the web--what if it were a hoax?

Over at the SEOmozBlog, Danny Dover has a really interesting post about how, and how fast, the news of Michael Jackson's death travelled across the web. I won't go through it here, but it's a fascinating read. Less than an hour after the 911 call the news was appearing on the web. Less than three hours after the call, Twitter was already sluggish under the load (approximately 1500 mentions per minute of Michael Jackson's death), while MSNBC, the first "traditional" news organization to confirm his death, was only just posting its first confirmation.

So what does this have to do with security, really? Well, not much on the face of it. But this information travelled so amazingly fast that I couldn't help but wonder what would have happened if it were all a big fake--if the earliest source(s) of information on this story had either been made up or planted with malicious intent by insiders or hackers. It seems to me that a well-orchestrated hoax might get picked up by some minor celebrity news sites, then a few larger ones, maybe Digg, and from there the Twitter blaze seems inevitable. How many users could be duped into following links to a "story" (through bit.ly or tinyurl.com, of course) before it can be investigated, denied and squashed? I'm betting a lot.

We have read countless stories of scammers/spammers/phishers using hot news stories (Iran, for example) in order to drive traffic to their malware, but have there been any instances of them faking potentially hot news for this purpose? I'd love to hear of any that have already happened--but if there are none, I'm betting one will be here soon.

Labels: Malware| phishing

XSS+phishing in Italian bank hack

Netcraft is reporting today on a phishing attack leveraging XSS against an Italian bank. From the article (emphasis mine):

An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page.

This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.

Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates - while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site - including Extended Validation certificates - would display a padlock icon and apparently assure the user that the injected login form is genuine.

If this sounds familiar, it should. I gave a talk at Toorcon 2005, the Phuture of Phishing. It focused exclusively on current phishing techniques and defenses and on how XSS vulnerabilities take phishing to a completely new level. From slide 24 of the preso:

  • Current phishing attacks revolve around deceiving the user into thinking a website is a different website.
  • Current phishing defense revolves around:
    • Applications preventing HTML from deliberately hiding functionality or actions of links and script
    • Determining fundamental stats about a site to see if it truly is the site it claims to be
  • But what happens if the phishing site was the actual website?

Exactly! XSS vulnerabilities turn a bank's website into the phishing site. SSL certs, reputation systems, DNS checks, blacklists, and other phishing defenses utterly fail to handle XSS+phishing.
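As an added example (not code from the post, from Netcraft's report, or from the bank), here is the pattern behind the attack described above: a login page that reflects a query parameter into its own markup. The vulnerable renderer sits beside an output-encoded one, with a check a defender can run over the rendered page. The template, the parameter name "msg" and the sample URLs are constructed.

```python
"""Reflected XSS on a login page: vulnerable renderer beside a hardened one.

Added example, not code from the original post or the affected bank.
The page template, parameter name ("msg") and sample inputs are constructed.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed login page template. A status message taken from the URL
# query string is shown directly above the genuine login form.
TEMPLATE = (
    "<html><body>"
    "<p class='status'>{msg}</p>"
    "<form id='login' action='/login' method='post'>"
    "<input name='user'><input name='pass' type='password'>"
    "</form></body></html>"
)


def _msg_param(url: str) -> str:
    """Extracts the 'msg' GET parameter (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the parameter without encoding: any markup it carries
    becomes part of the bank's own page, served under the bank's TLS cert."""
    return TEMPLATE.format(msg=_msg_param(url))


def render_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-entity encoded before it is
    placed in element content, so it can only ever be displayed as text."""
    return TEMPLATE.format(msg=html.escape(_msg_param(url), quote=True))


FORM_TAG = re.compile(r"<form\b", re.IGNORECASE)


def count_forms(page: str) -> int:
    """Defender's check: the genuine login page has exactly one <form>.
    A second form on the page means markup reached the browser unencoded."""
    return len(FORM_TAG.findall(page))


# Constructed inputs: a benign status message and one carrying form markup.
BENIGN_URL = "https://bank.example/login?msg=Session+expired"
HOSTILE_URL = "https://bank.example/login?msg=%3Cform%3Eforged%3C%2Fform%3E"
```

Running `count_forms` over both renderers with `HOSTILE_URL` shows the vulnerable page carrying two forms and the hardened page still carrying one, with the injected tags visible only as literal text.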

I'm certainly not the only one banging this drum. Jeremiah Grossman predates me by a few months with a good presentation about XSS+phishing. I've had a friendly battle running with Lance James for a few years now about the role of local malware vs. website XSS in the future of phishing.

This certainly isn't the first XSS+phishing attack reported in the press, and it won't be the last. Hopefully attacks like this will raise awareness of the dangers of XSS. Remember, XSS isn't just cookie theft, or just key logging, or just page vandalism; XSS is complete client-side code execution!

Labels: hacked| phishing| XSS