XSS+phishing in Italian bank hack

Netcraft is reporting today about a phishing attack leveraging XSS  against an Italian bank. From the article (emphasis mine)

An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank's own website to attempt to steal customers' bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank's login page.

This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.

Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates - while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site - included Extended Validation certificates - would display a padlock icon and apparently assure the user that the injected login form is genuine.

If this sounds familiar, it should. I gave a talk at Toorcon 2005, the Phuture of Phishing. This focused exclusively on current phishing techniques and defense and how XSS vulnerabilities takes phishing to a completely new level. From the slide 24 of the preso:

• Current Phishing attacks revolves around deceiving the user into think a website is a different website.
• Current Phishing defense revolves around:
• Applications preventing HTML from deliberately hiding functionality or actions of links and script
• Determining fundamental stats about a site to see if it truly is the site it claims to be
• But what happens if the phishing site was the actual website?

Exactly! XSS vulnerabilities turns a banks website into the phishing site. SSL certs, reputation systems, DNS checks, blacklists, and other phishing defenses utter fail to handle XSS+phishing.

I'm certainly not the only one banging this drum. Jeremiah Grossman predates me by a few months with a good presentation about XSS+phishing. I've had a friendly battle running with Lance James for a few years now about the role of local malware vs. website XSS in the future of phishing.

This certainly isn't the first XSS+phishing attack reported in the press. It wouldn't be the last. Hopefully attacks like this will raise awareness about the dangers of XSS. Remember, XSS isn't just cookie theft, or just key logging, or just page vandalism; XSS is complete client-side code execution!