Italian Bank's XSS Opportunity Seized by Fraudsters
A very convincing phishing attack used a cross-site scripting (XSS) vulnerability on an Italian bank's own website to try to steal customers' bank account details. The attack uses a specially crafted URL to a vulnerable page on the bank's website; the injected markup loads an external iFrame into a page that looks authentic because it is served over https and shows the browser's lock icon.
As NetCraft noted:
This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of "https" at the start of a URL, or checking that the browser address bar contains the correct domain name.
Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates - while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site - including Extended Validation certificates - would display a padlock icon and apparently assure the user that the injected login form is genuine.
Italian Bank's XSS Opportunity Seized by Fraudsters - [NetCraft]
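To make the mechanism concrete, here is an added example in Python; it is not code from the original post, from NetCraft, or from the bank's site. It shows a hypothetical page handler that reflects a GET parameter straight into its HTML (the reflected-XSS pattern the quote describes), the same handler with output encoding, and a check that confirms the reflected value no longer becomes live markup. The parameter name `msg`, the sample query and the response headers are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed sample query: a value carrying an iframe tag, the way the
# quoted description says external content was delivered via a GET parameter.
SAMPLE_QUERY = urlencode({"msg": '<iframe src="https://example.invalid/"></iframe>'})


def render_vulnerable(query: str) -> str:
    """Hypothetical handler: reflects the raw parameter into the page."""
    msg = parse_qs(query).get("msg", [""])[0]
    return f"<html><body><p>{msg}</p></body></html>"


def render_hardened(query: str) -> str:
    """Same handler with HTML-context output encoding applied."""
    msg = parse_qs(query).get("msg", [""])[0]
    safe = html.escape(msg, quote=True)  # < > & " ' become entities
    return f"<html><body><p>{safe}</p></body></html>"


# Defence in depth: even where encoding is missed, a policy that forbids
# framing other origins and posting forms elsewhere limits what an
# injected login form can do. Values are illustrative, not the bank's.
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-src 'none'; form-action 'self'",
    "X-Content-Type-Options": "nosniff",
}


def contains_live_markup(rendered: str) -> bool:
    """Check used in review/testing: did user input become an HTML tag?"""
    lowered = rendered.lower()
    return any(tag in lowered for tag in ("<iframe", "<script", "<form"))


def csp_blocks_external_frames(headers: dict) -> bool:
    """True if the CSP explicitly disallows framing any origin."""
    policy = headers.get("Content-Security-Policy", "")
    directives = {d.strip().split()[0]: d.strip().split()[1:]
                  for d in policy.split(";") if d.strip()}
    return directives.get("frame-src") == ["'none'"]


if __name__ == "__main__":
    print("vulnerable page reflects tag:", contains_live_markup(render_vulnerable(SAMPLE_QUERY)))
    print("hardened page reflects tag:  ", contains_live_markup(render_hardened(SAMPLE_QUERY)))
```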
Google also recently reported about Malicious Content Injection on their Online Security blog.
Originally posted on Sun Feb 10, 2008