An extremely convincing phishing attack is using a cross-site scripting vulnerability on an Italian Bank’s own website to attempt to steal customers’ bank account details. Fraudsters are currently sending phishing mails which use a specially-crafted URL to inject a modified login form onto the bank’s login page.
The vulnerable page is served over SSL with a bona fide SSL certificate issued to Banca Fideuram S.p.A. in Italy. Nonetheless, the fraudsters have been able to inject an IFRAME onto the login page which loads a modified login form from a web server hosted in Taiwan.
The fraudsters’ login form presented inside the bank’s SSL page.
This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites. It shows that security cannot be guaranteed just by the presence of “https” at the start of a URL, or by checking that the browser address bar contains the correct domain name.
Cross-site scripting vulnerabilities on SSL sites also undermine the purpose of SSL certificates – while the attack detailed here injects external content via an IFRAME, it is important to note that a malicious payload could also be delivered solely via the vulnerable GET parameter. In the latter case, any SSL certificate associated with the site – including Extended Validation certificates – would display a padlock icon and apparently assure the user that the injected login form is genuine.
The vulnerable page, decoding arbitrary GET parameters.
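The root cause described above is a page that decodes a GET parameter and writes it into its HTML unescaped, so a parameter value containing markup (such as an IFRAME tag pointing at a third-party host) becomes part of the bank's own SSL-served page. The following is an added example, not code from the bank or from Netcraft, that contrasts a minimal vulnerable renderer with a hardened one (HTML-escaping the parameter and sending a Content-Security-Policy that forbids framing third-party content and posting the form elsewhere), and then runs a simple detector over constructed access-log lines to flag requests whose decoded query string carries HTML markup. The parameter name `msg`, the `/login.jsp` path, the `attacker.invalid` host and the log lines are all assumptions made up for the demonstration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical login page template; the real page's markup is not reproduced here.
LOGIN_TEMPLATE = """<html><body>
<p>{notice}</p>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form></body></html>"""

# Constructed query string: a percent-encoded IFRAME tag in the assumed "msg" parameter.
CONSTRUCTED_QUERY = (
    "msg=%3Ciframe%20src%3D%22https%3A%2F%2Fattacker.invalid%2Flogin%22%3E"
    "%3C%2Fiframe%3E"
)


def render_login_vulnerable(query_string: str) -> str:
    """The defect class on the page: decode the GET parameter and echo it raw."""
    params = parse_qs(query_string, keep_blank_values=True)  # percent-decodes values
    notice = params.get("msg", [""])[0]
    return LOGIN_TEMPLATE.format(notice=notice)  # markup in 'msg' becomes live HTML


def render_login_hardened(query_string: str) -> tuple[dict, str]:
    """Escape the parameter for an HTML text context and add a restrictive CSP."""
    params = parse_qs(query_string, keep_blank_values=True)
    notice = html.escape(params.get("msg", [""])[0], quote=True)
    headers = {
        # frame-src 'none': the page may not embed any frame at all;
        # form-action 'self': a form can only submit back to this origin.
        "Content-Security-Policy": "default-src 'self'; frame-src 'none'; form-action 'self'",
    }
    return headers, LOGIN_TEMPLATE.format(notice=notice)


# Constructed access-log lines in Apache combined format (IPs from RFC 5737 ranges).
CONSTRUCTED_LOG_LINES = [
    '203.0.113.5 - - [01/Jan/2000:10:00:00 +0000] "GET /login.jsp?msg=welcome HTTP/1.1" 200 1234',
    '198.51.100.9 - - [01/Jan/2000:10:01:00 +0000] "GET /login.jsp?' + CONSTRUCTED_QUERY + ' HTTP/1.1" 200 1234',
    '192.0.2.7 - - [01/Jan/2000:10:02:00 +0000] "GET /login.jsp?msg=a%3Cb HTTP/1.1" 200 1234',
]

_REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_markup_in_queries(log_lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, parameter) pairs whose decoded query value contains '<' or '>'.

    A plain login page never needs angle brackets in a GET parameter, so this is a
    cheap, low-false-positive signal for reflected-XSS probing or live phishing links.
    """
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        client_ip, target = m.group(1), m.group(2)
        query = urlsplit(target).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if any("<" in v or ">" in v for v in values):
                hits.append((client_ip, name))
                break
    return hits


if __name__ == "__main__":
    print("vulnerable contains <iframe:", "<iframe" in render_login_vulnerable(CONSTRUCTED_QUERY))
    hdrs, body = render_login_hardened(CONSTRUCTED_QUERY)
    print("hardened contains <iframe:", "<iframe" in body)
    print("CSP:", hdrs["Content-Security-Policy"])
    print("flagged:", flag_markup_in_queries(CONSTRUCTED_LOG_LINES))
```

Escaping is the fix that removes the bug; the CSP is defence in depth and, because CSP did not exist when this attack was reported, a control a site operator would add today rather than one the page describes. The log check is deliberately crude: it looks only for angle brackets after percent-decoding, which catches the injection shape on this page but not payloads that rely on other encodings or on attribute contexts.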
Netcraft has contacted the bank affected by this attack, blocked the phishing site for all users of the Netcraft Toolbar, and propagated the block to the companies which license the Netcraft PhishFeed.