Phishing with Super Bait presented at BlackHatAsia 2005

by Jeremiah Grossman,

Summary : The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. ItÕs imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information.
This isn't just another presentation about phishing scams or cross-site scripting. WeÕre all very familiar with each of those issues. Instead, weÕll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help.
By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks.