mailing list archives
From: Antonio Varni <avarni () cj com>
Date: Wed, 12 May 2004 09:48:54 -0700 (PDT)
Scammer finds an XSS problem somewhere in your web application,
uses that to create a fake login/order form. If HTTPS, the "lock"
will exist and the certificate will match the URL.
On Wed, 12 May 2004, Rogan Dawes wrote:
It probably is in-scope. The question is, what can we do about it?
Perhaps start by describing the various ways that such phishing attacks
are being executed, and then move on to ways to thwart them?
Scammer downloads a copy of the target's web site, and hosts it locally,
using either a non-SSL site, or an SSL-site with a fake certificate.
Counter: Educate users to check that the "lock" exists, and that the
certificate matches the bank's URL.
Scammer sets up a proxy pointing to the targets web site, and records
sensitive information submitted, while relaying it to the target. Sends
a redirect to the actual site when the sensitive info has been captured.
Proxy uses own certificate to terminate SSL socket, and re-encrypts to
talk to target. (e.g. WebScarab in transparent proxy mode)
Counter: Again, educate users to check the certificate details.
*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"