WebApp Sec mailing list archives
Re: Phishing
From: Antonio Varni <avarni () cj com>
Date: Wed, 12 May 2004 09:48:54 -0700 (PDT)
Method 3: Scammer finds an XSS problem somewhere in your web application, uses that to create a fake login/order form. If HTTPS, the "lock" will exist and the certificate will match the URL.

On Wed, 12 May 2004, Rogan Dawes wrote:

> It probably is in-scope. The question is, what can we do about it? Perhaps start by describing the various ways that such phishing attacks are being executed, and then move on to ways to thwart them?
>
> Method 1: Scammer downloads a copy of the target's web site, and hosts it locally, using either a non-SSL site, or an SSL site with a fake certificate.
>
> Counter: Educate users to check that the "lock" exists, and that the certificate matches the bank's URL.
>
> Method 2: Scammer sets up a proxy pointing to the target's web site, and records sensitive information submitted, while relaying it to the target. Sends a redirect to the actual site when the sensitive info has been captured. Proxy uses its own certificate to terminate the SSL socket, and re-encrypts to talk to the target. (e.g. WebScarab in transparent proxy mode)
>
> Counter: Again, educate users to check the certificate details.
>
> Method 3? Anyone?
>
> <snip>
>
> Regards,
> Rogan
>
> --
> Rogan Dawes
> *ALL* messages to discard () dawes za net will be dropped, and added to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
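Method 3 above rests on the application reflecting untrusted input into its own pages without encoding it, which lets injected markup (a fake form included) ride on the real site's certificate. The following is an added illustration, not code from the thread or from any of its participants: a minimal reflected-output handler in Python, once without encoding and once with context-appropriate encoding, plus a response header that limits where any form on the page may submit. The input string, function names and the header policy are constructed for this example.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input: the kind of value Method 3 relies on being
# reflected verbatim (a bogus form that would collect card data).
CONSTRUCTED_INPUT = (
    '<form action="https://login.example.invalid/">'
    'Card number: <input name="pan"></form>'
)

# Tags that the page template legitimately emits on its own.
TEMPLATE_TAGS = ("<p>", "</p>", "<a href=", "</a>")


def render_vulnerable(display_name: str) -> str:
    """Reflects the parameter straight into the HTML body.

    This reproduces the defect the thread describes: whatever the
    attacker places in the parameter becomes part of the site's DOM.
    """
    return f"<p>Welcome back, {display_name}!</p>"


def render_hardened(display_name: str) -> str:
    """Same page, but the value is entity-encoded for the text-node context.

    html.escape turns < > & " ' into entities, so the browser displays the
    characters instead of parsing them as markup.
    """
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def render_link_hardened(next_path: str) -> str:
    """URL-in-attribute context needs two layers: percent-encoding for the
    URL grammar, then entity-encoding for the attribute grammar."""
    safe = html.escape(quote(next_path, safe="/?=&"), quote=True)
    return f'<a href="{safe}">continue</a>'


def introduces_markup(rendered: str) -> bool:
    """Crude illustrative check: does the rendered page contain any tag that
    the template itself did not emit? A real deployment would rely on the
    encoding, not on scanning output, but this makes the difference visible."""
    tags = re.findall(r"<[a-zA-Z/][^>]*>", rendered)
    return any(not any(t.startswith(ok) for ok in TEMPLATE_TAGS) for t in tags)


def csp_header() -> str:
    """Defence-in-depth response header (constructed policy, not from the
    thread): 'form-action' restricts where forms on the page may submit, so
    even an injected form cannot post to a third-party host."""
    return "Content-Security-Policy: default-src 'self'; form-action 'self'"


if __name__ == "__main__":
    print(render_vulnerable(CONSTRUCTED_INPUT))
    print(render_hardened(CONSTRUCTED_INPUT))
    print(render_link_hardened('/account?next=<script>'))
    print(csp_header())
```

Running the block prints the two renderings side by side: the first contains a live `<form>` element inside the real page, the second shows the same text with `&lt;form ...&gt;` and no new element. The `form-action` directive is worth keeping even after output encoding is in place, because it also covers forms injected through any encoding gap you have not found yet.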