Re: Phishing

[Antonio Varni <avarni () cj com>]

Method 3:

Scammer finds an XSS problem somewhere in your web application,
uses that to create a fake login/order form.  If HTTPS, the "lock"
will exist and the certificate will match the URL.

On Wed, 12 May 2004, Rogan Dawes wrote:
> It probably is in-scope. The question is, what can we do about it?
>
> Perhaps start by describing the various ways that such phishing attacks
> are being executed, and then move on to ways to thwart them?
>
> Method 1:
>
> Scammer downloads a copy of the target's web site, and hosts it locally,
> using either a non-SSL site, or an SSL-site with a fake certificate.
>
> Counter: Educate users to check that the "lock" exists, and that the
> certificate matches the bank's URL.
>
> Method 2:
>
> Scammer sets up a proxy pointing to the targets web site, and records
> sensitive information submitted, while relaying it to the target. Sends
> a redirect to the actual site when the sensitive info has been captured.
> Proxy uses own certificate to terminate SSL socket, and re-encrypts to
> talk to target. (e.g. WebScarab in transparent proxy mode)
>
> Counter: Again, educate users to check the certificate details.
>
> Method 3?
>
> Anyone?

<snip>

> Regards,
>
> Rogan
> --
> Rogan Dawes
>
> *ALL* messages to discard () dawes za net will be dropped, and added
> to my blacklist. Please respond to "lists AT dawes DOT za DOT net"