Paypal phishing via cross-site scripting

At the weekend, phishers used a sophisticated trick to get Paypal users to visit a site that looks like Paypal but isn't; at this faked site, they were asked to enter credit card numbers and other personal information according to a report at Netcraft. The special thing about this phishing action was that the link in the e-mail actually directed recipients to an official Paypal site protected by https. There, unsuspecting users read:

"Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center."

Only then were the victims actually redirected to another server where they were asked to log on with their username and password. This "Resolution Center" was, however, in reality a server under the control of the attackers, who then garnered the data.

Apparently, a Paypal application was vulnerable to cross-site scripting (XSS). For example, it may have taken output text from a variable whose content could be specified via the URL. The phishers designed it so that it contained the message above and possibly even the script code for redirecting. US media are reporting that Paypal has reacted and remedied the XSS hole.

The trend towards increasingly sophisticated phishing techniques does not come as a surprise. The severity of cross-site scripting for security has long been underestimated because it cannot cause any direct damage. But for some time now, experts have been warning that it can be used to create sophisticated fakes, for instance, that victims will have a hard time recognizing as such. Apparently, phishers are now actively looking for such XSS holes on the web sites of banks and payment services. And there is no doubt that they will find some: heise Security has found that the web sites of German banks repeatedly have such errors.

Also see:

• Cross-Site Scripting: Data theft on the rebound, article at heise Security

(ju)