June 29th, 2008

HSBC sites vulnerable to XSS flaws, could aid phishing attacks

Posted by Dancho Danchev @ 7:29 pm

Categories: Passwords, Phishing, Spam and Phishing

Tags: HSBC, XSS, Cross Site Scripting, Phishing Attacks, Phishing Emails, Social Engineering, Dancho Danchev

What would be the perfect phishing attack from a social engineering perspective? Rather than relying on typosquatted domains that mimic the bank’s web application directory structure, it would use the bank’s own legitimate domain names as redirectors, by way of XSS flaws within them. It is even more telling to measure the average time it takes a bank to fix the XSS flaws in its sites once it has been notified of them, which in some cases is longer than the average time it takes to shut down a phishing site.

In yet another compilation of XSS-vulnerable sites, courtesy of Dimitris Pagkalos at XSSed.com, the largest online archive of XSS-vulnerable websites, domains owned by HSBC Holdings plc are shown to be vulnerable to XSS flaws that could easily aid a phishing attack:

“Evidently, major unwanted consequences could be a result of multiple cross-site scripting vulnerabilities affecting bank web sites. XSS must be considered as the phishers’ future weapon by all people working in the security industry. Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.

If they want to own HSBC’s e-banking customers, all they have to do is to register a “suspicious” looking domain like hscsbc.com which is currently available and then serve a phishing page. Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate!”

With the e-banking industry slowly embracing the “no security software, no e-banking fraud claims for you” mentality in order to shift the risk of potential fraud claims onto the customer, would a customer still be able to file a fraud claim when the phishing attack succeeded because of a vulnerability in the bank’s own site? The bank will certainly first ask whether security software was in place, which shows the degree to which it does NOT understand the threats its customers face.

A brief excerpt from the previous post on the irrelevance of having security software in place when the bank’s own sites are vulnerable, and on why the emphasis on security software speaks to a simplistic understanding of the threats their customers face on a daily basis:

“Cross-site scripting vulnerabilities within banking sites are nothing new; in fact, in the past there were initiatives tracking down such vulnerabilities and how long it took for the bank to fix them. Barclays is an example, with XSS vulnerabilities unfixed for over a year despite notification. Why aren’t they taking XSS seriously in the first place? Because the people responsible for their anti-fraud activities aren’t aware of the potential to abuse the vulnerabilities and use the bank’s site as a redirector to malicious software, or to a phishing page with a decent SSL certificate in place. Phishers are indeed using XSS vulnerabilities to scam a bank’s customers, thanks to the bank’s vulnerable web applications; here’s the most recent incident.

It always starts with the basics. A customer should demand some accountability from the banks he’s using on what they are doing to make his transactions more secure, and what they have done over the past couple of years in this direction. The reality is that the banks themselves don’t make a distinction between a Trojan horse and banking malware; it’s all viruses to them, and this underestimation of the current threatscape directly reflects their inability to protect their customers. Here are some examples in regard to HSBC, for instance:

- The importance of patching is limited to visiting the Windows Update site, which leaves all of your non-MS software unpatched; at a time when every average web malware exploitation kit takes advantage of 10 to 15 different client-side vulnerabilities in the most popular video players, browsers, and even browser plugins and widgets, this doesn’t speak for good situational awareness on behalf of a bank.

- The use of free anti-virus software is recommended, next to using third-party anti-spyware software. If you are aware of a spyware infection case through fully patched Firefox and Opera web browsers, point it out. There are exceptions, with spyware coming in as a fake extension, but the fact that the emphasis in such advice isn’t on recommending a browser other than IE speaks for itself, from my perspective.

- Encouraging the use of the free ZoneAlarm is not bad advice, compared to the opportunity they have to provide a benchmarked analysis of personal firewalls and of which one scored highest on the criteria the customer is interested in.”

And talking about the basics: the XSS vulnerabilities within the sites could have been detected by even the cheapest scanner out there. Most of them still remain active; let’s see for how long.
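Added example (JavaScript, not code from the post, from HSBC or from XSSed.com) illustrating two points made above: the quoted excerpts’ concern that an XSS or redirect flaw lets the bank’s own domain serve as a phishing redirector, and the remark that such flaws are caught by the cheapest scanner. It shows a toy page handler in vulnerable and hardened form, a same-site redirect check, and the marker-reflection test a basic scanner performs. All function and parameter names are hypothetical, the handlers are pure functions so no server is needed, and the marker is inert text rather than a working payload.

```javascript
// Added example, not code from the post, from HSBC or from XSSed.com.
// A toy server-side page renderer in its vulnerable and hardened forms, a
// same-site redirect check, and the trivial reflection test a basic scanner
// runs. All names (renderSearchVulnerable, safeRedirectTarget, ...) are
// hypothetical; the handlers are pure functions so they run without a server.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five HTML metacharacters so untrusted text renders as text.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: the search term is interpolated straight into the markup, so any
// markup in it is rendered under the site's own origin (the flaw the post describes).
function renderSearchVulnerable(params) {
  const q = params.get('q') ?? '';
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Hardened: the same page, with every untrusted value HTML-escaped first.
function renderSearchHardened(params) {
  const q = escapeHtml(params.get('q') ?? '');
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// A "return to" parameter that is honoured blindly turns the legitimate domain
// into a redirector to someone else's page. Accept only a relative path on the
// same site: it must start with exactly one '/', not '//' (protocol-relative),
// not '/\' (normalised to '//' by some browsers), and carry no scheme.
function safeRedirectTarget(candidate, fallback = '/') {
  if (typeof candidate !== 'string') return fallback;
  const sameSitePath = /^\/(?![\/\\])[^\s\\]*$/;
  return sameSitePath.test(candidate) ? candidate : fallback;
}

// The cheapest possible reflection check: send an inert marker containing an
// HTML metacharacter and see whether it comes back unencoded. A marker that
// survives verbatim means the page reflects raw '<', which is what a scanner
// (or a unit test in the bank's own build) flags.
const MARKER = 'xsscheck<7a9b>';

function reflectsUnescaped(render) {
  const page = render(new URLSearchParams({ q: MARKER }));
  return page.includes(MARKER);
}

// Run all checks and return a summary object.
function selfCheck() {
  return {
    vulnerableReflects: reflectsUnescaped(renderSearchVulnerable), // true
    hardenedReflects: reflectsUnescaped(renderSearchHardened),     // false
    openRedirectBlocked: safeRedirectTarget('//evil.example/login') === '/',
    sameSiteAllowed: safeRedirectTarget('/accounts/summary') === '/accounts/summary',
  };
}

console.log(selfCheck());
```

Run it with node. The hardened handler passes the same reflection check the vulnerable one fails, which is exactly the check worth wiring into a site’s own test suite, so that the notification-to-fix window the post measures never opens in the first place.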

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (5)

RE: HSBC sites vulnerable to XSS flaws, could aid phishing attacks
Another case where using Firefox with the NoScript extension will help, as NoScript blocks XSS. (Read the rest)
Posted by: Greenknight_z, 07/01/08

Other talkbacks:
- How many users understand or care.... (howiem, 06/30/08)
- This is not enough... (tiagovieira, 06/30/08)
- "Could"? I think it has already been done. (David Spencer, 07/01/08)
- RE: HSBC sites vulnerable to XSS flaws, could aid phishing attacks (twaynesdomain, 07/01/08)
- RE: HSBC sites vulnerable to XSS flaws, could aid phishing attacks (Greenknight_z, 07/01/08)
