Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth
- From: "Brian Eaton" <eaton.lists@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Phishing attacks circumventing two-factor auth
- Date: Mon, 10 Jul 2006 21:53:43 -0400

On 7/10/06, dpw <dainw@xxxxxxx> wrote:
> however... the article does state that the MiTM form *posted* into the
> citibank application to authenticate the second factor.
> This is the part that I was responding to - regardless of the phishing lure
> the user saw - the form shouldn't have been able to post back into the
> citibank authentication system successfully. It should have been DOA trying
> something like that.

Now you've got me wondering. The article says,

"That's because this site acts as the "man in the middle" -- it
submits data provided by the user to the actual Citibusiness login
site."

That could mean either that the web page was submitting directly to
citibank, or that the web page submitted to the spoofed site which
then forwarded the submission. One of the "features" of this phishing
site was that it could distinguish between legitimate business codes
and faked ones, which makes me think this was MITM.

Regards,
Brian
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org