Contributors

Jeremiah Grossman
(WhiteHat Security)

Ofer Shezaf
(Breach Security) [Project Leader]

The Web Hacking Incidents Database
Last update: 17 February 2008

List of Incidents for a Classification

Please note that classifications are a new feature and not all entries in WHID are already classified, so when you get a certain number of entries for a classification, WHID might have more records matching that classification that we did not classify yet. We hope to complete the classification process soon.



List of incidents for which Outcome is Phishing
4 incidents listed
WHID 2008-02: Italian Bank's XSS Opportunity Seized by Fraudsters
Reported: 09 January 2008
Occurred: 08 January 2008

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Country: Italy
  • Outcome: Phishing
  • Vertical: Finance

It has been a while since a phishing scam using an XSS vulnerability found its way into the Web Hacking Incidents Database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported on sites such as XSSed; however, most of these vulnerabilities are not included in WHID for lack of public interest. The current incident is different because the vulnerability is known to have been exploited by attackers, moving it from the realm of technical interest to the realm of a real problem.

WHID 2007-53: Google's Advanced Search Operators Abused by Spammers
Reported: 07 November 2007
Occurred: 02 November 2007

Classifications:

  • Attack Method: Redirection
  • Country: Global
  • Outcome: Phishing
  • Vertical: Internet

While most WHID entries are about web site breaches, sometimes a vulnerability in a web application is used indirectly. Redirection functions in web applications are commonly used by spammers and phishers. They allow them to include an honest-looking URL in their e-mail, thereby bypassing spam filters and observant users.

The Symantec response team found an actively used alternative in the best-known page on the Internet: Google's primary search page. By using Google's famous "I feel lucky" feature, the spammer can automatically lead the victim to the first result of a search. All that is left for the spammer is to find a query for which his site comes up first on Google.

This method has another advantage over a redirection page: the final target is specified by a search string and not by a URL, which bypasses smarter filters that know, or learn, that a URL passed as a parameter of another URL is most probably a redirection.

WHID 2006-26: Yahoo XSS used for phishing
Reported: 18 April 2006
Occurred: 17 April 2006

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Outcome: Phishing

An XSS vulnerability in Yahoo Mail is actively exploited for targeted phishing.

WHID 2004-11: Phishers Manipulate SunTrust Site to Steal Data
Reported:
Occurred: 28 September 2004

Classifications:

  • Attack Method: Cross Site Scripting (XSS)
  • Country: USA
  • Outcome: Phishing
  • Vertical: Finance

Phishing based on XSS


This work is licensed under the Creative Commons Attribution License. To view a copy of this license, visit http://creativecommons.org/licenses/by/2.5/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

 
© Copyright 2005, Web Application Security Consortium. All rights reserved.