Phishing with Super Bait: An Examination of Next-Generation Phishing Attacks

Jeremiah Grossman, WhiteHat Security

This isn't just another presentation about phishing scams or cross-site scripting (XSS). We're all very familiar with each of those issues. Instead, we'll discuss the impact when the two are combined to form new and highly effective hybrid attacks. Phishers are beginning to utilize these techniques, creating new phishing attacks that are virtually impervious to conventional and more sophisticated security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer limited protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams is launched not from look-alike web pages, but instead from legitimate websites!

This presentation features live demonstrations of the execution of these attacks. You'll see cutting-edge exploits that can effectively turn your browser into spyware with the use of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks. The use of phishing/cross-site scripting hybrid attacks for financial gain is spreading. It's imperative that the security industry familiarize itself with these new threats to protect their websites and confidential information.

Speaker Bio:

Jeremiah Grossman is the founder and Chief Technology Officer of WhiteHat Security, a leading provider of web application security services. At WhiteHat, Mr. Grossman is responsible for R&D and industry evangelism. As a seven-year industry veteran and well-known security expert, Mr. Grossman is a frequent conference speaker at many industry events, including the BlackHat Briefings, ISSA, ISACA and NASA conferences. Mr. Grossman's research, writings, and discoveries have been featured in USA Today, VAR Business, ZDNet, eWeek, and BetaNews. Mr. Grossman is also a founder of the Web Application Security Consortium (WASC), as well as a contributing member of the Center for Internet Security Apache Benchmark Group. Prior to WhiteHat, Mr. Grossman was an information security officer at Yahoo!, responsible for performing security reviews on the company's hundreds of websites.

Gates 4B (opposite 490) Tuesday 11/15/05 1630 hrs