This isn't just another presentation about phishing scams or cross-site scripting (XSS). We're all very familiar with each of those issues. Instead, we'll discuss the impact when the two are combined to form new and highly effective hybrid attacks. Phishers are beginning to utilize these techniques, creating new phishing attacks that are virtually impervious to conventional and more sophisticated security measures. Secure Sockets Layer (SSL), blacklists, token-based authentication, the browser same-origin policy, and monitoring / take-down services offer limited protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams is launched not from look-alike web pages, but from legitimate websites!
Gates 4B (opposite 490) Tuesday 11/15/05 1630 hrs