WHID 2008-02: Italian Bank's XSS Opportunity Seized by Fraudsters
Reported: 09 January 2008
Occurred: 08 January 2008
Attack Method: Cross Site Scripting (XSS)
It has been a while since a phishing scam using an XSS vulnerability found its way into the Web Hacking Incidents Database (SunTrust, WHID 2004-11). The current incident is a good example of what does and does not get into our database: XSS vulnerabilities in public web sites are discovered daily and reported on sites such as XSSed, but most of them are not included in WHID for lack of public interest. The current incident is different because the vulnerability is known to have been exploited by attackers, which moves it from the realm of technical interest to the realm of a real problem.
Italian Bank's XSS Opportunity Seized by Fraudsters
Advisory, Netcraft, 08 January 2008
WHID 2008-01: Information stolen from geeks.com
Reported: 08 January 2008
Occurred: 05 January 2008
Attack Method: Unknown
Outcome: Leakage of Information
Very detailed records of geeks.com customers were stolen from the site. The records included name, address, telephone number, e-mail address, credit card number, expiration date, and most notoriously, card verification number (CVV).
The interesting part is that the site carried a Hacker Safe seal. The seal was revoked twice last year due to vulnerabilities, but restored after they were patched. It seems that this time either the hack preceded the scan or the scan missed the vulnerability. So much for application scanning and vulnerability assessment....
And don't take it lightly because it is a geeks' site: Geeks.com is a $150M/year business.
Update: 'Hacker safe' Web site gets hit by hacker
News Story, Computerworld, 07 January 2008
'Hacker Safe' Geeks.com Hacked
News Story, Information Week, 07 January 2008
Geeks.com Website Hacked, Customer Data Stolen
News Story, Consumerist,