
'Self-Aware' Bank Hacking Code Unleashed


A hacker has published code for powerful cross-site scripting attacks which he claims surpass normal cookie stealing and phishing for users' private details.

Cross-site scripting (XSS) flaws let attackers inject content, typically script, that the browser runs in the context of a vulnerable but trusted site, so unwitting victims hand sensitive information to criminals while apparently dealing with the genuine site. As well as being a means to present pop-ups that link to a hacker-controlled site, XSSes can also lead to cookie theft.

Niklas Femerstrand, the hacker who in October 2011 discovered that a debugging tool on the American Express website was vulnerable to an XSS flaw, developed an "XSS on steroids" script while researching a similar flaw on the website of an unnamed Swedish bank.

"There are common myths about XSSes saying they can only be used for phishing and cookie harvesting," he told The Register. "My code bursts those myths and so is the first way of transforming a 'non persistent' XSS into a persistent state.

"I have written self-aware code that recognizes its own presence and makes a local infection of its own payload into all links of a website presented to the infected visitor. This way the non-persistent XSS becomes persistent to the infected user. It also follows the user through page forms and sends interesting data to the attacker (usernames, passwords, credit card info)," he added.

Rik Ferguson, director of security research and communication at Trend Micro, confirmed that the script developed by Femerstrand is a more potent form of XSS but questioned whether it was as innovative as the hacker claims. Ferguson said the technique used by Femerstrand has actually been around for quite a while and was implemented as part of the Browser Exploitation Framework, BeEF (beefproject.com).

Femerstrand justified publishing his attack code by describing its release as a way of exposing what he argues is the inadequate security of banking institutions.


Source: The Register
