When XSS vulnerabilities on bank websites are exploited by phishers, it is too late to undo the unwanted consequences. According to the news by Paul Mutton of Netcraft, fraudsters used a cross-site scripting vulnerability on the website of Banca Fideuram S.p.A. to spread a phishing scam aiming to steal the account details of customers. The phishers were able to inject a modified login form onto the bank's login page, specifically an IFRAME which loads the fake login form from a web server in Taiwan. The fact that the login page uses SSL does not mean that it is secure against XSS attacks.
Customers who are unaware of web security are easily tricked into entering sensitive personal information, especially if the cross-site scripting attack vector is obfuscated.