This morning I got an e-mail … the typical “[Person] suggested you like [Something]” from Facebook. Typically, this kind of stuff is spam, but I checked it out anyway. However, when I got to the page, I didn’t observe just spam; in fact, I observed a cunning exploit which allows the page to run whatever JavaScript code it wishes. It uses social engineering to prompt the user to perform a series of actions in order to get a ‘reward’. In the process, the user inadvertently executes JavaScript code in their own browser.
Watch this video I recorded to see it live in action:
Posted by Brendon on October 18th, 2009 | 3 comments
Many people have the idea that phishing scams are complex, and are operated by organised criminals. In fact, they are not that hard to create at all. I could create one, and I could scam people for money. So that’s what I am going to do.* In this article, I will show you how easy it is to create your very own phishing scam set-up. I will deal with the ‘technical side’ — the website and the e-mail — but not with harvesting addresses and sending e-mails, not getting caught, etc.
This proof of concept demonstrates how basic logic in CSS (Cascading Style Sheets) can be used to query a browser as to whether a visitor has visited another web page. More generally, it shows that even simple logic in a technology can be exploited. Although the data used in this example seems rather unimportant, when it is used to profile a user’s likes and dislikes, for example, it quickly turns from “data” into personal information.