Fake Login Page with XSS – IFRAME – | C B Bank – Online Electricity Billing Payment System(GBPS)

When XSS vulnerabilities on bank websites are exploited by phishers, is too late to undo the unwanted consequences. The phishers were able to inject a modified login form onto the bank’s login page, specifically an IFRAME which loads the fake login form from a web server. Even if the login page uses SSL, does not […]




Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

When XSS vulnerabilities on bank websites are exploited by phishers, is too late to undo the unwanted consequences. The phishers were able to inject a modified login form onto the bank’s login page, specifically an IFRAME which loads the fake login form from a web server. Even if the login page uses SSL, does not mean that is secure against XSS attacks. Web security unaware customers are easily tricked to enter sensitive personal information, especially if the cross-site scripting attack vector is obfuscated.

Cross site scripting (XSS) is where one site manages to run a script on another site, with the privileges of you, the user, Using a browser side scripting language (usually JavaScript). The goal of the attacker is to make the malicious script appear to be from the site being attacked, so the user’s browser can’t tell the script being executed is not meant to be aprt of the site they are viewing. This is usually accomplished by an attacker by submitting specially crafted values into the target site’s URL or web forms, or anywhere user generated content is displayed on the site.

Note: Educational purpose only.

Well, Let me show you something about Fake Login Page with XSS – Using IFRAME
First I’m going to visit the following site:

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Yes, It’s normal, and try to insert some XSS scripts.

Basic XSS code:

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Nope,

 

Test again with these, Bypass the script tag filtering:

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Grab Cookies with XSS

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

IFRAME

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

Finally : Let create Fake Login Page with PHP

– Clone Original Page

– Go to Login Form (tag)

– Write some script … That’s all.

Fake Login Page with XSS IFRAME | C B Bank - Online Electricity Billing Payment System(GBPS)

This FAKE login form which can convince gather a user’s credentials such as Account and Pin Numbers. If the victim logs in via the fake login page, their Those Account and Pin is transmitted to the fraudsters and they are subsequently presented with original login page. Information requested includes Account Number. and Pin Number..

We hope that your security staff will look into this issue and fix it as soon as possible.