XSS behind a decade of bank hacks


Penetration testing research.

Cross-site scripting vulnerabilities accounted for 80 percent of attacks against the world's banks, researchers say.

Swiss penetration testing firm High-Tech Bridge analysed publicly reported incidents over the last decade affecting major websites for banks.

A common XSS attack method might involve a hacker using code injections to steal visitors' data, like cookies, or manipulating what victims see to trick them into inputting sensitive personal or financial information.

In the experiment, High-Tech Bridge used a list of the world's 50 “biggest banks” in 2012 (as determined by Global Finance magazine) and dug up public attack reports posted on security and hacking sites or online archives for XSS attacks and site defacements.

Financial institutions on the list included Bank of America, HSBC, Barclays, JPMorgan Chase, Wells Fargo, Bank of Montreal, and a number of other major banks around the globe.

Out of 102 reported incidents that occurred between 2003 and the present, High-Tech Bridge found that Bank of America had the most public reports of security issues affecting its site.

Between 2007 and 2010, Bank of America sustained 12 publicly reported website attacks, the firm revealed. Of the 12 security incidents, 11 were XSS attacks.

The firm only noted two publicly reported website compromises in 2013 – at Bank of Brazil and Standard Chartered, a U.K.-based bank.

High-Tech Bridge CEO Ilia Kolochenko said the absence of recent reports on bank site attacks is not for a lack of them occurring. Instead, it reflects a change in attackers' motives for targeting financial institutions.

Over the years, attacks have become more malicious, as opposed to hackers carrying out the exploits “for fun or glory,” he explained.

“Hackers today are compromising [banking sites] even more often than before, but it's just that they do not expose it to the public,” Kolochenko said, later adding that saboteurs wish to stay under the radar, since they “are doing it for profit now.”

Early this year, London-based cloud security firm FireHost found that XSS attacks rose more than 160 percent in the U.S. and Europe between the third and fourth quarter of 2012 alone. During the time frame, XSS attacks blocked by FireHost's servers increased from more than one million to 2.6 million, outpacing all of the common web attack vectors, including SQL injection.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
