HSBC sites vulnerable to XSS flaws, could aid phishing attacks

HSBC sites vulnerable to XSS flaws, could aid phishing attacks

Summary: What would the perfect phishing attack from a social engineering perspective? The one that compared to using typosquatted domains impersonating the bank's web application directory structure is in fact using the bank's legitimate domain names as redirectors due to XSS flaws within.


XSS flaw HSBCWhat would the perfect phishing attack from a social engineering perspective? The one that compared to using typosquatted domains impersonating the bank's web application directory structure is in fact using the bank's legitimate domain names as redirectors due to XSS flaws within. It's even more interesting to measure the average time it takes for a bank to fix the XSS flaws within its sites upon getting notified of them, which in some cases is longer than the average time it takes to shut down a phishing site.

In yet another compilation of XSS vulnerable sites courtesy of Dimitris Pagkalos at, the largest online archive of XSS vulnerable websites, HSBC Holdings plc owned domains are vulnerable to XSS flaws which could easily aid in a phishing attack :

"Evidently, major unwanted consequences could be a result of multiple cross-site scripting vulnerabilities affecting bank web sites. XSS must be considered as the phishers' future weapon by all people working in the security industry. Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.

If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like which is currently available and then serve a phishing page. Even better, they can exploit a cross-site scripting vuln on, obfuscate the attack vector and significantly increase their phishing success rate!"

With the Ebanking industry slowly embracing the "No Security Software, no Ebanking Fraud Claims for You" mentality in order to forward the risk of potential fraud claims to the customer, would a customer still be able to file fraud claims given that the phishing attack occurred due to a vulnerability in the bank's site? They'll definitely ask for the security software in place before that, indicating their degree of NOT understanding the threats to their customers.

A brief excerpt from the previous post on the irrelevance of having security software in place when the bank's sites are vulnerable, and why the emphasis on the security software speaks for the simplistic understanding of the threats their customers face on a daily basis :

"Cross-site scripting vulnerabilities within banking sites are nothing new, in fact, in the past there were initiatives tracking down such vulnerabilities and how long it took for the bank to fix them. Barclays is an example with XSS vulnerabilities unfixed for over a year despite notification. Why aren’t they taking XSS seriously at the first place? Because the people responsible for their anti-fraud activities aren’t aware of the potential to abuse the vulnerabilities and user the bank site as a redirector to malicious software, or a phishing page with a decent SSL certificate in place. Phishers are indeed using XSS vulnerabilities to scam a bank’s customers, thanks to the bank’s vulnerable web applications, here’s the most recent incident"

It always starts with the basics. A customer should demand some accountability from the banks he's using on what are they doing to make his transactions more secure, and what have they done for the past couple of years in this direction. The reality is that the banks themselves don't make a different between a Trojan horse and a banking malware, it's all viruses to them, and this underestimation of the current threatscape directly reflects their inability to protect their customers. Here are some examples in regard to HSBC for instance :

- The importance of patching is limited to visiting the Windows Update site, which leaves all of your non-MS software unpatched, which in times when every average web malware exploitation kit is taking advantage of 10 to 15 different client-side vulnerabilities in the most popular video players, browsers, even browser plugins and widgets, doesn't speak for a good situational awareness on behalf of a bank

- The use of free anti virus software is recommended, next to using a third party anti spyware software.  If you are aware of a spyware infection case through fully patched Firefox and Opera web browsers point it out. There are exceptions with spyware coming in as a fake extension, but the fact that the emphasis in such an advice isn't on the recommendation of using another browser but IE, speak for itself from my perspective

- Encouraging the use of the free ZoneAlarm is not a bad advice compared to the opportunity for them to provide a benchmarked analysis of personal firewalls and which one scored the most based on the criteria the customer is interested in

And talking about the basics, the XSS vulnerabilities within the sites could have been detected even by the cheapest scanner out there. Most of them still remain active, let's see for how long.

Topic: Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • How many users understand or care....

    Your article raises a number of good points. But the best advice for not getting phished is to bookmark a secure page on the bank's website and use ONLY that bookmark to access your account. You will get redirected to the genuine login page. Another piece of advice is to use a sandbox program and create a sandbox that you only use for accessing bank sites. And use the bookmark to the secure web page to do your online banking. By not having any other web sites open in the sandbox, there is little chance of getting struck by cross domain scripting. I agree that the banks should tell customers how they protect them, but it should be in non-technical terms. Both sides have take precautions to protect themselves. If a customer gets careless, well, it's his money, and his responsibility. If the bank gets careless then they are not doing their job of caring for the customers money. To my way of thinking, a free anti-virus program is only useful in these cases if it can detect web threats. Clamwin, for example is not a real time AV program, so it should not be allowed as a customers AV program. Free Zone Alarm has no anti-phishing or web detection capabilities, rather, per the comparison chart on the web site, "stays out of the way; does not interfere with the way you surf the web", so I fail to see the relevance of this program to protection against phishing.
  • This is not enough...

    As a HSBC customer in UK, I usually receive emails with links from them (TRUE emails) directing me to their website, which is something that in Brazil, for example, all major banks decided to give up. Emails are the best place where you can have a phishing attack related to banks. It's all about safety and they have to create a rule over this issue as well.
  • "Could"? I think it has already been done.

    Actually, although you seem to suggest that this is hypothetically possible but has not been actually successfully implemented 'in the wild' (correct if I'm wrong) I encountered a phishing attempt in an email that I received about a year ago that I'm sure used this security hole.
    I never fall for this stuff but I do follow the links, examine the URLs, page sources and paths that people will get taken on, even fill up the question blocks with garbage just out of spite. And indeed last year, I received a phishing email (from an American bank where I have never had an account) and as I explored the nature of the exploit I was quite astonished that the first link was not to Russia or China, etc., but to the bank's legitimate home page, where your login information is supposed to be entered. I entered bogus details and I was forwarded to a foreign web page that clearly had captured my invented login details. I played with these phishing bozos some more (I have several favorite user names like 'George Bush' or 'Osama Bin Laden', and some creative, often off-colour passwords, etc.) and was directed around their site, and then probably after being thanked for my 'cooperation' was bounced back to the bank's real home page (login page) to continue.
    I actually made an effort to contact the bank's security about this because I had never seen such an insidious phishing attempt before. I included all of the details of what had happened, the URLs I was directed to and everything that I thought was important for this bank's security, I emphasized that I was really surprised at the level of sophistication of this attempt at trying to fool people. What happened? I may have received a boilerplate email thanking me, yada, yada, yada, but I have no reason to believe that a human, much less a real Internet security person, even read my email. I have received many phishing attempts (although not like that one), and sometimes I do (as the bank's web site requests) forward the URLs, etc. to their special email. But you know what? I get back some stupid email (again, boilerplate) treating me like a moron and giving me a pep talk about the dangers of giving usernames or passwords to people or websites, and all that crap.
    Frankly, I have never seen any reason to believe that banks are really, truly all that concerned about electronic security. I assume they depend on their insurance to cover their butts when they get scammed, or hope that some of their customers are too stupid to realize they been ripped off so nothing is ever done about it. Bank's are clearly far more preoccupied with PR, with saving face, then with having the occasional 'inconvenience' of losing the odd hundred, thousand or million dollars.
    It really makes you wonder.
    David Spencer-20660146163390554490918120654216
  • RE: HSBC sites vulnerable to XSS flaws, could aid phishing attacks

    I think it's high on hype and low on reality, thereby perpetuating the same ignorance it claims to want to expose.
  • RE: HSBC sites vulnerable to XSS flaws, could aid phishing attacks

    Another case where using Firefox with the NoScript extension will help, as NoScript blocks XSS.