Users of eBay may be the latest victims of a spearphishing campaign, thanks to an XSS security vulnerability. The good news is that eBay has patched the vulnerability. The bad news is that it is an example that spearphishing is a problem that’s not going away and, in fact, tops the list of security concerns among enterprises, according to a new study from Cloudmark.
Let’s start with the eBay story. According to ZDNet:
The Cross-Site Scripting (XSS) vulnerability, implemented through Java, allowed an attacker to inject their own malicious page within eBay via an iframe. MLT leveraged the weakness in eBay's domain to inject a login page into eBay's URL system, which made the malicious URL look like it was hosted on the legitimate eBay website.
The flaw, the article continued, opened the door for a spearphishing campaign targeting eBay users. And it is a good example of why enterprise worries about spearphishing as a serious threat to their networks and data. As SC Magazine explained, the XSS vulnerability:
could be exploited by spearphishers “to steal funds from people, use trusted eBay accounts to scam other users, and more.
The Cloudmark survey found that 20 percent of IT decision makers say that spearphishing is their top security concern, while 42 percent admitted that spearphishing made their top three worries. The reason is clear: 84 percent said that a spearphishing campaign made it through their security defenses, and 38 percent blame spearphishing for a cyberattack. The most common attack is malware, followed by authentication credential discoveries and corporate information requests.
The attacks have had serious financial impacts, as the average cost of an attack was $1.6 million. There is also the hit to the company’s reputation, as well as a decrease in stock value.
Why does spearphishing work? According to the Cloudmark blog:
Spearphishing will continue to be a widely used tactic by cyber attackers who find socially engineered emails to be the easiest path of entry to many systems that are otherwise heavily guarded.
Though companies rely on anti-spam and anti-virus solutions, these tools were originally created to attack bulk spam and non-targeted malware payloads, not spearphishing. Employee education also does not provide a bulletproof vest against this pervasive method of attack.
It may be that users dodged a bullet with the eBay vulnerability (time will tell), but when you see a story like that, it is easy to see why IT pros are worried about spearphishing attacks.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.