"Overall these types are attacks are bound to happen again as they are simple and effective when done in a clever way. If chained with a lack of CSRF tokens or Open Redirect vulnerability, things could get much more powerful and complex. They also have a big advantage in that they don't require any sort of infection on a victim's computer but rather just some rogue JS on a vulnerable site," Bryant concluded.
"It really makes you think, should these large sites be help responsible for vulnerabilities that allow attacks like this to happen? A good comparison would be DNS amplification attacks which allow DoS attack to be amplified through the use of vulnerable DNS servers."
Slow persistence with Outlook [enigma0x3]
On Sunday, researcher Matt Nelson posted a blog that caught my attention.
Using a bit of Phishing, in order to get a mark to accept VBS running (you'd be surprised how often Visual Basic is allowed in the workplace), you can use Outlook and PowerShell to maintain slow persistence on the system.
"By using [PowerShell and Outlook], we can achieve slow persistence on a machine by monitoring the default inbox and executing a payload when an email comes in with a specified subject. When you want your shell, you send an email and wait for the script on the user's machine to check in."
It's a neat tactic, and depending on the target, could be useful during a pen test where abnormal methods to gain access are needed.
Items of note:
The summer conference circuit is in full swing.
Source Boston is this week (April 8-10), and there are several B-Sides events coming as well. B-Sides Chicago is on the 26th, and there's one in London on the 29th. There are B-Sides events set for Boston, Algeria, San Antonio, Denver, Nashville, New Orleans, and Cincinnati in May.
As usual, Black Hat and DEF CON are coming, both conferences are currently in various phases of prep, but hotel blocks are available.
Speaking of Vegas, B-Sides Las Vegas has started an Indie-Go-Go campaign to raise funds for the summer show, the largest of the B-Sides events. The Las Vegas gathering, now in its fifth year, is the show that started the B-Sides phenomena.
More details are available at the B-Sides and SOURCE Conference websites.
In related news, Indianapolis will be hosting its first major security conference in June, CircleCity Con. If you're so inclined, come hang out in the Hash's hometown and talk shop.
Sign up for CIO Asia eNewsletters.