When XSS vulnerabilities on bank websites are exploited by phishers, it is too late to undo the unwanted consequences. According to the news by Paul Mutton of Netcraft, fraudsters used a cross-site scripting vulnerability on the website of Banca Fideuram S.p.A. to spread a phishing scam aiming to steal the account details of customers. The phishers were able to inject a modified login form onto the bank's login page, specifically an IFRAME which loads the fake login form from a web server in Taiwan. Even if the login page uses SSL, that does not mean it is secure against XSS attacks.
Customers who are unaware of web security are easily tricked into entering sensitive personal information, especially if the cross-site scripting attack vector is obfuscated.
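As an added example (not code from the Netcraft report or the bank), the reflected-parameter pattern behind this kind of injection beside its HTML-encoded form, a Content-Security-Policy that stops the browser loading a foreign IFRAME even when encoding is missed, and a check that flags frames pointing off-site; the host names and the payload are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a login page that reflects a "msg" query parameter into
# its HTML (status messages such as "session expired" are a common reason).
# The payload is constructed for this illustration; it stands in for the kind
# of injected IFRAME the post describes, whose real markup is not on the page.
BANK_HOST = "bank.example"
INJECTED_MSG = '<iframe src="https://foreign.example/login.html"></iframe>'

TEMPLATE = ("<html><body><p class='status'>{msg}</p>"
            "<form action='/login' method='post'>"
            "<input name='user'><input name='pass' type='password'>"
            "</form></body></html>")

def render_login_vulnerable(msg: str) -> str:
    """Reflects the parameter unescaped: attacker-controlled text becomes markup."""
    return TEMPLATE.format(msg=msg)

def render_login_hardened(msg: str) -> str:
    """HTML-encodes the parameter so the browser shows it as text, not markup."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))

def csp_header() -> dict:
    """Defence in depth: even if an injection slips past encoding, the browser
    will not load frames or scripts from, or submit forms to, another origin.
    TLS on the page does nothing here; encoding and CSP are what matter."""
    return {"Content-Security-Policy":
            "default-src 'self'; frame-src 'self'; script-src 'self'; "
            "form-action 'self'; frame-ancestors 'none'"}

class _FrameCollector(HTMLParser):
    """Collects the src of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def foreign_frames(page: str, own_host: str = BANK_HOST) -> list:
    """Detection check for a served page: every iframe whose host is not ours.
    Relative sources (hostname None) are treated as same-origin."""
    collector = _FrameCollector()
    collector.feed(page)
    return [s for s in collector.sources
            if urlparse(s).hostname not in (None, own_host)]
```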