Because of the massive amount of links you might oversee the hottest offers of this years Phishmarkt, so here we go, the TOP 5:

Place 1 goes to: cia.gov
Place 2 goes to: gmao.gsfc.nasa.gov
Place 3 goes to: cdmrp.army.mil
Place 4 goes to: www.onr.navy.mil
Place 5 goes to: I couldn't decide... xP

At the time of making this website all links worked fine, you can be sure! Keep one thing in mind, the more people visit this site and even the few tests I did will make entries come up in the logs of the servers. It CAN be, that the websites administrators fixed the problem before you could see it. Another reason might be, that something small has changed, if so, why not try it yourself? Some headlines below it is described how to do it!

Short: Because we can!

This is the third time we are doing the Phishmarkt, the first one has been done in Octobre 2006 with help of Heise.de/Security propagating it. The Phishmarkt :: de :: en :: showed vulnerabilities in german bank sites and other institutions. It was a great hit and showed how vulnerable online banking was and often still is... It didn't took long and the next Phishmarkt followed, called Phishmarkt :: at :: due to the fact, that it was based on vulnerabilities found in austrian bank sites. We did this one because austrian banks announced they would be secure: THEY WERE NOT!

This time the Phishmarkt is not related to any bank sites! We furthermore looked over the sea to the United States of America and wanted to check the security of their governmental and military websites. And the result was as expected: SHOCKING! In almost every 5th site tested a vulnerability could be EASILY exploited.

So coming back to the question... We do it because it is our ideology to make such informations available for everyone, who is interested in knowing them, FULL DISCLOSURE! People shall see how insecure things are and how badly security experts work (let's hope, that the government and military at least has them...). They just have to be blamed for the work they've done.

So here, we are again after one year! ENJOY and don't forget the best thing: WE OFFER EVERYTHING FOR FREE TO YOU :) No hidden costs at our market! YeeHA!

Vulnerabilities
The shown vulnerabilities here are not related to viruses, trojans or any other malware on the system of the user. These vulnerabilies are located in the application on the affected web site. In most cases they will work in any browser on any system.

Jeopardy
XSS vulnerabilities have not been fixed, yet, simply ignoring the fact, that the user is in danger if he does not take special care. XSS vulnerabilities are getting more important for phishing. More attacks are shown in Proof of Concepts.

Do it now!
Due to these facts, it is not acceptable anymore, that companies ignore their security problems and stay as threats for the user. There is no 100% security, but it could be expected, that an application takes countermeasures against the known threats and vulnerabilities.

Useless ..
.. are hints and countermeasures like: firewall, SSL/TLS (https), intrusion detection.
Detailled reading of these samples will proove it :-)

If there are any filters present, try this:
- Replace " with "
- Replace ' with '
- Replace > with >
- Replace < with &lt;

... and get your meal :)

But even worse: Most times you don't even need this! So how do you cook the phish then?

In most cases it works like this:
- Find a search field on the page
- Try to attack it with <iframe> ... Does an IFrame come up?
- If not, try evading the value="" field by typing "><iframe>
- Does an IFrame come up? Yes? Start playing with it :) src= width= height= ... HF!

Dear company, these informations are for free! use the saved money and fix (up) your web site.

Dear marketing manager, tell your web developers, that pages with active content (in particular JavaScript, ActiveX) are a security risk.

Dear web developer, why is there no data validation done? it's so simple:
" becomes &quot; etc..

Dear hedge lawyer (if you feel addressed, you're meant:), some buzzwords which don't apply to any of the shown examples:

• data modification on the server
• data sniffing on the server or the client
• bypassing security measures on the server

Though, following applies from the view of a victim, who is attacked by such an malicious example:

• data modification on the client
• data sniffing on the client
• bypassing security measures on the client

The application (= web page) is the source of all these risks! The Application sends the malicious code, at least the link to the malicious code.

Dear webmaster, some pages and hints according security are realy funny. In most cases you are not the author, then simply sign the page with the author's name :-)

This project is proudly present to you by the makers of Wired Security, a place for knowledge exchange and information security. Everything is made available FULL DISCLOSURE! We believe in it! The Phishmarkt is brought to you (like every other Phishmarkt before) by SkyOut.

---

And now... Looking back in history: The older Phishmarkets, it was nice and still works on some sites!

---

2006: Phishmarkt :: de :: && Phishmarkt :: en :: (They are the same, only in two different languages!)

---

You may feel free to send a mail to SkyOut using the email address below. He is the administrator of -|- Wired-Security -|- and shall be contacted for any questions or whatever you want to get rid of...