Spoofed subdomains?
Just a thought.
Lately, the phishing emails I have been seeing have a lot of subdomains like ww9.domain.tld.
I am so innocent about all this that I just took it to be that the malware script had picked up some load balancing on the real domain. Any script that checks URLs for malware will probably hit a 404 error.
But have the ISP send some junk from these invented URLs and anything could be being injected.
Here are a few [edited] examples from recent phishing mails:
http://www7.abbey.co.uk/servlet?host=
http://obj5.nwolb6.com/customerupdate?poolid=
http://www2.abbey.com.shell54.com/servlet
http://sys6.natwestbusiness2.com/customerupdate?refid=
All the above give me an unknown server response, except for shell54.com, which blocks access to root.
The 'real' URLs come from the text part of the phishing mails.
With so many banks using JavaScript and cookies for login forms, the data a little XSS could harvest is frightening. Time for the banks to change their validation model?
Run for cover: where is my tinfoil hat?
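The check a reader would want to run on hostnames like the ones quoted above is to find the registrable domain (the part whoever registered it actually controls) and compare that, not the leading labels, against the brand the mail claims. The following is an added example, not the poster's code or anything from the mails; the allowlist of "trusted" bank domains and the tiny set of multi-label public suffixes are assumptions chosen for illustration, and the sample URLs are the ones quoted in the post.

```python
from urllib.parse import urlsplit

# Constructed, illustrative set of multi-label public suffixes. A real tool
# should use the full Public Suffix List (e.g. the `publicsuffix2` package).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# Assumed allowlist of the domains the mails claim to come from. Not taken
# from the original post; chosen only to demonstrate the comparison.
TRUSTED_DOMAINS = {"abbey.co.uk", "abbey.com", "nwolb.com", "natwest.com"}

# The [edited] URLs quoted in the post above.
SAMPLE_URLS = [
    "http://www7.abbey.co.uk/servlet?host=",
    "http://obj5.nwolb6.com/customerupdate?poolid=",
    "http://www2.abbey.com.shell54.com/servlet",
    "http://sys6.natwestbusiness2.com/customerupdate?refid=",
]


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label).

    'www2.abbey.com.shell54.com' -> 'shell54.com'. Every label to the left of
    the registrable domain is a subdomain chosen by the owner of shell54.com,
    so 'abbey.com' appearing there proves nothing about Abbey.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(url: str) -> dict:
    """Classify a URL by its registrable domain rather than its subdomains."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)

    if reg in TRUSTED_DOMAINS:
        # A numbered subdomain such as www7 is the domain owner's business;
        # load balancing looks exactly like this and is not itself suspicious.
        verdict = "trusted-domain"
    elif any(f".{t}." in f".{host}." for t in TRUSTED_DOMAINS):
        # A whole trusted domain embedded as subdomain labels of something else.
        verdict = "embedded-lookalike"
    elif any(t.split(".")[0] in reg.split(".")[0] for t in TRUSTED_DOMAINS):
        # Brand name inside a different registrable domain (nwolb6, natwestbusiness2).
        verdict = "brand-lookalike"
    else:
        verdict = "unknown-domain"

    return {"url": url, "host": host, "registrable": reg, "verdict": verdict}


if __name__ == "__main__":
    for result in map(classify, SAMPLE_URLS):
        print(f"{result['verdict']:20} {result['registrable']:28} {result['url']}")
```

Only the first URL sits inside a domain on the assumed allowlist; the other three are registered by someone else and merely carry the bank's name in a subdomain or in the registered label itself, which is the point worth teaching to anyone who reads a hostname left to right.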