Netcraft has warned of an "extremely convincing" scam on an Italian banking website that shows the way cross-site scripting vulnerabilities can make phishing attacks nearly impossible to spot.

The attack, targeting Banca Fideuram, reaches users via the usual route of an authentic-looking email using a pretext to ask users to log into the bank's site, according to Netcraft, a Bath-based Internet services company.

Where the attack differs from the run-of-the-mill is that it in effect runs on the bank's own website, using a genuine SSL certificate issued to Banca Fideuram.

The email uses a specially crafted URL which takes advantage of a cross-site scripting (XSS) vulnerability to inject a modified login form onto the bank's login page, according to Netcraft.

Despite the SSL certificate, the attackers have been able to inject an IFRAME into the login page, loading a login form which is hosted on a web server in Taiwan, according to Netcraft handler Paul Mutton.

"This attack highlights the seriousness of cross-site scripting vulnerabilities on banking websites," Mutton said in an advisory last week. "It shows that security cannot be guaranteed just by the presence of 'https' at the start of a URL, or checking that the browser address bar contains the correct domain name."

Mutton noted that while the attack simply injects an IFRAME - a common way of inserting external content into a web page - a malicious payload could be delivered using the vulnerable GET parameter. In that case the browser would, in addition to displaying "https" at the start of the URL, also display a locked padlock icon, according to Mutton.

The attackers have used several other methods to make the attack difficult to detect, even by automated security filters, Mutton said.

For one, the URL used by the attack injects a series of numbers directly into a JavaScript function call that already exists on the bank's legitimate LoginServlet page, making the bogus URL nearly identical to the real one.

The injected content from Taiwan includes encoded JavaScript used to display Italian text, possibly an attempt to bypass automated security filters, Mutton said.

The injected form transmits users' data to Taiwan before redirecting users to the bank's unaltered homepage, Mutton said.
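The class of flaw described above, a GET parameter copied into an existing JavaScript function call on a login page, is shown next to two server-side fixes in this added example, which is not code from the bank's site or from Netcraft. The function `initLogin`, the `step` parameter and the `/static/login.js` path are hypothetical, and the sample inputs are constructed.

```javascript
// Added example. initLogin, the "step" parameter and /static/login.js are
// hypothetical names, not taken from the bank's page.

// Vulnerable pattern: a GET parameter is copied verbatim into an inline
// script, inside the argument list of an existing function call.
function renderVulnerable(params) {
  return `<script>initLogin(${params.get("step")});</script>`;
}

// Fix 1: the parameter is meant to be a number, so accept nothing else.
// Anything that is not 1-6 ASCII digits falls back to a default of 0.
function parseStep(raw) {
  return /^[0-9]{1,6}$/.test(raw ?? "") ? Number(raw) : 0;
}

// Fix 2: keep request data out of script source entirely. The value goes
// into an HTML attribute (HTML-escaped) and a static script reads it.
function escapeHtmlAttr(s) {
  return String(s).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
}

function renderHardened(params) {
  const step = parseStep(params.get("step"));
  return `<form id="login" data-step="${escapeHtmlAttr(step)}"></form>` +
         `<script src="/static/login.js"></script>`;
}

// Response header that limits the damage if an injection is missed: no
// inline script, and frames and form targets restricted to the site itself.
const CSP =
  "default-src 'self'; script-src 'self'; frame-src 'self'; form-action 'self'";

// Constructed sample inputs (not from the real attack).
const benign = new URLSearchParams("step=3");
const tampered = new URLSearchParams(
  "step=" + encodeURIComponent("3);injected("));

console.log(renderVulnerable(tampered)); // request text becomes script source
console.log(renderHardened(tampered));   // non-numeric value replaced by 0
console.log("Content-Security-Policy:", CSP);
```

With the policy in `CSP` applied, a frame loaded from another origin, like the one Netcraft describes, would be refused by the browser even if the injection itself succeeded.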

Netcraft said it has contacted Banca Fideuram and blocked the phishing site in its own anti-phishing toolbar and in PhishFeed, a data set licensed to third parties.