Much more interesting is the way the iPhone connects the Web browser and the phone. As the author of a Web site, you can embed a telephone number in a web page like this:
<a id="phone_home" href="tel:1-900-867-5309">call me!</a>
window.document.url = "tel:1-900-867-5309"
When that code runs, the user will be prompted "1-900-867-5309 (call) (cancel)". If the user accepts, the phone dials. Now you can turn phishing into money faster than ever before because the payload is the product: victims dial a 900 number, and the money starts rolling in. By the way, setting up a 900 number is easy.
Alternatively, use a cross-site scripting vulnerability to have a banking Web site initiate a call to a fake technical support number. What's the first thing the fake support rep asks for? Your account information of course! After all, you called them, so they need to "confirm your identity". Once again, an old scam gets new legs with a little help from the latest technology, and once again the ante on cross-site scripting goes up.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.