News
Insight on 360XSS spam campaign from Field CTO/browser security expert
February 2025 by Eran Alshech, Field CTO, Seraphic Security
After the large spam campaign dubbed 360XSS, made possible by an XXS vulnerability exploit in the popular framework called Krpano, the observations from Field CTO Eran Alshech, Seraphic Security.
“The 360XSS campaign highlights an alarming but persistent trend. Attackers are increasingly shifting from malware-based exploits to abusing browser vulnerabilities and web frameworks.
What stands out in this case is how easily and efficiently the attackers leveraged an XSS vulnerability to compromise trusted sites. Rather than deploying sophisticated payloads, they weaponized a publicly known issue, manipulated search results, and hijacked legitimate web properties to distribute malicious content. This underscores how even well-established institutions remain vulnerable when security gaps go unaddressed.
What makes this attack particularly effective is its scalability and stealth. With minimal effort, the attackers infiltrated high-traffic, high-trust websites, allowing them to reach a large audience without needing direct access to user devices. This reflects a larger industry-wide challenge: the ease with which attackers exploit overlooked web application vulnerabilities, often lingering in production systems long after patches are available.
The key takeaway from 360XSS is clear—organizations must reassess their approach to web security and treat the browser as a critical attack vector rather than an afterthought.”
