enigma1 - 2:03 pm on Dec 11, 2008 (gmt 0)
Many site owners completely forget about that. For an attacker this approach is superior because: 1. The site owner trusts his site or his accounts. Active content filtering can be completely off. Ex: when you log in to your Google accounts, don't you have these active content/scripts running? Otherwise how are you gonna see all these nice calendars, maps and analytics results? And you may see a warning from your anti-virus program about it a month later. But by then it's too late. So in essence the site owner may give full control to the attacker. It's ironic but common.
Perhaps one of the most efficient attacks is to hijack the browser of the site owner either via some clickjacking or active control/plugin.
2. With his hijacked browser he now accesses his admin, cPanel, database, external accounts, mail, you name it.