Fraudsters have used a clever web-programming trick to turn a legitimate banking site into a tool for stealing account information.
Suntrust, a bank based in Georgia, US, has fallen foul of the deception, according to web security experts who received emails designed to swindle customers.
Researchers at UK-based web-monitoring firm Netcraft received emails claiming to come from Suntrust that ask customers to verify their account information using a link embedded in the message.
Advertisement
But the email was not sent from the bank鈥檚 own servers and the web page it linked to contained extra characters in the URL address line 鈥 added on to the bank鈥檚 legitimate web address. So, while the page was hosted by the bank鈥檚 servers, hackers had overlaid it with altered elements to give the appearance of a legitimate 鈥淎ccount Verification鈥 page.
Decoding these altered elements revealed a link to an alternative server controlled by the hackers. Customers entering their account information onto the overlaid page were inadvertently sending their details to the hackers鈥 web server.
Pass it on
Netcraft engineer Paul Mutton says the 鈥phishing鈥 trick is made worse because it exploits the bank鈥檚 own site. 鈥淎s far as the user is concerned, they are visiting a legitimate site,鈥 he says.
Known as a 鈥渃ross-site scripting vulnerability鈥 the trick allows an outsider to add to and alter a real web page with their own text and links. The problem can be exploited when the code used by the website operator 鈥 to process information for their web page 鈥 has not been written specifically to exclude outside, or untrusted, data.
鈥淚f you鈥檙e web programming, you should really make sure data [entered in a URL] is sanitised,鈥 Mutton adds.
Since being informed by Netcraft, Suntrust has modified its site to prevent the trick working. Following a link from one of the phishing emails now produces a genuine log-in web page for the bank, with no connection to the hackers who sent the email.
Experts had previously warned that many sites could be vulnerable to cross-site scripting. A report released in September 2004 by UK computer security firm Next Generation Security suggested that as many as nine out of 10 bank websites could be open to this type of flaw.