A phishing wolf in sheep's clothing

Scammers are increasingly injecting their own code into legitimate Web page URLs--a threat that could spell trouble for online banks.

Matt Hines Staff Writer, CNET News.com
Matt Hines
covers business software, with a particular focus on enterprise applications.
Matt Hines
2 min read
An easily remedied Web site loophole may be leaving banks and other companies that do business online more susceptible to phishing attacks, according to Netcraft.

Online criminals are increasingly using cross-site scripting flaws to inject their own code into legitimate Web page URLs, the network security services company said in a note posted on its site Monday. With these sites, the attackers can try to dupe unsuspecting consumers into falling for phishing scams.

"The majority of phishing Web sites are only semibelievable, and end users are starting to see through those," said Paul Mutton, an Internet services developer at Netcraft. "But with cross-site scripting, people are more likely to fall for the scam, because the URL actually belongs to a real business. It just has content added by a third party."

According to Netcraft, cross-scripting vulnerabilities in the server applications that support many business sites cause some Web pages to ignore various kinds of data--specifically, JavaScript code. That creates an opening for criminals to push their own JavaScript programs onto legitimate Web pages.

Recently, customers of Citizens Financial Group were the targets of such an attack, Netcraft said. The scam involved a phishing e-mail that exploited a scripting program on the bank's Web site to build an imitation site that attempted to trick customers into sharing their personal data.

Citizens Bank representatives did not return calls seeking comment on the attack.

Netcraft's Mutton said companies should expect to see more of the scripting threats, unless businesses carefully review server applications to eliminate the scripting glitch. Doing so would be more time-consuming than complicated, he said.

Mutton also said banks, the most common targets of phishing threats, have done little to remedy the cross-site scripting problem.

"This is an opportunity that allows criminals to do a pretty good job at misleading consumers, and it's a large problem that the banks really don't seem to be tackling head-on," Mutton said.

Mutton said the scripting attacks differ from the URL-spoofing campaigns that have targeted companies such as online auctioneer eBay. Those ploys typically redirect people to sites that can be discovered as fraudulent with some poking around, he said. By contrast, scripting errors allow scammers to add content such as a fake password log-in system on top of a page that appears completely legitimate.

Cross-scripting flaws can also be used to construct sites that steal the cookies saved on Web browsers. Cookies typically contain private data such as Web site passwords or other Internet usage information.

Mutton said the lion's share of the attacks being created using the technology loophole target financial-services companies. The researcher believes that there is no reason to believe that scammers will change their methods any time soon.

"(Cross-site scripting) can happen on most any Web site; banks are just a big target," he said. "But it's a pretty simple equation: Banks are where the money is, so that's where the criminals are looking for any opening they can find. And this is a big one."