Phishers finding easy prey

By Paul Roberts , Network World , 07/26/2004

Leading financial institutions have adopted a more-aggressive attitude toward online identity-theft cons known as "phishing scams" in recent months. But companies could be unwittingly helping phishers trick online shoppers, says a new report from a U.K. Web developer.

A test of leading financial services Web sites, including those run by MasterCard, NatWest and Reuters Group, revealed that many sites have loosely protected features that scam artists can use to mask their own malicious Web sites, hijacking the names and Web addresses of established institutions, says Sam Greenhalgh, the 19-year-old who operates Web site Zapthedingbat.com.

Greenhalgh is responsible for discovering a vulnerability in Microsoft's Internet Explorer Web browser known as the "%01" vulnerability. That security hole, since closed by Microsoft, has been widely used in scams to disguise the location of phishing Web sites, which online scam artists use to harvest sensitive personal and financial information from their victims. He published a report at zapthedingbat.com on his latest findings. The security lapses at major financial sites are not caused by flawed Microsoft products, Greenhalgh says. Indeed, the trick works with most popular Web browsers. Instead, poorly designed and insecure features on leading Web sites that contain cross-site scripting vulnerabilities are to blame.

Greenhalgh uses the example of the ATM locator feature on MasterCard's Web site. The feature was designed to help people find cash machines that accept MasterCard. Users input a location, including a country and street address, and the Web site provides the location of cash machines in the area. However, because of a cross-site scripting vulnerability in the feature, Greenhalgh injected his own HTML into the fields used by the ATM locator, causing the mastercard.com site to display his content, including a mock form that could be used to harvest information. With the Web browser address bar reading "http://www.mastercard.com" and the MasterCard logo adorning the page, even sophisticated Web surfers would be hard-pressed to prove that they were not interacting with the credit card company instead of scam artists, Greenhalgh says. MasterCard declined to comment for this story.

Among other things, developers should design Web forms such as ATM locators and search engines to validate the data that users enter into the fields and "sanitize" it, removing characters such as brackets ("<" and ">") that are used to render HTML and other computer code, Greenhalgh says. The cross-site scripting vulnerability has been around for a long time but hasn't been exploited by scam artists, says Dave Kurzynski, CTO of Internet brand-protection firm NameProtect, which embarked on an anti-phishing effort with MasterCard in June.

Still, the vulnerability could become more common as "low-hanging fruit" and easier avenues to trick consumers are closed to scammers, Kurzynski says.

"Any Web site that accepts text input and displays it is possibly vulnerable. Any newly written application should be designed with this in mind, and legacy applications in use since this exploit was discovered need to be changed to protect against it," Kurzynski says.
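The flaw Greenhalgh describes and the fix he and Kurzynski recommend, as an added example that is not part of the article: a hypothetical ATM-locator page that echoes the user's search text, shown in a vulnerable form beside a hardened one that encodes rather than strips HTML metacharacters.

```javascript
// Added example (not from the article). The "ATM locator" page and its
// sample input are constructed for illustration.

// Vulnerable: user input is concatenated straight into the HTML response, so
// any markup the user types is rendered by the browser as the bank's own page.
function renderLocatorVulnerable(location) {
  return `<p>Cash machines near: ${location}</p>`;
}

// Hardened: encode every character that has meaning in HTML text or
// attribute context. Encoding rather than deleting "<" and ">" keeps
// legitimate input (a street named "Smith & Sons") intact while neutralising
// any markup it contains.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderLocatorSafe(location) {
  return `<p>Cash machines near: ${escapeHtml(location)}</p>`;
}

// Defensive check for a unit test around output encoding: does the rendered
// HTML contain any tag other than the template's own <p>...</p>?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?p>$/.test(tag));
}

// Constructed sample input: a street name followed by a mock form of the kind
// the article says a scammer could make the real site display.
const sampleInput = 'High Street<form action="http://example.invalid/"><input name="pin"></form>';

console.log(renderLocatorVulnerable(sampleInput)); // browser renders the injected form
console.log(renderLocatorSafe(sampleInput));       // browser shows it as literal text
```

escapeHtml covers HTML text and quoted-attribute contexts only; input reflected into a script block, a URL or a CSS value needs the encoder for that context.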
