Study: MasterCard, others unwittingly help ‘phishers’

Leading financial institutions have adopted a more aggressive attitude toward online identity theft cons known as “phishing scams” in recent months. But companies, including MasterCard International, may be unwittingly helping phishers trick online shoppers, says a new report from a U.K. Web developer.

A test of leading financial services Web sites, including sites run by MasterCard, NatWest and Reuters Group PLC revealed that many sites have loosely protected features that scam artists can use to mask their own malicious Web sites, hijacking the name and Web address of established institutions, said Sam Greenhalgh, who is 19 and operates the Web site Zapthedingbat.com.

Greenhalgh is responsible for discovering a vulnerability in Microsoft’s Internet Explorer Web browser known as the “%01” vulnerability. That security hole, since closed by Microsoft, was widely used in phishing scams to disguise the location of phishing Web sites, which online scam artists use to harvest sensitive personal and financial information from their victims. He published a report at zapthedingbat.com on his latest findings.

Phishing scams are online crimes that use unsolicited commercial, or “spam,” e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account or credit card number, often under the guise of updating account information.

The security lapses at major financial sites are not caused by flawed Microsoft products, Greenhalgh said. Indeed, the trick works with most popular Web browsers. Instead, poorly designed and insecure features on leading Web sites that contain “cross-site scripting” vulnerabilities are to blame, he said.

Greenhalgh uses the example of an “ATM Locator” feature on MasterCard’s Web site. The ATM Locator was designed to help MasterCard holders locate cash machines that accept MasterCard. Users input a location, including a country and street address, and the Web site provides the location of cash machines in the area. However, because of a cross-site scripting vulnerability in the feature, Greenhalgh was able to inject his own HTML into the fields used by the ATM Locator, causing the mastercard.com site to display his content, including a mock form that could be used to harvest information.

With the Web browser address bar reading “http://www.mastercard.com” and the MasterCard logo adorning the page, even sophisticated Web surfers would be hard put to prove that they were not interacting with the credit card company instead of scam artists, Greenhalgh said.

“The danger for Joe Public is in increasing his susceptibility,” Greenhalgh said. “Phishing attacks have been around a long time and usually they’re very easy to spot – you can look in the address bar and see you’re not at mastercard.com. But these flaws allow phishers to actually use the legitimate site. As a user, it’s very hard to tell,” he said.

MasterCard declined to comment for this article. NatWest did not immediately respond to a request for comment.

Web search features are a common source of cross-site scripting flaws, especially those that echo back the requested search word or phrase to users, Greenhalgh said.

Greenhalgh’s Web site notes similar flaws in seven other sites, including attacks on search features at reuters.com, Internet payment service WorldPay Ltd. and NatWest, part of The Royal Bank of Scotland PLC.

“In effect what I am doing is using something that is designed to trust user input too much,” he said.

Among other things, developers should design Web forms like ATM locators and search engines to validate the data that users enter into the fields and “sanitize” it, removing characters such as brackets () that are used to render HTML and other computer code.

The flaws are easy to fix, but have been overlooked for years. Still, Greenhalgh doesn’t believe that the cross-site scripting holes have been exploited in phishing attacks at the institutions he named, at least not yet.

The cross-site scripting vulnerability is an old exploit that has been around for a long time, but hasn’t yet been exploited by scam artists, said Dave Kurzynski, CTO of Internet brand protection firm NameProtect.

Still, the vulnerability could become more common as “low hanging fruit” and easier avenues to trick consumers are closed to scammers, he said.

The cross-site scripting problems at leading financial services sites couldn’t be used to distribute malicious code, unlike a recent flaw in Microsoft’s Internet Information Services Web server. However, they could be used to fool Web surfers into downloading malicious code, such as ActiveX programs created by scam artists or hackers, he said.

Shoddy coding by Web developers is mostly responsible, but the companies are also to blame, he said.

“I think it’s a matter of the attitude that both developers and their employers have to their product and the quality of service that they are giving to customers. Quality of service not just a factor of what the customer perceives. It’s a whole package.”

Companies from across industries should be looking at their Web sites and Web-based applications carefully with cross-site scripting vulnerabilties in mind, Kurzynski said.

“Any Web site that accepts text input and displays it is possibly vulnerable. Any newly written application should be designed with this in mind and legacy applications in use since this exploit was discovered need to be changed to protect against it,” he said.

Greenhalgh did not notify companies mentioned in the report about the problems. Doing so would only allow them to correct the problem without addressing the larger security issues facing their sites, he said.

“It’s fixing the symptom and not the problem,” Greenhalgh said.

The number of phishing attacks has risen sharply in recent months, according to industry groups.

The number of unique phishing attacks reported to the Anti-Phishing Working Group (APWG) increased 6% in May to 1,197, with an average of 38.6 reports each day. Financial services companies are the primary target of the scams, according to the APWG.

In June, MasterCard announced a partnership with NameProtect to combat phishing. The two companies are combining their efforts, giving MasterCard access to data from NameProtect’s technology, which can search and filter large volumes of Internet content to find online scams. The companies will also work with law enforcement to shut down Internet sites and tools used by identity thieves, according to a joint statement.

Raising public awareness of the flaws may be the only way to spur widespread action, Greenhalgh said.

“If they get egg on their face, that’s par for the course. I think that might help in a way,” he said.