Phishers Manipulate SunTrust Site to Steal Data

A new phishing attack alters the SunTrust Bank web site, allowing fraudsters to collect customer authentication details using the bank's own site. The attack inserts a form into a frameset within the investor relations area of the SunTrust web site, giving the outward appearance that it is part of the bank's official site.

The spoofed page includes a form and asks the user to provide their Social Security number, ATM card number, ATM password/PIN, and the last four digits of their Suntrust account. The "bait" in this phishing scam is an email with the subject "SunTrust Bank - Suspicious Activity Suspected" with a spoofed return address of "services@suntrust.com." The mail tells SunTrust customers that "your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information." The mail includes a link to the investor relations page of the SunTrust site, which is manipulated to insert the spoofed page from a remote server at the IP address 194.47.244.145, located at Lund University in Sweden.

The page being exploited on the SunTrust site is a framed page, an HTML structure that displays the text of one web page within another. SunTrust was using the technique to display third-party content from Shareholder.com, which provides outsourced investor relations information for corporations. The page was linked from SunTrust's home page with the following URL:

http://www.suntrust.com/common/Frameset/Investor_Relations/frameset.asp?

source=http://www.shareholder.com/suntrust/

Visitors with knowledge of HTML can easily recognize that the page at the first URL is inserting the second page into a frame. The phishers constructed a similar URL, using the "source=" technique to insert a web page from a different remote server. The URL is obfuscated in the e-mail, making it appear to be a legitimate link to the SunTrust web site. A similar obfuscation of the link on SunTrust's site would have made the vulnerability less obvious. Having the ability to hijack the financial institution's own site is a big step forward for fraudsters, as it makes their attack much more plausible.

SunTrust Banks, Inc., is headquartered in Atlanta, Georgia, and is among the largest commercial banks in the U.S. As of June 30 SunTrust had total assets of $128.1 billion and total deposits of $85.5 billion. In a statement on its web site, Suntrust says "security is the most important issue SunTrust faces in making Internet Banking available for our customers. Using industry standard security techniques ensures that your personal financial information remains confidential."

Opportunities for fraudsters to inject their own forms into banks and other financial institutions' sites are common, but until now, not widely taken advantage of and customers of internet banking systems can expect a spate of similar attacks to follow.

Netcraft provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications.