CU One News

Advanced Phishing Advisory

1-17-08

Simply Put: A new phishing attack has targeted customers of a financial institution in Italy. This attack is unusual because it links to the institution's actual website instead of the fake website most phishing attacks use. Once the customer clicks on the link in the email, they are directed to the institution's website to log on. However, an attack embedded within the link allows the attacker to capture the username and password as the user logs in. The username and password are recorded by the attacker for future use.

Let’s go through an example of what this might look like. A financial institution’s website address is:

https://www.myinstitutionname.com

and the logon page for the institution is:

https://www.myinstitutionname.com/logon.asp.

If this page were vulnerable to XSS, an attacker could send out a link that looks like:

https://www.myinstitutionname.com/logon.asp?user=%20$21script%34source%….

Notice how the domain name is always the same. Most users would only check the target domain, which is the institution's website, so they would inherently trust this link. If clicked, the additional code at the end of the link would run in the browser as part of the financial institution's own page.

Attack Details: The attack uses a cross-site scripting (XSS) vulnerability found in the institution's website. This vulnerability allows the attacker to use a link to the institution's actual website (the site's SSL certificate remains valid) and alter the link to include new code, such as malicious JavaScript or HTML. This code is loaded in the client's browser with the same trust level as the financial website they are visiting. This specific attack injects an IFRAME which opens a new website from Taiwan directly onto the institution's existing website. Screenshots of this specific attack are included in the Netcraft article below.
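To make the link example and the IFRAME injection above concrete, here is an added illustration (not code from the advisory or from any institution) of how a logon page that reflects a query parameter without escaping ends up serving attacker-supplied markup, and how the same page behaves once the value is HTML-escaped. The `user` parameter, the page template and the sample URLs are constructed for this example; the injected frame points at the reserved placeholder `example.invalid`.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical logon page that pre-fills the username field from ?user=...
FORM = '<form method="post"><input name="user" value="{value}"></form>'

def _user_param(url: str) -> str:
    """Extract and percent-decode the 'user' query value (empty if absent)."""
    return parse_qs(urlsplit(url).query).get("user", [""])[0]

def logon_page_vulnerable(url: str) -> str:
    """Reflects the decoded value straight into the HTML: the XSS defect."""
    return FORM.format(value=_user_param(url))

def logon_page_hardened(url: str) -> str:
    """Same page, but the value is HTML-escaped (quotes included) first."""
    return FORM.format(value=html.escape(_user_param(url), quote=True))

def contains_injected_markup(page: str) -> bool:
    """Defender-side check: does the rendered page carry a frame or script
    element the template itself never emits?"""
    return re.search(r"<\s*(iframe|script)\b", page, re.IGNORECASE) is not None

def suspicious_request(url: str) -> bool:
    """Log-screening heuristic: any decoded query value containing a tag
    delimiter is worth flagging for review on a logon endpoint."""
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    return any("<" in v or ">" in v for v in values)

# Constructed sample requests: one ordinary, one carrying an encoded IFRAME
# payload in the style of the attack described in the advisory.
BENIGN_URL = "https://www.myinstitutionname.com/logon.asp?user=jsmith"
ATTACK_URL = ("https://www.myinstitutionname.com/logon.asp?user="
              "%22%3E%3Ciframe%20src%3D%22https%3A%2F%2Fexample.invalid%2F"
              "%22%3E%3C%2Fiframe%3E")

if __name__ == "__main__":
    for url in (BENIGN_URL, ATTACK_URL):
        print("flagged:", suspicious_request(url))
        print("vulnerable:", logon_page_vulnerable(url))
        print("hardened:  ", logon_page_hardened(url))
```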

Countermeasures: This attack is of concern because most anti-phishing material suggests looking at the domain name in the link to see if it is legitimate, or to check for the SSL “lock” at the bottom of the browser window while at the site. Since the domain name and the SSL certificate in this attack belong to the bank, many users could be tricked into putting themselves at risk. Gladiator suggests that all financial institutions review their anti-phishing notices on their websites. They should include a warning to never log in to a secure website by clicking on ANY link in an email, even one with a correct domain name. Users should instead type the domain name into the browser or use a shortcut they have set up.

Email cuone@creditunionone.org with any questions or comments.