Phishers put theft in the frame


Fraudsters are starting to use a technique which allow them to exploit weaknesses in banking websites to display contents from any arbitrary URL within a frame.

Fraudsters use Cross-Frame Scripting to inject their own content into legitimate websites and steal information for unsuspecting users.

Last week it was discovered by internet research company Netcraft that fraudsters exploited a facility which allowed them to display their own content within the Charter One Personal Online Banking secure site at The second incident was discovered at the start of this week and affects the site.

The page is served over an SSL connection and the browser displays a padlock and geniune certificate that confirms the site belongs to Charter One Financial. The phisher's site also uses SSL to avoid warning messages being displayed when a user visits the parent phishing URL.

Paul Mutton, an internet services developer at Netcraft said Cross-Frame Scripting attacks are "very easy for fraudsters to exploit and very easy to notice the opportunity".

"These flaws are easy to fix, but as applications get more complex they get easier to overlook," said Mutton. "Banks should test these websites before going live and should continue testing afterwards."

Charter One Bank has since fixed the problem and said in a statement it "will never email customers and request that they send personal information through the internet, nor through any other means."

As reported in SC Magazine here, phishers are increasingly using cross-site scripting to cheat internet users out of money and steal identities.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.