Study: MasterCard, others unwittingly help 'phishers'

Leading financial institutions have adopted a more aggressive attitude toward online identity theft cons known as "phishing scams" in recent months. But companies, including MasterCard International Inc., may be unwittingly helping phishers trick online shoppers, says a new report from a U.K. Web developer.

A test of leading financial services Web sites, including sites run by MasterCard, NatWest and Reuters Group PLC revealed that many sites have loosely protected features that scam artists can use to mask their own malicious Web sites, hijacking the name and Web address of established institutions, said Sam Greenhalgh, who is 19 and operates the Web site Zapthedingbat.com. (See: http://www.zapthedingbat.com.)

Greenhalgh is responsible for discovering a vulnerability in Microsoft Corp.'s Internet Explorer Web browser known as the "%01" vulnerability. That security hole, since closed by Microsoft, was widely used in phishing scams to disguise the location of phishing Web sites, which online scam artists use to harvest sensitive personal and financial information from their victims. He published a report at zapthedingbat.com on his latest findings.

Phishing scams are online crimes that use unsolicited commercial, or "spam," e-mail to direct Internet users to Web sites controlled by thieves, but are designed to look like legitimate e-commerce sites. Users are asked to provide sensitive information such as a password, Social Security number, bank account or credit card number, often under the guise of updating account information.

The security lapses at major financial sites are not caused by flawed Microsoft products, Greenhalgh said. Indeed, the trick works with most popular Web browsers. Instead, poorly designed and insecure features on leading Web sites that contain "cross-site scripting" vulnerabilities are to blame, he said.

Greenhalgh uses the example of an "ATM Locator" feature on MasterCard's Web site. The ATM Locator was designed to help MasterCard holders locate cash machines that accept MasterCard. Users input a location, including a country and street address, and the Web site provides the location of cash machines in the area. However, because of a cross-site scripting vulnerability in the feature, Greenhalgh was able to inject his own HTML (Hypertext Markup Language) into the fields used by the ATM Locator, causing the mastercard.com site to display his content, including a mock form that could be used to harvest information.

With the Web browser address bar reading "http://www.mastercard.com" and the MasterCard logo adorning the page, even sophisticated Web surfers would be hard put to prove that they were not interacting with the credit card company instead of scam artists, Greenhalgh said.

"The danger for Joe Public is in increasing his susceptibility," Greenhalgh said. "Phishing attacks have been around a long time and usually they're very easy to spot -- you can look in the address bar and see you're not at mastercard.com. But these flaws allow phishers to actually use the legitimate site. As a user, it's very hard to tell," he said.

MasterCard declined to comment for this article. NatWest did not immediately respond to a request for comment.

Web search features are a common source of cross-site scripting flaws, especially those that echo back the requested search word or phrase to users, Greenhalgh said.