Bank Web Site Hit by Fraud Hijackers

A Georgia-based bank found its Web site turned into a phisher, but the hijacking was unraveled when some of the phishing emails landed in the lap of a British Web-monitoring company.

Suntrust was victimized by a programming trick that turned its Web site into a tool for phishing attacks – emails made to resemble the bank's actual correspondence, trying to trick customers out of account information.

But some of the fake mails went to Netcraft, which determined that the emails didn't come from Suntrust's own servers and that extra characters were in the address line of the URL to which the emails linked.

Netcraft determined that the hackers involved in the scheme overlaid the actual Suntrust page with altered elements to make it look like a legitimate account verification page. Decoding the alterations turned up a link to an alternative server controlled by the hackers, according to several published reports.

The technique is known as cross-site scripting, and lets outsiders add or alter actual Web pages with their own text and links, Netcraft said, adding that the flaw becomes exploitable when the site operator's own code is not written to reject or neutralize data supplied from outside the site.
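As an added illustration, not code from the article, Netcraft or the bank: a hypothetical page that reflects a URL parameter unencoded next to the encoded fix, plus the check a monitoring service could run on a suspect link to find an embedded link pointing at another server. The template, the "msg" parameter name and both hosts are constructed.

```python
import html
import re
from urllib.parse import urlparse, parse_qs

# Constructed, hypothetical page template (not the bank's code): the "msg"
# parameter taken from the URL is reflected into the page body.
TEMPLATE = ("<html><body><p>{msg}</p>"
            "<form action='/login'><input name='user'></form></body></html>")

def render_vulnerable(msg: str) -> str:
    """Reflects the parameter verbatim, so markup in the URL becomes part of the page."""
    return TEMPLATE.format(msg=msg)

def render_hardened(msg: str) -> str:
    """HTML-encodes the parameter: it can only be displayed as text, never parsed as tags."""
    return TEMPLATE.format(msg=html.escape(msg, quote=True))

_HREF = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def foreign_link_hosts(url: str) -> list[str]:
    """Decode a link's query string and return the hosts of any href= values
    embedded in it that differ from the link's own host. A non-empty result is
    the signal described above: a bank URL carrying a link to another server."""
    parsed = urlparse(url)
    own_host = (parsed.hostname or "").lower()
    hosts = []
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        for value in values:  # parse_qs already percent-decodes each value
            for target in _HREF.findall(value):
                host = (urlparse(target).hostname or "").lower()
                if host and host != own_host:
                    hosts.append(host)
    return hosts

# Constructed sample links; both hostnames are placeholders.
PHISH_LINK = ("https://bank.example/verify?msg="
              "%3Ca+href%3D%22http%3A%2F%2Fattacker.example%2F%22%3EVerify%3C%2Fa%3E")
CLEAN_LINK = "https://bank.example/verify?msg=Welcome+back"

if __name__ == "__main__":
    payload = parse_qs(urlparse(PHISH_LINK).query)["msg"][0]
    print(render_vulnerable(payload))   # the injected <a> tag lands in the page
    print(render_hardened(payload))     # the same input is shown as harmless text
    print(foreign_link_hosts(PHISH_LINK), foreign_link_hosts(CLEAN_LINK))
```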

Netcraft advised Suntrust of the anomaly and the hijacking, and Suntrust promptly modified the site to keep the trickery from working. Anyone getting one of the Suntrust phish now gets a legitimate login for the bank's actual Web site, a login having no ties to the hijackers, who remain of undetermined identity and origin.

Cyberspace has actually been bracing somewhat for that kind of hijacking attempt. Next Generation Security, another British computer security company, warned in September that up to nine out of ten bank Web sites could be prone to that kind of phishing hijack.