Phishers script their way into online banking

There is a solution - but will banks take the time to apply it?

By Matt Hines

Published: 15 March 2005 08:35 GMT

An easily remedied website loophole may be leaving banks and other companies that do business online more susceptible to phishing attacks, according to Netcraft.

Online criminals are increasingly using cross-site scripting flaws to inject their own code into the URLs of legitimate web pages, the network security services company said in a note posted on its site on Monday. With the resulting pages, which are served from the real company's domain, the attackers can try to dupe unsuspecting consumers into falling for phishing scams.

Paul Mutton, an internet services developer at Netcraft, said: "The majority of phishing websites are only semi-believable, and end users are starting to see through those. But with cross-site scripting, people are more likely to fall for the scam, because the URL actually belongs to a real business. It just has content added by a third party."

According to Netcraft, cross-site scripting vulnerabilities in the server applications that support many business sites arise when a web page echoes data supplied in the request, such as a URL parameter, back into the page without checking or encoding it. The browser cannot tell the echoed text from the site's own markup, so any JavaScript included in that data runs as if it were part of the legitimate page. That creates an opening for criminals to push their own JavaScript programs onto legitimate web pages simply by crafting a URL and persuading a victim to click it.

Recently, customers of Citizens Financial Group were the targets of such an attack, Netcraft said. The scam involved a phishing email that exploited a scripting program on the bank's website to build an imitation site that attempted to trick customers into sharing their personal data.

Citizens Bank representatives did not return calls seeking comment on the attack.

Netcraft's Mutton said companies should expect to see more of the scripting threats, unless businesses carefully review server applications to eliminate the scripting glitch. Doing so would be more time-consuming than complicated, he said.

Mutton also said banks, the most common targets of phishing threats, have done little to remedy the cross-site scripting problem.

"This is an opportunity that allows criminals to do a pretty good job at misleading consumers, and it's a large problem that the banks really don't seem to be tackling head-on," Mutton said.

Mutton said the scripting attacks differ from the URL-spoofing campaigns that have targeted companies such as online auctioneer eBay. Those ploys typically redirect people to sites that can be discovered as fraudulent with some poking around, he said. By contrast, scripting errors allow scammers to add content such as a fake password log-in system on top of a page that appears completely legitimate.

Cross-site scripting flaws can also be used to steal the cookies that a site has saved in the victim's browser. Cookies typically hold the session identifier that keeps a customer logged in, and sometimes other private data, so a stolen cookie can let an attacker act as the customer without ever learning the password.

Mutton said the lion's share of the attacks being created using this loophole target financial-services companies, and he sees no reason to believe that scammers will change their methods any time soon.

"[Cross-site scripting] can happen on most any website; banks are just a big target," he said. "But it's a pretty simple equation: banks are where the money is, so that's where the criminals are looking for any opening they can find. And this is a big one."

Matt Hines writes for CNET News.com.
