The page being exploited on the SunTrust site is a framed page, an HTML structure that displays the text of one web page within another. SunTrust was using the technique to display third-party content from Shareholder.com, which provides outsourced investor relations information for corporations. The page was linked from SunTrust’s home page with the following URL:
Visitors with knowledge of HTML can easily recognize that the page at the first URL is inserting the second page into a frame. The phishers constructed a similar URL, using the “
source=” technique to insert a web page from a different remote server. The URL is obfuscated in the e-mail, making it appear to be a legitimate link to the SunTrust web site. A similar obfuscation of the link on SunTrust’s site would have made the vulnerability less obvious. Having the ability to hijack the financial institution’s own site is a big step forward for fraudsters, as it makes their attack much more plausible.
SunTrust Banks, Inc., is headquartered in Atlanta, Georgia, and is among the largest commercial banks in the U.S. As of June 30 SunTrust had total assets of $128.1 billion and total deposits of $85.5 billion. In a statement on its web site, Suntrust says “security is the most important issue SunTrust faces in making Internet Banking available for our customers. Using industry standard security techniques ensures that your personal financial information remains confidential.”
Opportunities for fraudsters to inject their own forms into banks and other financial institutions’ sites are common, but until now, not widely taken advantage of and customers of internet banking systems can expect a spate of similar attacks to follow.
Netcraft provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications.