Online banking sites are under active scrutiny by fraudsters, who are keen to detect and exploit opportunities to run their frauds on banks’ own sites. Taking advantage of mistakes in applications and web site management, fraudsters have been able to run phishing scams on sites belonging to Visa, Mastercard, SunTrust, Charter One, and Citizens Bank.
Typically this has been achieved through use of cross site scripting and redirection URLs present on banks’ sites. Open redirects have not previously been thought of as a security risk, because they do not allow access to a company’s computer systems. However, fraudsters are actively using open redirects to facilitate their phishing scams. These tactics are rather analogous to borrowing a bank’s sign and premises to execute a sting.
Redirection URLsRedirects are quite abundant on large web sites, where server side scripts are employed to redirect users to different parts of the web site. Redirecting a user in this manner (as opposed to linking directly to the target URL) offers two key advantages:
- The user does not need to be redirected to the target URL immediately. For example, the user could be presented with a login form which then redirects the user to the target URL after they have logged in successfully.
- The company can easily track how many times a user visits a particular target URL, even if it is on an external site. This is particularly useful for tracking clicks on adverts or affiliate links.
Risks of Open RedirectsOpen redirects found on banking or financial web sites are liable to be exploited by fraudsters to create a link to their site via the open redirect on the bank’s web site. This makes the link look genuine, as it will appear to point to a page on the bank’s web site and is particularly plausible if the bank’s site is served using SSL, as the bank’s SSL certificate will be used. When a user clicks on the link, they may be unaware that they have been redirected to the phishing site.
ExamplesFraudsters have previously exploited an open redirect on the eBay web site:
At a casual glance, this URL would appear to be genuine and one would certainly expect it to display a page belonging to eBay. However, the function of this page was to redirect to a different URL that could be embedded within the eBay URL.
Because this page allowed redirection to arbitrary URLs, a fraudster exploited this weakness by sending out many mails asking people to visit this URL to update their eBay account details. When a user clicked on the link, they were redirected to a phishing site at http://18.104.22.168/UpdateCenter/Login/ . The IP address in the original URL was deliberately obfuscated by the fraudster to make it look less suspicious.
Another recent attack saw fraudsters exploiting an identical vulnerability on the Visa web site:
The URL redirected users to a phishing site hosted at http://22.214.171.124/.verified/ , and used a common browser vulnerability to spoof the real URL in the address bar.
While cross site scripting and open redirects are both attractive to fraudsters, open redirects are – if anything – more pervasive and even easier for fraudsters to locate and exploit. Netcraft now provides a service to detect these and offer advice to banking and financial sites to reduce their level of fraud facilitation.