Phish Shut Down At American Express



David Utter
Staff Writer
2006-07-28

Someone who did the coding for the American Express website made an error that allowed a redirect to load a fake Italian bank website into a frame on American Express' search page.

Users should be able to trust a search result on a prominent financial company's site. When that site has not been coded as securely as it should be, the result could leave visitors open to a phishing attack, and put their personal data at risk.

The McAfee SiteAdvisor blog described how one of its engineers discovered that this was happening at AmericanExpress.com. A phishing feed under review contained a link to American Express, and the link carried JavaScript in its URL.

That JavaScript loaded a fake Banka Intesa site into a frame on the American Express page. SiteAdvisor found the fake site was hosted at www.cgieicg.com (no longer online), and worked with American Express to close the hole and shut down the potential exploit.

The more closely a scammer can make a phishing site look and behave like the real thing, the greater the chance that someone will submit their login credentials. The most effective scams resemble the real site, capture the login information, pass it on to the real site after keeping a copy, and then send the user to the legitimate destination.

Here's how the unknown criminals worked the American Express flaw, as uncovered by Dan Nunes at SiteAdvisor:

Dan found that the vulnerability arises from the fact that the query string passed to the search is displayed within the resulting page. Phishers exploited this fact to insert their own code onto the page. Since the resulting page appears to be a legitimate page within the American Express site, an unsuspecting user that fails to notice the "Search results" heading on the page or the formatting errors may be fooled into thinking he or she is sending information to a legitimate banking portal.

This vulnerability is especially glaring when one considers the fact that virtually any script could have been executed by this method. A phisher could have created a fake login form for American Express itself, leaving little clue that a user was giving his or her information to a third party.
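The flaw described above is a reflected cross-site scripting bug: the search term is written back into the results page without encoding, so markup supplied in the URL is rendered as part of the page. The following is an added example, not code from American Express, SiteAdvisor or this article; the hostnames, paths, `q` parameter and sample requests are constructed placeholders. It shows the unsafe echo beside the escaped version and a simple log check a defender could run over search requests.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Minimal results page; the search term is inserted at {q}.
TEMPLATE = "<html><body><h1>Search results</h1><p>You searched for: {q}</p></body></html>"


def render_vulnerable(query: str) -> str:
    """Echo the query into the page unescaped (the pattern the article describes).
    Markup in the query becomes live markup, so a frame or script can be injected."""
    return TEMPLATE.format(q=query)


def render_fixed(query: str) -> str:
    """Escape the query before insertion; markup it carries is shown as literal text."""
    return TEMPLATE.format(q=html.escape(query, quote=True))


def suspicious_search_requests(urls, param="q"):
    """Return request URLs whose search parameter carries HTML markup or a
    javascript: scheme. A cheap server-log check for attempts like the one
    described; it complements, but does not replace, fixing the output encoding."""
    flagged = []
    for url in urls:
        for value in parse_qs(urlsplit(url).query).get(param, []):
            if "<" in value or "javascript:" in value.lower():
                flagged.append(url)
                break
    return flagged


# Constructed sample requests (bank.example and phish.example are placeholders).
SAMPLE_REQUESTS = [
    "https://bank.example/search?q=credit+card+rewards",
    "https://bank.example/search?q=%3Ciframe+src%3D%22https%3A%2F%2Fphish.example%2F%22%3E%3C%2Fiframe%3E",
    "https://bank.example/search?q=javascript%3Avoid(0)",
    "https://bank.example/search?q=travel+insurance",
]

if __name__ == "__main__":
    crafted = '<iframe src="https://phish.example/"></iframe>'
    print("unsafe :", render_vulnerable(crafted))
    print("escaped:", render_fixed(crafted))
    print("flagged:", suspicious_search_requests(SAMPLE_REQUESTS))
```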

People can avoid such problems by typing the URL of a financial or commerce site into the browser themselves, rather than following a link in what looks like an authentic email. If there is any doubt, customers can always call the bank or credit card issuer using the phone number printed on a mailed statement or on the card itself to verify a request.

About the Author:
David Utter is a business and technology writer for SecurityProNews and WebProNews.