Bicycle Bandits And Phishing

Further to my post about the phishing incident at SunTrust, you don’t always need to be that sophisticated to rob a bank. All you need is a bicycle.

Late last month, the Richmond Times-Dispatch in Virginia reported that a man entered the SunTrust bank in Richmond “shortly before 11 a.m. and made a verbal demand for money. He displayed no weapon. After receiving an undisclosed amount of cash, the man fled on a bicycle heading west toward the Toys “R” Us store.” Clearly a man keen to get his kids’ Christmas shopping out of the way ahead of the rush.

It may not be the first time the Bicycle Bandit has hit. The Dispatch reports: “Police are investigating whether the man is the same person who robbed the Bank of Richmond at 8905 Fargo Road on Nov. 15. In that case, the robber also escaped on a bicycle.” Quite a getaway.

Could this be the same guy behind the phishing attack? Was he just probing the bank’s vulnerabilities, and decided to opt for cross-site scripting rather than a bicycle-borne attack?

The Phishing War Escalates

The guys at Netcraft, a British security consultancy that has done a good job of tracking, exploring and warning about phishing, say they’ve come across the first case of cross site scripting being used in the wild for phishing purposes. This isn’t as arcane as it sounds, since it allows phishers to make their lure appear to even the wariest eye to be from a legitimate source — your bank.

Usually the weak link in a phishing email is the link itself. However much they disguise it phishers can’t get away from the fact that they are trying to lure the victim to a site that is not the bank or other institution they’re pretending it is. Cross site scripting lets them do so.

This is done by phishers exploiting a vulnerability to ‘inject’ their own code into the legitimate website. It’s this code that the link will appear to go to in the phishing email — and so will begin with a legitimate bank URL — www.citibank.com, or whatever. The URL will then, without the victim’s knowledge, load some JavaScript from somewhere else to redirect the user to another site. This is what some fraudsters have done with a SunTrust bank phish, which Netcraft says was sent in large numbers in recent days. Netcraft says SunTrust has so far failed to reply to their emails:

Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank’s own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.

If true (and I’ve no reason to doubt it; Netcraft know what they’re doing) this is a pretty sad state of affairs. I have two main concerns: Firstly that banks still don’t seem to understand what they’re dealing with, and don’t respect security companies enough to keep up a dialogue with them so these problems are nipped quickly in the bud, and secondly, I suspect these kind of attacks render most ‘anti-phishing tool’s useless. This is not only annoying, but dangerous.

Something I’ve noticed in recent months is a shift on the part of anti-virus manufacturers to push out software that will protect the user from phishing attacks. This is just bad marketing, and foolish. Nothing can protect the individual from phishing attacks than their own wariness and savvy. To suggest tools can will just give people a false sense of security. Examples like this SunTrust case prove the point, which I’ve banged on about for nearly a year now, that phishing is a war of escalating technology and that pushing out some feeble toolbar and suggesting it will protect the user from all such attacks is irresponsible, and thoroughly underestimates the scale of the problem and the kind of adversary we face.