Phishing trip at major banks causes security problems


For those unfamiliar with the term, phishing is the use of web sites or spam to trick people into revealing credit card numbers (or other similarly interesting, mostly financial, data). It has been around for a while, but a recent article from InfoWorld does a good job of explaining why this new breed of attack is so potentially confusing to users and how stupid it is that the sites that allow it aren't more responsible.

In particular, an exploit (jargon for a working technique that takes advantage of a flaw in a site, program, or service, in this case at the expense of the site's users) has been discovered and demonstrated by the creator of Zapthedingbat.com; it shows how a user can be fooled into thinking that they are at a legitimate site for a credit card company (such as MasterCard).

This mechanism is much harder to detect than most of the ones used before, because it uses flaws in the legitimate web site itself to display content from other web sites, so the foreign content appears as part of the real site. There are functioning examples on the aforementioned site.

Using the "old" exploits, you could usually look in the URL field of your web browser and notice that the wrong web site was being accessed (such as a misspelled version of the site you expected to visit, or, for the more brash versions, a completely different site). This current series of exploits, however, looks like the web site the user expects to visit, because it uses a flaw in the original web site's design.

The appropriate fix is for the sites in question to tighten up their handling of data coming from the user, which shouldn't be that difficult to do, but they seem to be less than responsive about doing it.
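As an added illustration (not code from the InfoWorld article or from Zapthedingbat.com), here is the kind of flaw that "handling of data coming from the user" refers to, in Python: a search page that echoes a query parameter straight into its HTML, beside the same page with the value encoded before it reaches the browser. The URL, the parameter name and the page markup are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request: a bank's search page echoes its "q" parameter back into
# the HTML it serves. The value stands in for attacker-chosen text that would
# arrive via a link in a phishing mail; it is plain markup, not a real payload.
CONSTRUCTED_URL = "https://bank.example/search?q=<b>Re-enter+your+card+number</b>"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, or '' if it is absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """The flaw: user-supplied text is pasted straight into the page, so any
    markup it carries is rendered by the browser under the bank's own address."""
    return f"<p>Results for: {term}</p>"


def render_hardened(term: str) -> str:
    """The fix: encode the text as data before it is placed in HTML, so the
    browser shows the characters literally instead of interpreting them."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_raw_input(page: str, term: str) -> bool:
    """Check a reviewer or scanner can apply: did the raw term survive into
    the output unchanged (and therefore as live markup)?"""
    return term in page


if __name__ == "__main__":
    term = query_param(CONSTRUCTED_URL, "q")
    print(render_vulnerable(term))
    print(render_hardened(term))
```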

So, in the meantime, be careful of spam (it is probably wise to avoid clicking on links in email that appears to be from financial institutions), and if you need to go to your bank, credit card company, or other financial web site, make sure you type in the URL yourself (or use a bookmark that you, yourself, created).

Fortunately, nobody has been using these attacks for hijacking (recently).