heise Security IT security news and services at heise Security UK

Frame spoofing

Our first example concerns the on-line banking login page of the National Westminster Bank. The standard login page can be seen in a separate window by clicking here: Open. The small padlock icon at the bottom right of the window shows that the page is SSL secured, and clicking on the icon brings up the certificate. The certificate details are shown positioned over the main login screen in the following image:

Now, click on the following link which will insert a demo page into this frameset: Insert. This inserts a notification from heise Security into the Nat West page. In the screenshot below, the result of this is shown, together with the certificate details for this new page as before. Notice that the certificate details are the same as in the previous shot, with the real Nat West page. Not even this gives a clue that something improper has happened.

Notice also that the address field still shows the correct address of the Nat West login page and the lock icon at the bottom will still show the intact encryption.

[Update 24.9.2006] Nat West changed their page, so that this trivial demo does not work any more. As their page is still using frames, it is still vulnerable to frame spoofing attacks (as of 26.9.2006). But because these attacks require advanced techniques, heise Security is not publishing a demonstration for this attack.[/Update]

Real attackers could easily automate the above two steps and insert a page that mimics the look and feel of the real Nat West page. It would be easy for an attacker to copy the bitmaps and other details that make up that real page, and use these to construct one that appears identical. The user could then be asked for data such as PINs, TANs and passwords, and every such piece of information could be sent directly to the attacker's server.

So, have we hacked the Nat West login system with this demonstration? Not at all. All that appears on screen is the result of HTML instructions that are processed in the user's computer. The server running the login has played no part in this, and would be completely "unaware" that anything untoward had been happening. The vulnerability that allows this demonstration, and perhaps a real attack, to succeed, lies in the HTML code for the login that is sent to the user's computer by the Nat West server.

The National Westminster is not alone in having such a vulnerability. The following banks and associated organisations also possess a similar vulnerability. With each of these, click on the "Open" link in order first to see the normal page, and then click on the "Insert" link to see the heise inserted page:

Cahoot (Open Insert).

The Bank of Scotland (Open Insert).

The Bank of Ireland (Open Insert).

First Direct (Open Insert).

LINK (Open Insert).

Dedicated Cheque and Plastic Crime Unit (Open Insert).

Perhaps one reason that these banks have not taken preventative measures to block such tricks is that many phishers continue to use quite crude methods and yet are still managing to trick sufficient users to make their effort worthwhile. The methods we have demonstrated here are a little more sophisticated, and cause particular concern because a well designed phishing trick could be impossible to recognise even when a user takes the trouble to examine not only the page itself, but also the address field and certificate details.

These problems have been known for many years, and some banks have taken the trouble to protect their customers at least from this level of trickery. A good example is the UK's largest bank, HSBC. Although its site works with frames, the developers have added some JavaScript code that regularly checks the integrity of the frameset. If a foreign page is detected, the user is directed to an error page and given some very sensible advice on how to proceed in the future:

HSBC (Open Insert).
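The following is an added example, written for this page and not code from heise Security, HSBC or any of the banks named above, of the kind of frameset integrity check the previous paragraph describes. It assumes a hypothetical frameset served from `https://bank.example` (a constructed origin) and an error page at `/frame-error.html`. The frameset document periodically reads the location of each of its child frames; a frame that a foreign site has replaced is on another origin, so reading its location either yields a foreign origin or throws a cross-origin error, and either case sends the user to the error page. Each page also checks that it sits inside its own top-level window, so it cannot itself be embedded in a foreign frameset.

```javascript
// Added example: frameset integrity check of the kind the article describes.
// TRUSTED_ORIGIN and ERROR_PAGE are assumptions, not values from the page.
const TRUSTED_ORIGIN = "https://bank.example"; // constructed origin
const ERROR_PAGE = "/frame-error.html";        // assumed error page path

// Return the origin of an href, or null if it cannot be parsed.
function originOf(href) {
  try {
    return new URL(href).origin;
  } catch (e) {
    return null;
  }
}

// Inspect a list of {name, href} frame descriptors and return the names of
// frames that are not served from trustedOrigin. A descriptor with href null
// stands for a frame whose location could not be read (cross-origin content),
// which is treated as foreign as well.
function findForeignFrames(frames, trustedOrigin) {
  const foreign = [];
  for (const f of frames) {
    const origin = f.href === null ? null : originOf(f.href);
    if (origin !== trustedOrigin) foreign.push(f.name);
  }
  return foreign;
}

// Decide where the top-level document should navigate, if anywhere.
// Returns null when every frame is still on the trusted origin.
function integrityRedirect(frames, trustedOrigin, errorPage) {
  const foreign = findForeignFrames(frames, trustedOrigin);
  if (foreign.length === 0) return null;
  return errorPage + "?frames=" + encodeURIComponent(foreign.join(","));
}

// Browser-only: build frame descriptors from a live window object. Reading
// the location of a frame that now holds another site's content throws a
// SecurityError, which is recorded as href === null.
function describeFrames(win) {
  const out = [];
  for (let i = 0; i < win.frames.length; i++) {
    const frame = win.frames[i];
    let href;
    try {
      href = frame.location.href;
    } catch (e) {
      href = null;
    }
    out.push({ name: frame.name || String(i), href });
  }
  return out;
}

// Browser-only: run the check immediately and then every intervalMs.
// Called from the frameset document and from each child page.
function installFramesetGuard(win, trustedOrigin, errorPage, intervalMs) {
  function check() {
    let topOrigin = null;
    try {
      topOrigin = originOf(win.top.location.href);
    } catch (e) {
      // cross-origin top window: our page has been framed by a foreign site
    }
    if (topOrigin !== trustedOrigin) {
      // Navigating a cross-origin top window is permitted even when reading it is not.
      win.top.location.href = trustedOrigin + errorPage;
      return;
    }
    const target = integrityRedirect(describeFrames(win.top), trustedOrigin, errorPage);
    if (target !== null) win.top.location.href = trustedOrigin + target;
  }
  check();
  return win.setInterval(check, intervalMs);
}

// Only install the guard when running inside a browser.
if (typeof window !== "undefined") {
  installFramesetGuard(window, TRUSTED_ORIGIN, ERROR_PAGE, 1000);
}
```

The pure functions `findForeignFrames` and `integrityRedirect` carry the decision logic and can be tested without a browser; only `describeFrames` and `installFramesetGuard` touch `window`. The check is deliberately strict about scheme as well as host, so a frame swapped to a plain-HTTP copy of the bank's own hostname is also reported.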
