Feeds

Barclays scripting SNAFU exploited by phishers

Read trawl about it

Remote control for virtualized desktops

Online scammers are exploiting a redirection script on Barclays' site to make fraudulent emails look more convincing. An alert Reg reader noticed the trick in scam emails he received.

We have yet to hear back from the bank, despite notifying Barclays of a potential problem last Tuesday (8 August). Meanwhile, the exploit (details of which we are withholding) remains open to abuse.

A similar attack, again ostensibly pointing to Barclays' website, but in reality directing surfers towards a phishing net, has been reported by other fraud watchers (see here). The other scams detailed by anti-phishing website MillerSmiles have a URL that more obviously points to something that's nothing to do with the targeted organisation (example here).

Our reader describes how the tactics used in the Barclays scam might trap the unwary: "Barclays Bank's website has a security flaw which will allow a phisher to provide a link which appears to be a legitimate Barclays URL, but actually redirects to fraudulent site. It seems very irresponsible to not do any checking that a URL is internal, or legitimate, before redirecting," he said.

eBay was the target of a similar attack last year. In that case, it took eBay some weeks to address the flaw. We can only hope that Barclays moves quickly to block off the possible route of attack.

Web security firm MessageLabs said redirection attacks that exploit security flaws on target websites are growing in prevalence. "Barclays is not the first. We have stopped several of these attacks in the past year," it said. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.