Capital One's website inadvertently assists phishing
Capital One's website has an unchecked redirect. I'm used to seeing
these exploited by slashdot trolls (e.g., sending people to the goatse
picture when they think they're going to microsoft.com), but this is
the first case in which I've seen one at a bank's website.
I emailed the Capital One people twice about it, but received only
form-letter responses: one telling me that it was a phishing scam, the
other telling me that a response would be forthcoming in 72 hours
(this is when I mentioned bugtraq, which I suspect sets off a
keyword-based response). It's now four business days later, so I'm
assuming that a response is not forthcoming. I thought the bugtraq
crowd might be interested -- it would be nice if the security people
at the banks and credit card companies on this list could rework the
redirect scripts on their websites to only redirect to trusted
URLs. (Incidentally, as of this emailing, the original phisher appears
to have been shut down, but the redirect is still unchecked.)
Try it:
http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=http://en.wikipedia.org/wiki/Phishing
Permalink: http://barillari.org/blog/computers/internet/conephishing.html
best,
--Joe
----- Forwarded message from Joseph Barillari <redacted> -----
Date: Wed, 13 Apr 2005 16:29:45 -0400
From: Joseph Barillari <redacted>
To: webinfo@xxxxxxxxxxxxxx
Subject: Re: Capital One website inadvertently assists phishing
Also -- in the interests of protecting people from this bug, I'm going
to forward this message to the bugtraq mailing list at 4:30pm EST
tomorrow.
best,
--Joe
On Wed, Apr 13, 2005 at 01:54:51AM -0400, Joseph Barillari wrote:
> Hi. I received this phishing message earlier. Unusually, Capital One
> is _helping_ the phishers: they're taking advantage of an unchecked
> redirect script. When a user clicks on the link below, they get
> redirected _by_ Capital One to the phisher's site. I'd recommend that
> you change that redirect script so it starts checking the destination
> link immediately, and shut down the phisher.
>
> best,
>
> --Joe
>
> ----- Forwarded message from "Capital One Representative: Kristina Barker "
> <Kristina.Barker@xxxxxxxxxxxxxx> -----
>
> From: "Capital One Representative: Kristina Barker "
> <Kristina.Barker@xxxxxxxxxxxxxx>
> To: redacted
> Subject: Error: Your Capital One Account Tue, 12 Apr 2005 22:25:00 -0800
> Date: Wed, 13 Apr 2005 03:25:00 -0300
> X-Spam-Flag: YES
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.9 required=3.0 tests=BAYES_60,NORMAL_HTTP_TO_IP,
> RCVD_HELO_IP_MISMATCH,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
> RCVD_NUMERIC_HELO,URI_REDIRECTOR autolearn=no version=3.0.2
>
> Spam detection software, running on the system "bigbox.barillari.org", has
> identified this incoming email as possible spam. The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email. If you have any questions, see
> the administrator of that system for details.
>
> Content preview: Capital One is committed to maintaining a safe
> environment for its community of buyers and sellers. To protect the
> security of your account, Capital One Bank employs some of the most
> advanced security systems in the world and our anti-fraud teams
> regularly screen the Capital One Bank system for unusual activity.
> [...]
>
> Content analysis details: (5.9 points, 3.0 required)
>
> pts rule name description
> ---- ---------------------- --------------------------------------------------
> 0.0 URI_REDIRECTOR Message has HTTP redirector URI
> 2.2 RCVD_HELO_IP_MISMATCH Received: HELO and IP do not match, but should
> 1.2 RCVD_NUMERIC_HELO Received: contains an IP address used for HELO
> 0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL
> 0.4 BAYES_60 BODY: Bayesian spam probability is 60 to 80%
> [score: 0.7218]
> 2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
> [204.210.183.22 listed in dnsbl.sorbs.net]
> 0.1 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
> [204.210.183.22 listed in combined.njabl.org]
>
> Content-Description: original message before SpamAssassin
> Date: Wed, 13 Apr 2005 03:25:00 -0300
> From: "Capital One Representative: Kristina Barker "
> <Kristina.Barker@xxxxxxxxxxxxxx>
> To: 2bslashdot@xxxxxxxxxxxxx
> Subject: Error: Your Capital One Account Tue, 12 Apr 2005 22:25:00 -0800
> X-Spam-Score: 10.407
> X-Spam-Flag: YES
> X-Spam-Level: ********** (10.407)
>
> Capital One is committed to maintaining a safe environment for its
> community of buyers and sellers. To protect the security of your account,
> Capital One Bank employs some of the most advanced security systems in the
> world and our anti-fraud teams regularly screen the Capital One Bank system
> for unusual activity.
>
> We recently have determined that different computers have logged onto your
> Capital One Banking account, and multiple password failures were present
> before the logons. We now need you to re-confirm your account information
> to us. If this is not completed by April 14, 2006, we will be forced to
> suspend your account indefinitely, as it may have been used for fraudulent
> purposes. We thank you for your cooperation in this manner.
>
> In order to confirm your Online Bank records, we may require some specific
> information from you.
>
>
> Click below to verify your account
>
> http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=http://24.232.117.142/bin/capitalone.com/
>
>
> Thank you for your prompt attention to this matter. Please understand that
> this is a security measure meant to help protect you and your account.
>
> We apologize for any inconvenience.
>
> If you choose to ignore our request, you leave us no choice but to
> temporarily suspend your account.
>
> Thank you for using Capital One Bank!
>
> ----- End forwarded message -----
----- End forwarded message -----
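The fix Joe asks for above, a redirect script that only sends users to trusted URLs, as an added example in Python (not Capital One's code; the allowlisted hosts and the fallback URL are assumptions), checked against the two `dest` values that appear in this thread:

```python
"""Allowlist check for the ``dest`` parameter of a redirect endpoint."""
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist: the only hosts the redirector may send a browser to.
ALLOWED_HOSTS = {"www.capitalone.com", "capitalone.com"}
ALLOWED_SCHEMES = {"http", "https"}
# Assumed safe landing page used whenever ``dest`` fails the check.
FALLBACK = "https://www.capitalone.com/"


def safe_redirect_target(dest: str) -> str:
    """Return ``dest`` if it stays on an allowlisted host, else FALLBACK.

    The check is done on the parsed URL, not with a string prefix match,
    so a destination that merely *contains* the bank's hostname (in the
    userinfo part, for instance) is still rejected.
    """
    # Backslashes and CR/LF are never legitimate here; some browsers treat
    # '\' as '/', and CR/LF would allow header injection in the Location line.
    if not dest or "\\" in dest or "\r" in dest or "\n" in dest:
        return FALLBACK
    parts = urlsplit(dest)
    if not parts.scheme and not parts.netloc:
        # Site-relative path such as '/account': stays on this site, keep it.
        # ('//host/...' is parsed as a netloc above, so it never reaches here.)
        return dest if dest.startswith("/") else FALLBACK
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return FALLBACK  # rejects javascript:, data:, scheme-relative '//host'
    if parts.username is not None or parts.password is not None:
        return FALLBACK  # rejects 'http://www.capitalone.com@other.host/'
    host = (parts.hostname or "").lower()  # hostname excludes port/userinfo
    if host not in ALLOWED_HOSTS:
        return FALLBACK
    return dest


def redirect_for_query(query: str) -> str:
    """Pick the destination for redirect.html given its raw query string."""
    dest = parse_qs(query).get("dest", [""])[0]
    return safe_redirect_target(dest)


if __name__ == "__main__":
    # The two redirect URLs quoted in the thread, both sent to the fallback.
    print(redirect_for_query("linkid=SECURITY+VALIDATION&dest=http://en.wikipedia.org/wiki/Phishing"))
    print(redirect_for_query("linkid=SECURITY+VALIDATION&dest=http://24.232.117.142/bin/capitalone.com/"))
```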