Barclays scam email exploits new IE flaw

Barclays scam email exploits new IE flaw

Summary: Con artists have begun using an address-hiding flaw to trick Barclays' online banking customers into revealing their personal details

SHARE:
TOPICS: Security
3

Customers of Barclays and other UK banks have been targeted by fraud emails that exploit a recently discovered vulnerability in Internet Explorer allowing attackers to disguise Web addresses, according to security experts.

The Barclays scam email appears to come from the bank, and directs customers to a site posing as Barclays' online banking Web site, ibank.barclays.co.uk. The scam site then asks people to enter their banking details. Other scam emails appearing during the weekend also used this technique, known as "phishing", along with the same IE bug. The organisations targeted include Citibank, Lloyds and PayPal.

Banking scam emails are nothing new, but the use of the IE flaw represents an innovation, according to Internet services firm Netcraft, which analysed the Barclays message.

"As part of our continuing commitment to protect your account and to reduce the instance of fraud on our Web site, we are undertaking a period review of our member accounts," the scam email reads. "You are requested to visit our site by following the link given below. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the Barclays IBank Experience."

The bank last week warned users not to reply to any such emails or follow links that they contain. "Barclays is in no way involved with this scam email and the Web site does not belong to us," the bank said in a security alert on its site. "Barclays does not send emails to customers requesting your security or any other confidential information."

The bank is requesting users to forward fraud emails to internetsecurity@barclays.co.uk.

The email uses a glitch discovered last month that allows a specially crafted URL to load a browser window that appears to be displaying any address the attacker wants.

For example, the source code of the Barclays fraud email contains the link:

http://ibank.barclays.co.uk%01%01%01%01%01%01%01%01%01%01%
01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01@%77%77%77%2E%6E%65%77%79%65%72%73%6
D%2E%63%6F%6D:%38%30/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%
2E %70%68%70

In Internet Explorer, this is designed to display the address "ibank.barclays.co.uk" while actually directing users to a site, now offline, that was hosted by Affinity Internet. The characters such as "%01" encode the real address, which is "http://www.newyersm.com:80/1%2c%2clogon%2c00.php".

The flaw has the potential to undermine users' ability to determine what they should trust, eEye security research engineer Drew Copley said at the time of its discovery.

"If [the address is] appearing legitimate like that, you can get people to download anything, run anything, or get a password or whatever," he explained.

ZDNet Australia's Patrick Gray contributed to this report.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

3 comments
Log in or register to join the discussion
  • If you have more than one bank account (which I have) why not use one of them for internet purchasing only and simply go on line and transfer the exact ammount needed to make the purchase. That way, surely, the account would be empty most of the time (except for the few minutes it takes to make the purchase), so the risk of a third party using your bank details would be severely limited.

    Troy
    anonymous
  • "The bank is requesting users to forward fraud emails to internetsecurity@barclays.co.uk"

    nope, they have now pulled this link from their website and are bouncing all emails sent to that address.

    that didn't last long did it ?
    :-)
    anonymous
  • just to let you know the email address that barclays has supplied has started refusing messages.
    anonymous