300+ Bank homepages hacked and redirected!

Summary: A little more than half of the 600 hosted bank sites were modified to redirect traffic, which puts the total number of banks affected at over 300. The homepages of those banks were modified so that they would direct all online banking traffic to a malicious site in Madrid, Spain to collect login credentials from unsuspecting customers.

Goldleaf Technologies, a unit of Goldleaf Financial Solutions, Inc. that provides homepage services for financial institutions and banks, had one of its servers hacked last Thursday on May 25th.  I was initially alerted to this by a concerned customer who received an email notice from his bank that ALL customer passwords had been reset to their default password.  Several news outlets covered the story by merely posting the official Goldleaf press release verbatim, which characterized the breach as a "phishing incident", so the details were initially murky.

The AP Wire was one of the few that characterized the incident as a security breach, and it quoted a Goldleaf spokesperson as saying that 150 to 175 sites were affected.  When I asked Goldleaf's spokesperson, he characterized the AP information as wrong and told me that a little more than half of the 600 hosted bank sites were modified to redirect traffic, which puts the total number of banks affected at over 300.  The homepages of those banks were modified so that they would direct all online banking traffic to a malicious site in Madrid, Spain to collect login credentials from unsuspecting customers.

While this is technically similar to phishing, it isn't the same thing, because phishing normally involves spoofed emails that purport to be from the bank when they're really from criminals, who send emails with legitimate-looking URLs that instead send you to a malicious webpage.  In this case, the actual bank homepage is what's redirecting you to the malicious site, which could only happen if the bank's homepage was compromised.  This tends to be a bit more dangerous since customers usually expect some safety when they're surfing the real banking site.
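A defender-side check for the tampering described above, added here as an example and not taken from Goldleaf or the original post: it parses a bank homepage and reports every link, form action, frame, script or meta refresh that would send a visitor to a host outside an allowlist. The domain names, the allowlist and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that can send a visitor (or their credentials) elsewhere.
URL_ATTRS = {"a": "href", "area": "href", "form": "action",
             "iframe": "src", "script": "src"}


class TargetCollector(HTMLParser):
    """Collects, in document order, every URL the page points a browser at."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, raw_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = URL_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.targets.append((f"{tag}[{attr}]", attrs[attr]))
        # <meta http-equiv="refresh" content="0; url=..."> redirects without a click.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            _, _, rest = (attrs.get("content") or "").partition(";")
            key, _, url = rest.strip().partition("=")
            if key.strip().lower() == "url" and url.strip():
                self.targets.append(("meta[refresh]", url.strip(" '\"")))


def host_allowed(host, allowed_domains):
    """True if host is an allowed domain or a subdomain of one (suffix on a dot)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def find_offsite_targets(html, page_url, allowed_domains):
    """Return [(kind, absolute_url)] for every target outside the allowlist.

    Redirects performed by inline script are not parsed here; comparing the
    page's hash against a known-good copy covers that case.
    """
    parser = TargetCollector()
    parser.feed(html)
    findings = []
    for kind, raw in parser.targets:
        absolute = urljoin(page_url, raw.strip())
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https"):
            continue  # mailto:, tel: and similar carry no host to compare
        if not host_allowed(parts.hostname or "", allowed_domains):
            findings.append((kind, absolute))
    return findings


# Constructed sample data: a hosted bank homepage and two tampered copies.
PAGE_URL = "https://www.firstbank.example/"
ALLOWED = {"firstbank.example", "bankvendor.example"}
CLEAN_HOME = """<html><head><title>First Bank</title></head><body>
<script src="/js/site.js"></script>
<a href="/about.html">About us</a> <a href="mailto:info@firstbank.example">Mail</a>
<form action="https://secure.bankvendor.example/login" method="post">
<input name="user"><input name="pass" type="password"></form>
</body></html>"""
TAMPERED_FORM = CLEAN_HOME.replace(
    "https://secure.bankvendor.example/login",
    "http://firstbank.example.collector.test/login")  # lookalike host
TAMPERED_META = CLEAN_HOME.replace(
    "<head>", '<head><meta http-equiv="refresh" content="0; url=//collector.test/ob/">')

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_HOME), ("form", TAMPERED_FORM), ("meta", TAMPERED_META)]:
        print(name, find_offsite_targets(page, PAGE_URL, ALLOWED))
```

Run on a schedule against each hosted homepage, a non-empty result is the alert condition.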

Goldleaf representatives were extremely careful not to use the word hack and instead focused on the word "redirect".  This isn't surprising since a company handling most of the world's Visa credit card transactions literally went out of business in the course of weeks after a hacking incident.  In Goldleaf's defense, their security administrators noticed and stopped the malicious activity within 90 minutes of the initial compromise and they immediately notified the authorities and all of the banks that they were hosting.  The problem is that Goldleaf's servers were hacked in the first place, but at least they were quick to respond.

The truth of the matter is that this type of exploit isn't a whole lot different than banks not using SSL for their online banking user login which I have been hammering lately.  Goldleaf has at least fixed their issue in a matter of hours when I still can't get banks to implement SSL after weeks.  Even when I followed up on the subject and called the major credit card companies like Chase and American Express, I was given the run-around by public relations that someone will get back to me but I haven't heard a thing in weeks.  When banks are so lackadaisical to begin with about E-Commerce security and customer data, it doesn't help the security situation and all of us as consumers end up absorbing the losses in higher costs in goods.

The banks complain about email phishing scams, but they won't even do something as simple and inexpensive as implementing S/MIME digital signatures for official email notifications to their own customers.  S/MIME is a ubiquitous standard that allows nearly every email client in the world to do strong authentication and encryption.  It seems like until there is more pressure on the banking institutions to do the right thing, they're going to continue being sloppy as usual.  As a customer of one of the guilty non-SSL banks, I'm considering changing to a bank that cares a little more about security if they aren't willing to change.

  • 2 remarks...

    And how often are you planning to be in Europe, George? :p (In Europe we can log in safe in our bank accounts.)

    That 90 minutes response time could be much longer when the 'hackers' started their hack from their living area 'somewhere' in Asia in the morning. In that case, US banks are closed and won't open for another 12 hours, thus enlarging the window of opportunity for stealing log in credentials.

    "Unless there are other safety measures in place"
    Arnout Groen
    • Ok, rub it in

      Ok, rub it in on us Americans :). Yeah yeah, I know the European banks don't do this and they often use smartcards.
      • But why..

        don't they (US Banks) use them?

        I can't believe that US banks consist of a bunch of mules, donkeys and morons.... (Well, perhaps they are on a technological level).

        In Europe, login into a bank account goes something like this:

        Username = bankaccountnumber + cardnumber
        You'll get a login code from the bank, which you enter into your identifier... You'll get a response, which is your real login code to get access to your bank account.

        To provide that login code a few input parameters are necessary for an algorithm: Account number, card number, Personal Identification Number, current date/time.

        This is just an extra layer of defence against abuse. (WE use SSL). How is this done in the US?
        Arnout Groen
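A sketch of the challenge-response login described in the comment above, added here as an illustration; it is not part of the original comments and not any bank's actual algorithm. The per-card secret, the use of HMAC-SHA256, the 60-second window and all sample numbers are assumptions, and for simplicity the bank side holds the same inputs as the device.

```python
import hashlib
import hmac
import secrets

STEP = 60  # seconds per time window (assumed value)


def device_response(card_key, account, card, pin, challenge, now):
    """What the hand-held identifier shows after the challenge is typed in."""
    window = int(now // STEP)
    msg = "|".join((account, card, pin, challenge, str(window))).encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    def __init__(self):
        self.customers = {}  # username -> (card_key, account, card, pin)
        self.pending = {}    # username -> outstanding challenge

    def enroll(self, account, card, pin, card_key):
        # Username = bank account number + card number, as in the comment.
        self.customers[account + card] = (card_key, account, card, pin)

    def issue_challenge(self, username):
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[username] = challenge  # replaces any older challenge
        return challenge

    def verify(self, username, response, now):
        challenge = self.pending.pop(username, None)  # each challenge is single use
        record = self.customers.get(username)
        if challenge is None or record is None:
            return False
        key, account, card, pin = record
        # Accept the current window and the previous one to absorb clock skew.
        for drift in (0, -1):
            expected = device_response(key, account, card, pin,
                                       challenge, now + drift * STEP)
            if hmac.compare_digest(expected, response):
                return True
        return False


def replay_demo():
    """Returns (legitimate login, replay of same code, old code on new challenge)."""
    bank = Bank()
    key = secrets.token_bytes(32)
    account, card, pin = "123456789", "0042", "4321"  # constructed sample values
    bank.enroll(account, card, pin, key)
    user = account + card
    t0 = 1_700_000_000.0

    challenge = bank.issue_challenge(user)
    code = device_response(key, account, card, pin, challenge, t0)
    legitimate = bank.verify(user, code, t0 + 5)

    # A login code recorded by a credential-collecting page and submitted later:
    replay_same = bank.verify(user, code, t0 + 10)  # challenge already consumed
    bank.issue_challenge(user)
    replay_new = bank.verify(user, code, t0 + 15)   # code bound to the old challenge
    return legitimate, replay_same, replay_new


if __name__ == "__main__":
    print(replay_demo())
```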
        • My Honest Opinion, and it hurts to say this

          The Majority of Americans fit into 3 stereo types: Fat, Lazy, and Stupid.

          Most companies work along a re-active instead of pro-active standard. This involves everything. until something goes wrong, why should we fix it? Most Americans don't care to change their ways either. Consumers are as bad as the companies they buy from. They choose to eat out more rather than cook at home. And if they choose to cook at home, they have to have something that requires little more than a microwave or possibly use the stove.

          Until Americans and I mean all Americans, refuse to change their instant gratification mentality, they will continue to become lazier and more complacent and lose their #1 spot in the world.
          • LOL

            You type the truth... and yet someone will come and bash you for it and that is the pity!
            Linux Advocate
          • Oh, that's why...

            One of our politicians is going to work at the American Enterprise Institute.

            A big chance her deception and deceit won't be noticed by Americans.
            Arnout Groen
          • Oh We will notice

            We just will be too lazy to care or do anything about it. In the US, Stupid is really the wrong way to describe Americans, I just use it hoping that some one will try to prove me different.

            The most any Americans would probably do is complain at the water cooler. Past that, Americans just don't care to act. Usually too inconvenient. Even if they do, they are easily misled to assume that a solution is an easy one. Such as with Gas Prices, they think that Bio fuels or Hybrids will make the evil oil companies go away. Some of them don't care to consider moving closer to work or walking, or finding some mass transit system. I am amazed that over in Japan, they have huge amount of parking spots at manufacturing facilities for bicycles. At my place, even though I live right out side of town, there are a total space for 10 bikes. This is a factory that employs over 1000 people. I think I have seen 3 bikes at the most used. One of the people who uses it is Chinese. Wonder why that is.

            Americans can't use common sense to fight the battle of the bulge. They would rather go spend money at the gym rather than walk to work. Guess which one would save more money?

            I know that this rant is lengthy, but I can't help but be pissed at the gross complacency of my nation. After all, I want to take a girl out this weekend, I have to spend $50 dollars just to get her there and back because Joe Blow is too lazy to walk to work. I would rather spend that money on the hard working waitress that will be serving me. Or maybe a new iMac just to argue with George more on that subject.

            Another example that continues to piss me off is the cities of the US. People get sick of a neighborhood looking trashy, so they move just outside of town to a newly developed suburb, then it gets trashed, and they move to another suburb. Soon you have 12346239147 trashed suburb and a dying downtown and you can't figure out why downtown can't get business, rent apartments, or look decent. Cityfolk, Fix your neighborhoods up before moving out of them. New York City is making great strides to fix up a lot of their neighborhoods. St. Joseph Missouri is another place that is trying to promote cleaner neighborhoods. Take up after them. Then quit sprawling and get a mass transit system.

            One last thing that I wish would make a comeback is the railway system. I think that would help transportation through most of America. Our rails are crap and they need to be fixed.

            Egad, with all that wind, perhaps I should take a stab at politics.
          • Well...

            Enjoy the weekend with your girlfriend, but get used to spending money if you're building up a serious relationship. (E.g: Why spending money on a new Imac, We need to redecorate the house or you/i need to buy new clothes)

            Maybe it's cheaper to date George ;-). After all:
            He got 2 jobs, can pay for his own meal and hardware and can participate in a dinnertable discussion about hard/software.

            NO HARD FEELINGS George... (just to make sure)

            About cleaning up your neighborhood; I agree on that point, but remember that's an educational issue. If children don't learn to clean up their mess, how do you think they will act as grown up adults?

            About the railway system: What's the chance they'll improve. From what i know about the US, probably zero. That is, as long as your (US) airlines are selling tickets at dump prices and oil and gas are relatively cheap. (In Europe we pay 1.5 US dollars a litre.)
            Arnout Groen
          • nice rant

            So, are you one of the other 2 bikes at your work, or are you just full of crap about how other people are the problem?
          • I am part of the problem

            I won't deny that I am not part of the problem, but I am slowly trying to fix my problem. If I set the example, will I lead the way? Probably not, but for those who do, I gladly cheer on.

            If I haven't given up my car, you may ask what do I do to help become less of a problem. I walk to the local taverns instead of drive, which saves on gas and DUIs. They are about a mile away. I walk to my gym, which is about half a mile away. I cut down on using electricity by not watching the tele and reading a good book instead, "Hacker's Handbook" was last night. I don't eat out as much as I used to, which cuts out on the economy, but is better on my health. I don't own an SUV, but instead a Super Charged car, which I guess is still part of the problem. I refuse to drive a hybrid though, I feel that the long term effects of the battery are not any better for the environment than the gasoline engines.

            I do work out more and strive to expand my knowledge by learning Nihongo written and spoken. Still having a tough time on the Kanji Characters. My goal is also to learn Hangul and Espanol.

            So... Am I fat, lazy, and stupid. Sure, but at least I am making an effort to counter that.

            I figure I will be ready to start biking to work some time in July. I want to be in shape first.
          • Wow! You are so on

            the money!!!! Well put observation.
          • yup, too true, and it DOESN'T hurt for me to say it

            I am sick and tired of the average American's mentality. The average American wants EVERYTHING served up on a silver platter, and doesn't want to work even ten seconds for it.
            Not only that, but on top of it, Americans have this elitist attitude like they're better than the rest of the world, and "rightfully" so. They feel like the higher standard of living America has over most other countries is because Americans somehow are just "better" people and are more "with it", and not because the US government has been aggressively raping the world since the second half of the 20th century.
            Most Americans have never even held a gun in their whole lives, and yet feel "justified" in illegally invading one country after another on the drop of a whim.
            The only reason Americans are marginally interested in politics nowadays is because finally the US government is coming to bankrupt and enslave them, like it has been doing to the rest of the world for decades. So their interest is PURELY self-interest, and thus can't be looked at as though it's in any way noble.
            Americans are NEVER going to change their instant gratification mentality, because they don't want to, and big industry is only too happy to keep cashing in on Americans' seemingly endless indulgent desires.
            Americans value entertainment MUCH MORE than they do real freedom, which is precisely why America is being dismantled with what seems relative simplicity.

            We're coming up to the 5th anniversary of 9/11, a mass homicide carried out in broad daylight, and STILL there has not been an official thorough investigation. How can anyone possibly sympathize with a people who are OK with mass murder not being investigated? I hate to say this, but apparently Americans are deserving of more 9/11s, and they will get them at some point in the future..and considering how easily the US government was able to snooker people with 9/11, I unfortunately will not be the least bit surprised when the government fights tooth and nail to avoid an official investigation into whatever future terrorist acts occur on US soil, destroy most all the evidence, needlessly classify the rest, and then try to shame anyone that dares question whatever sorry scientifically impossible conspiracy theory the US government expects everyone to believe without suspicion..
            ..and Americans will swallow another round of horse crap like good wittle complacent slaves..
            Spicoli the Cannoli
          • You were doing fine until the last paragraph

            I don't take your dim view of Americans (I am one), but I thought most of your criticisms had some merit.

            "We're coming up to the 5th anniversary of 9/11, a mass homicide carried out in broad daylight, and STILL there has not been an official thorough investigation."

            Oh I see. So the 9/11 Commission was just a whitewash then? Sorry, that doesn't wash with me. The closest thing we've had to a legitimate challenge to the 9/11 Commission's findings was an investigation into a purported Pentagon-authorized operation called "Able Danger". The accusation was that the people in on the operation had gathered information about some of the 9/11 hijackers before the attack, but were blocked from sharing it with authorities who could've acted and maybe stopped the attack before it occurred. The whistleblowers on the matter didn't dispute that the hijackers were in fact the ones the government named, but rather claimed that Able Danger had information on a few of them in 2000, during the closing months of the Clinton Administration.

            "and then try to shame anyone that dares question whatever sorry scientifically impossible conspiracy theory the US government expects everyone to believe without suspicion..
            ..and Americans will swallow another round of horse crap like good wittle complacent slaves.."

            You know I think more Americans would listen to you if you'd lay off the conspiracy theory crap. Making general statements of this nature isn't going to get you any legitimacy.
            Mark Miller
          • try learning more..

            ..yes, the 9/11 Commission WAS a whitewash, but more importantly, it was not an investigation into the crime itself but rather the supposed "intelligence failures". This would be like a police department calling off an investigation into a homicide, and instead "investigating" why police didn't respond quickly enough to the victim who called in to report a break-in, as though this makes up for investigating the crime itself.

            "The closest thing we've had to a legitimate challenge to the 9/11 Commission's findings was an investigation into a purported Pentagon-authorized operation called "Able Danger"."

            Well, you see, once again if you were more informed you'd know that there were so many discrepancies in what was presented at the 9/11 Commission that an entire book was written on it! (http://www.amazon.com/gp/product/1566565847/sr=8-2/qid=1149269212/ref=pd_bbs_2/002-4143912-8864028?%5Fencoding=UTF8)

            "You know I think more Americans would listen to you if you'd lay off the conspiracy theory crap."

            People like yourself truly make me laugh. You attack anyone that questions 9/11 as a conspiracy theorist, and yet don't even stop to think and realize that what the US government has presented as the "official version" of events is ALSO a conspiracy theory!!!..unless you can point me to all that ample freely available HARD EVIDENCE conclusively proving beyond all doubt that Osama bin Laden and Al-Qaeda were the true sponsors of 9/11..either cough up the evidence, or continue to look like a MORON.. ;-)
            Spicoli the Cannoli
          • Speak for yourself, Spicoli

            I saw a videotape the military had recovered from Afghanistan where bin Laden discusses with his cohorts how he watched the attacks on TV. In it he discussed that he knew when they were going to happen, and he knew how many planes he was expecting to hit targets.

            In an audio recording of a meeting he had with others, he discusses how he noticed that there was supposed to be a 4th plane to hit a building that didn't hit its target.

            In the videotape he also talked about how he was surprised that the towers collapsed so completely. He said he debated with his collaborators before the attack about how much damage the planes would do to the WTC. He said he expected that the floors above the crash site would collapse/fall over, but that the lower floors would remain standing. He attributed the total collapse to "the hand of Allah", crushing them.

            I saw/heard these tapes on cable news, as well as other cable outlets. I may have seen the videotape on the internet as well. I was very interested in reading the whole translated dialog, which was shown in subtitles below the video. All of their discussion was of course in Arabic, a language I'm not familiar with. So I had to count on the government's translators to understand what they were saying.

            Secondly, documents were recovered from Mohammed Atta's living quarters, which spoke in a kind of coded language about which buildings they were going to hit. One of them I remember was called something like "the ministry of defense" (the Pentagon), the other, which did not get hit, was "the house of legislation". Again, what I learned of them was what was translated from Arabic into English.

            Thirdly, I heard the story about how the airline stewardess on one of the flights that crashed into the WTC phoned in to her airline the names of the passengers who were the hijackers. She passed on the information during the hijacking, but before the crash, of course. She had the passenger manifest, and knew where they were sitting before the attack commenced on her flight. This list was then passed on to the FBI, I believe. All of the names she mentioned sounded Middle Eastern. Mohammed Atta was one of the names on her list. The government gathered up the other passenger manifests for the other flights that crashed. They took the known list from the flight attendant on the one flight that crashed into the WTC and drew connections to the other hijackers on the other flights. How they did this, I don't know. It's possible they used CIA information, but I'm just speculating. Some of the hijackers were people that the CIA had on its list of known terrorists, before the attack occurred. The problem was that the CIA had little to no relationship with the INS, the agency that handles immigration matters. Secondly, even if the CIA had information, it would've been difficult for them to act. There was a legal wall of separation between the CIA and FBI. The CIA was forbidden from taking actions within the U.S. It's the FBI's job to do that, but they're strictly in the mode of prosecuting criminals. They would have had a hard time accepting information from the CIA, since the FBI cares about proper gathering of evidence for presentation in court. In general, the government was not organized to anticipate this sort of attack. It was organized to fight the Cold War, which had been over for more than 10 years. Nobody said the government is organized efficiently.

            So yes, I'm convinced that Al Qaeda committed this act of war. You'd have to convince me of a lot of other things for me to believe that the government coordinated the attack on itself.
            Mark Miller
          • Fat, Lazy, and Stupid.

            You missed the arrogance, intolerance, and greed.

            Jack-Booted EULA
          • And everyone else is perfect I guess, especially the terrorist nations

            If anyone's lazy, the Europeans work far less than Americans. As for the other stuff, I'm sure you probably feel that the rest of the world is better, especially the terrorist nations.
          • hmmm.

            There you go jumping to conclusions and making assumptions, again.

            And what exactly do terrorists have to do with the premise presented, cupcake?

            But, come to think of it, I'd be willing to guess that they're anything but fat or lazy. Stupid, maybe, esp. the ones that get caught.

            Jack-Booted EULA
          • We can't have the terrorists getting caught now could we

            "Stupid, maybe, esp. the ones that get caught."

            We can't have the terrorists getting caught now could we.
          • There's a general difference between...

            Europeans and Americans....

            You live to work, while we work to live.

            This doesn't mean every European and American lives by this rule :o
            Arnout Groen