Several bank Web sites contain security flaws that can be exploited and used by online fraudsters to launch convincing "frame spoofing" attacks, according to a study by Germany's Heise Security.
The study shows how phishing fraudsters could overlay the Web sites of NatWest, Cahoot, Bank of Scotland, Bank of Ireland, First Direct and Link with spoof frames. Each of these sites is built from a frameset, and a fraudster can load a page of their own into one of the frames inside the bank's own browser window. The browser's address bar and certificate still belong to the bank, while the content the customer sees and types into comes from the attacker.
The same type of attack is also possible against the Web site of the bank-sponsored police unit, the Dedicated Cheque and Plastic Crime Unit.
Heise says one reason that banks have not taken preventative measures to block these tricks is that many phishers continue to use relatively crude attacking methods. But the methods demonstrated in the study cause particular concern because a well-designed phishing trick could be impossible to recognise, even when the user examines the address field and certificate details, since both genuinely belong to the bank.
However, Heise says this problem is well known and some banks - such as HSBC - have implemented measures to protect customers. Although the HSBC site works with frames, the bank's developers have added some JavaScript code that checks the integrity of the frameset, i.e. that every frame was loaded from HSBC's own site. If a foreign page is detected, the user is directed to an error page.
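Heise does not reproduce HSBC's script, so the following is an added illustration of the technique rather than the bank's code. It models browser windows as plain objects so it runs under Node: the bank origin `https://www.example-bank.test`, the error page path and the phisher's origin are assumed placeholders, and the scenario windows are constructed, not real pages. The one real browser behaviour it relies on is the same-origin policy: reading `location` of a window from another origin throws a `SecurityError`, and that exception is itself the signal that a foreign page is sitting in the frameset.

```javascript
// Added example (not HSBC's or Heise's code): a frameset-integrity check of the
// kind the article describes, modelled so it runs under Node without a DOM.
// The bank origin is an assumed placeholder.
const TRUSTED_ORIGIN = "https://www.example-bank.test";

// Minimal stand-in for a browser Window. Reading `location` of a cross-origin
// window throws a SecurityError in real browsers; the model does the same, on
// the assumption that the checking script itself runs on TRUSTED_ORIGIN.
function makeWindow(origin, path, frames = []) {
  const win = { frames, top: null };
  Object.defineProperty(win, "location", {
    get() {
      if (origin !== TRUSTED_ORIGIN) {
        const err = new Error("Blocked a frame from accessing a cross-origin frame.");
        err.name = "SecurityError";
        throw err;
      }
      return { origin, href: origin + path };
    },
  });
  linkTop(win, win); // the outermost makeWindow call wins, as in a browser
  return win;
}

// Point `top` of a window and all its descendants at the top-level window.
function linkTop(win, top) {
  win.top = top;
  win.frames.forEach((f) => linkTop(f, top));
}

// Walk the frameset from `top` and return a list of problems; an empty list
// means every frame was loaded from the expected origin.
function auditFrameset(top, expectedOrigin = TRUSTED_ORIGIN) {
  const problems = [];
  const visit = (win, name) => {
    let loc;
    try {
      loc = win.location;
    } catch (err) {
      // Same-origin policy: if we cannot even read the URL, it is not our page.
      problems.push(`${name}: cross-origin content (${err.name})`);
      return;
    }
    // Readable but not ours (e.g. a document.domain-relaxed sibling subdomain).
    if (loc.origin !== expectedOrigin) {
      problems.push(`${name}: unexpected origin ${loc.origin}`);
      return;
    }
    win.frames.forEach((f, i) => visit(f, `${name}.frames[${i}]`));
  };
  visit(top, "top");
  return problems;
}

// The reverse case: our page has been loaded inside someone else's frame.
function isFramedByStranger(win, expectedOrigin = TRUSTED_ORIGIN) {
  if (win.top === win) return false; // we are the top-level document
  try {
    return win.top.location.origin !== expectedOrigin;
  } catch (err) {
    return true; // unreadable top window => a foreign page is framing us
  }
}

// Decision for the page running the check: null when the frameset is intact,
// otherwise the error page to navigate to (assumed path).
function frameCheckAction(win, errorPage = "/frame-error.html") {
  if (isFramedByStranger(win)) return errorPage;
  if (auditFrameset(win.top).length > 0) return errorPage;
  return null;
}

// Constructed scenarios (not real bank pages).
const intactBank = makeWindow(TRUSTED_ORIGIN, "/frameset", [
  makeWindow(TRUSTED_ORIGIN, "/menu"),
  makeWindow(TRUSTED_ORIGIN, "/login"),
]);

// Frame spoofing: the login frame has been replaced by an attacker's page.
const spoofedBank = makeWindow(TRUSTED_ORIGIN, "/frameset", [
  makeWindow(TRUSTED_ORIGIN, "/menu"),
  makeWindow("https://phisher.example", "/fake-login"),
]);

// Reverse: the attacker frames the real login page inside their own site.
const framedByPhisher = makeWindow("https://phisher.example", "/wrapper", [
  makeWindow(TRUSTED_ORIGIN, "/login"),
]);

function demo() {
  const cases = [
    ["intact frameset", intactBank],
    ["spoofed frame, checked from the menu frame", spoofedBank.frames[0]],
    ["bank page framed by phisher", framedByPhisher.frames[0]],
  ];
  for (const [label, win] of cases) {
    console.log(label, "->", frameCheckAction(win) ?? "ok", auditFrameset(win.top));
  }
}

demo();
```

In a real page the check has to run from every frame, on load and again whenever a frame's `load` event fires, because the injection replaces a frame after the frameset has already loaded and passed a one-off check. Two later developments narrowed the problem: browsers stopped letting an unrelated window target a named frame in another window, and the reverse case (a bank page framed by a stranger) is now declared to the browser with the `X-Frame-Options` or CSP `frame-ancestors` response header rather than detected by script.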
Since releasing the results of its tests, Heise says NatWest has made security improvements that mean its site is no longer easily susceptible to exploitation.