Capital One's website inadvertently assists phishing

[Joseph Barillari <bugtraq () barillari org>]

Capital One's website has an unchecked redirect. I'm used to seeing
these exploited by slashdot trolls (e.g., sending people to the goatse
picture when they think they're going to microsoft.com), but this is
the first case in which I've seen one at a bank's website.

I emailed the Capital One people twice about it, but received only
form-letter responses: one telling me that it was a phishing scam, the
other telling me that a response would be forthcoming in 72 hours
(this is when I mentioned bugtraq, which I suspect sets off a
keyword-based response). It's now four business days later, so I'm
assuming that a response is not forthcoming. I thought the bugtraq
crowd might be interested -- it would be nice if the security people
at the banks and credit card companies on this list could rework the
redirect scripts on their websites to only redirect to trusted
URLs. (Incidentally, as of this emailing, the original phisher appears
to have been shut down, but the redirect is still unchecked.)

Try it:
http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=http://en.wikipedia.org/wiki/Phishing

Permalink: http://barillari.org/blog/computers/internet/conephishing.html


best,


--Joe





----- Forwarded message from Joseph Barillari <redacted> -----

Date: Wed, 13 Apr 2005 16:29:45 -0400
From: Joseph Barillari <redacted>
To: webinfo () capitalone com
Subject: Re: Capital One website inadvertently assists phishing

Also -- in the interests of protecting people from this bug, I'm going
to forward this message to the bugtraq mailing list at 4:30pm EST
tomorrow. best, --Joe

On Wed, Apr 13, 2005 at 01:54:51AM -0400, Joseph Barillari wrote:
> Hi. I received this phishing message earlier. Unusually, Capital One
> is _helping_ the phishers: they're taking advantage of an unchecked
> redirect script. When a user clicks on the link below, they get
> redirected _by_ Capital One to the phisher's site. I'd recommend that
> you change that redirect script so it starts checking the destination
> link immediately, and shut down the phisher. 
>
> best,
>
> --Joe
>
> ----- Forwarded message from "Capital One Representative:  Kristina Barker " <Kristina.Barker () capitalone com> -----
>
> From: "Capital One Representative:  Kristina Barker " <Kristina.Barker () capitalone com>
> To: redacted
> Subject: Error: Your Capital One Account Tue, 12 Apr 2005 22:25:00 -0800
> Date: Wed, 13 Apr 2005 03:25:00 -0300
> X-Spam-Flag: YES
> X-Spam-Level: *****
> X-Spam-Status: Yes, score=5.9 required=3.0 tests=BAYES_60,NORMAL_HTTP_TO_IP,
>       RCVD_HELO_IP_MISMATCH,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
>       RCVD_NUMERIC_HELO,URI_REDIRECTOR autolearn=no version=3.0.2
>
> Spam detection software, running on the system "bigbox.barillari.org", has
> identified this incoming email as possible spam.  The original message
> has been attached to this so you can view it (if it isn't spam) or label
> similar future email.  If you have any questions, see
> the administrator of that system for details.
>
> Content preview:  Capital One is committed to maintaining a safe 
>   environment for its community of buyers and sellers. To protect the 
>   security of your account, Capital One Bank employs some of the most 
>   advanced security systems in the world and our anti-fraud teams 
>   regularly screen the Capital One Bank system for unusual activity. 
>   [...] 
>
> Content analysis details:   (5.9 points, 3.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  0.0 URI_REDIRECTOR         Message has HTTP redirector URI
>  2.2 RCVD_HELO_IP_MISMATCH  Received: HELO and IP do not match, but should
>  1.2 RCVD_NUMERIC_HELO      Received: contains an IP address used for HELO
>  0.0 NORMAL_HTTP_TO_IP      URI: Uses a dotted-decimal IP address in URL
>  0.4 BAYES_60               BODY: Bayesian spam probability is 60 to 80%
>                             [score: 0.7218]
>  2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
>                             [204.210.183.22 listed in dnsbl.sorbs.net]
>  0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
>                             [204.210.183.22 listed in combined.njabl.org]
>
>
>
> Content-Description: original message before SpamAssassin
> Date: Wed, 13 Apr 2005 03:25:00 -0300
> From: "Capital One Representative:  Kristina Barker " <Kristina.Barker () capitalone com>
> To: 2bslashdot () barillari org
> Subject: Error: Your Capital One Account Tue, 12 Apr 2005 22:25:00 -0800
> X-Spam-Score: 10.407
> X-Spam-Flag: YES
> X-Spam-Level: ********** (10.407)
>
> Capital One is committed to maintaining a safe environment for its 
> community of buyers and sellers. To protect the security of your account, 
> Capital One Bank employs some of the most advanced security systems in the world 
> and our anti-fraud teams regularly screen the Capital One Bank system for 
> unusual activity.
>
> We recently have determined that different computers have logged onto your 
> Capital One Banking account, and multiple password failures were present before the 
> logons. We now need you to re-confirm your account information to us. If this is 
> not completed by April 14, 2006, we will be forced to suspend your account 
> indefinitely, as it may have been used for fraudulent purposes. We thank you for 
> your cooperation in this manner. 
>
> In order to confirm your Online Bank records, we may require some specific
> information from you.
>
>  
> Click below to verify your account 
>  
> http://www.capitalone.com/redirect.html?linkid=SECURITY+VALIDATION&dest=http://24.232.117.142/bin/capitalone.com/
>
>
> Thank you for your prompt attention to this matter. Please understand that this is 
> a security measure meant to help protect you and your account. 
>
> We apologize for any inconvenience.
>
> If you choose to ignore our request, you leave us no choice but to temporaly suspend
> your account.
>
> Thank you for using Capital One Bank!
>
>
>
>
> ----- End forwarded message -----

----- End forwarded message -----