Barclays scam email exploits new IE flaw
Old 13-01-2004   #1
net1

Con artists have begun using an address-hiding flaw to trick Barclays' online banking customers into revealing their personal detai

Customers of Barclays and other UK banks have been targeted by fraud emails that exploit a recently discovered vulnerability in Internet Explorer allowing attackers to disguise Web addresses, according to security experts.


The Barclays scam email appears to come from the bank, and directs customers to a site posing as Barclays' online banking Web site, ibank.barclays.co.uk. The scam site then asks people to enter their banking details. Other scam emails appearing during the weekend also used this technique, known as "phishing", along with the same IE bug. The organisations targeted include Citibank, Lloyds and PayPal.


Banking scam emails are nothing new, but the use of the IE flaw represents an innovation, according to Internet services firm Netcraft, which analysed the Barclays message.


"As part of our continuing commitment to protect your account and to reduce the instance of fraud on our Web site, we are undertaking a period review of our member accounts," the scam email reads. "You are requested to visit our site by following the link given below. This is required for us to continue to offer you a safe and risk free environment to send and receive money online, and maintain the Barclays IBank Experience."


The bank last week warned users not to reply to any such emails or follow links that they contain. "Barclays is in no way involved with this scam email and the Web site does not belong to us," the bank said in a security alert on its site. "Barclays does not send emails to customers requesting your security or any other confidential information."


The bank is requesting users to forward fraud emails to internetsecurity@barclays.co.uk.


The email uses a glitch discovered last month that allows a specially crafted URL to load a browser window that appears to be displaying any address the attacker wants.


For example, the source code of the Barclays fraud email contains the link:


http://ibank.barclays.co.uk%01%01%01...1%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01@%77%77%77%2E%6E%65%77%79%65%72%73%6D%2E%63%6F%6D:%38%30/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%2E%70%68%70


In Internet Explorer, this is designed to display the address "ibank.barclays.co.uk" while actually directing users to a site, now offline, that was hosted by Affinity Internet. The characters such as "%01" encode the real address, which is "http://www.newyersm.com:80/1%2c%2clogon%2c00.php".

The flaw has the potential to undermine users' ability to determine what they should trust, eEye security research engineer Drew Copley said at the time of its discovery.


"If [the address is] appearing legitimate like that, you can get people to download anything, run anything, or get a password or whatever," he explained.
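The link quoted in the post relies on IE showing the "userinfo" part before the @ as if it were the host. The following is an added example, not code from the post or from Netcraft or eEye, that pulls such a URL apart so a mail filter or log review can show the real destination; the sample URL is constructed from the link above with the long run of %01 bytes shortened.

```python
# Added example (not from the original post): pull apart a URL that uses the
# "displayed-host%01...@real-host" trick quoted above, so a mail filter or
# log review can show where the link really goes.
from urllib.parse import urlsplit, unquote


def analyse_url(url: str) -> dict:
    """Return the real destination of an http(s) URL and flag userinfo spoofing."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Split on the LAST '@' before percent-decoding: anything before it is
    # "userinfo", which IE of this era rendered as if it were the host name.
    if "@" in netloc:
        userinfo, hostport = netloc.rsplit("@", 1)
    else:
        userinfo, hostport = "", netloc
    hostport = unquote(hostport)  # %77%77%77%2E... -> www.
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
    else:
        host, port = hostport, ""
    decoded_userinfo = unquote(userinfo)
    control_chars = sum(1 for c in decoded_userinfo if ord(c) < 0x20 or ord(c) == 0x7F)
    # What the address bar showed: the userinfo up to the first %01 byte.
    displayed = decoded_userinfo.split("\x01", 1)[0]
    return {
        "real_host": host.lower(),
        "real_port": port,
        "real_path": unquote(parts.path),
        "displayed_host": displayed,
        "has_userinfo": bool(userinfo),
        "control_chars": control_chars,
        # Userinfo that looks like a host name, or that hides control bytes,
        # is the signature of this spoof; plain user:pass@host is rare in mail.
        "suspicious": bool(userinfo) and (control_chars > 0 or "." in displayed),
    }


# Constructed sample based on the link quoted in the post, with the long run
# of %01 bytes shortened to four.
SAMPLE = ("http://ibank.barclays.co.uk%01%01%01%01@"
          "%77%77%77%2E%6E%65%77%79%65%72%73%6D%2E%63%6F%6D:%38%30"
          "/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%2E%70%68%70")

if __name__ == "__main__":
    for key, value in analyse_url(SAMPLE).items():
        print(f"{key}: {value!r}")
```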