SunTrust Web Site Hit Again by Scam Artists

For the second time in three months, data thieves have exploited a flaw in SunTrust Banks Inc.’s Internet system.

The Atlanta company confirmed Wednesday that a fake Web page had been built to appear to be within the SunTrust Web site, with the aim of tricking customers into revealing personal data.

This is a variant of the traditional phishing data-theft scam, in which e-mail messages lure customers to counterfeit bank Web sites.

These sites are almost always hosted externally, often in foreign countries. Phishers have rarely been able to plant phony sites that appeared to be within an actual bank site, but it has happened to SunTrust at least once before.

“We are aware of this particular issue and already working to address it as quickly as possible,” said Hugh Suhr, a spokesman. “It was eliminated as of Tuesday.”

In this instance the criminals took advantage of a Java coding flaw to insert their own code into a SunTrust Web page, Mr. Suhr said. He would not comment further.

Having the bogus page appear under the SunTrust umbrella would probably increase the chances of fooling customers.

In October phishers noticed that the investor relations page on the SunTrust site used information from an external Web site, and listed the name of the outside vendor’s site in the browser’s address bar. By tweaking the system so that it used a different site name, criminals were able to redirect visitors to a bogus page.

According to TowerGroup Inc., a Needham, Mass., unit of MasterCard International, banks’ 2004 losses to phishing will be $137.1 million. However, many analysts have stressed that phishers are patient and are collecting far more account numbers than they intend to use immediately. That means it may be several months or even years before a true assessment of the impact of current scams can be made.

