OK, it has been a long time since I've posted a story on my blog. I write about computer security. Today's story talks about a couple of small local credit unions here in my town of Topeka. The Educational Employees Credit Union and Kansas Super Chief Credit Union sites had what is called a code injection attack on their websites. The site that their customers were redirected to was hxxp://ytgw123.cn (Don't go to this site. It will attack your PC with exploits.) The attack happened somewhere around September 26th, 2008.
So how did this attack happen? First, the websites were not coded securely, which allowed the criminal attacker to inject this code into the online banking sites for these two credit unions. The attacker didn't actually access the credit unions' customer accounts. However, if any of their customers innocently went to either credit union's website, they were redirected to this malicious site. If their PCs were not properly patched, these customers probably now have malicious code installed that could be a password stealer or keylogger, and their PC is now a bot, which means someone with bad intentions controls it.
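One way a site owner or security team can catch this kind of injection early is to scan the served HTML for script, iframe or meta-refresh references that point anywhere other than the site's own domains. The following is an added example (not code from the post or from either credit union), with a constructed allowlist and a constructed sample page; the domain named in the post appears only as a defanged string inside that sample and is never fetched.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the hosts a hypothetical credit union site is
# expected to reference. Anything else in an executable tag is flagged.
TRUSTED = {"eecu.example", "www.eecu.example"}


class RefCollector(HTMLParser):
    """Collect <script src>, <iframe src> and <meta http-equiv=refresh> targets."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag in ("script", "iframe") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.refs.append(("meta-refresh", m.group(1)))


def find_injected_refs(html, trusted):
    """Return (tag, host) pairs whose host is not in the trusted set.
    Relative URLs have no host and are treated as same-origin."""
    p = RefCollector()
    p.feed(html)
    flagged = []
    for tag, url in p.refs:
        host = urlparse(url).hostname
        if host and host.lower() not in trusted:
            flagged.append((tag, host))
    return flagged


# Constructed sample page: a legitimate login page with a hidden iframe
# injected at the end of the body, the pattern described in the post.
SAMPLE = """<html><head><title>Online Banking</title>
<script src="https://www.eecu.example/js/login.js"></script>
</head><body><h1>Welcome</h1>
<iframe src="hxxp://ytgw123.cn/" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host in find_injected_refs(SAMPLE, TRUSTED):
        print(f"suspicious {tag} reference to {host}")
```

Run it against a periodic fetch of your own pages and alert on any non-empty result; a zero-size iframe to an unknown host is exactly what a customer's browser would silently load.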
I've been told that the problem has been corrected, but I have my doubts. Since I have an account at Educational Employees Credit Union, I will be watching this closely. The problem I see is that this was not reported, and customers of EECU and KSCCU have spyware or malware installed on their PCs and may not realize it.
Hopefully the company that is contracted to create and maintain these credit unions' websites has found the actual vulnerability in its own code and closed this hole. From my experience in computer security, code developers are trained to write code quickly to add to a company's bottom line. They are not trained to code securely. I believe this situation is very common: smaller banks and credit unions that have to contract out their web development are putting their customers in danger of criminal hackers stealing the login credentials for their bank and credit union accounts. I will be watching my credit union. Maybe you should too!