A new phishing trick...
Do you trust a bank that can be hacked like this?
http://www.itnews.com.au/newsstory.aspx?CIaNID=31268
Phishers hacked into three legitimate Florida bank sites (Capital City Bank, Wakulla Bank and Premier Bank) and then planted a script that redirected victims from the real banks' sites to a phishing site.
We've always advised users to type their bank's URL into the address bar and never click on links. To this I have added always checking the status bar and address bar (http://www.microsoft.com/windows/ie/community/columns/saferbrowsing.mspx) and using the IE phishing filter, and before that SpoofStick.
The banks say that they detected and resolved the issue "within an hour", but that is beside the point. I wonder how many customers were affected during that time... then, on top of that, there is the risk of malware, trojans and other hostile activities that may be hosted by the phishing sites.
High-trust sites such as online banking sites simply *must* be as secure as they can be. On this occasion the systems were running IIS, and so far I have found no information about whether a known vulnerability was used to hack into the servers, or something else.
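One check a site operator could run against its own served pages to notice a planted redirect of the kind described above. This is an added example, not from the original post or the banks involved; the host names, the allowlist and both sample pages are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from or redirects to.
ALLOWED_HOSTS = {"www.examplebank.test", "examplebank.test"}
# JavaScript navigation sinks followed by a quoted absolute URL.
JS_REDIRECT = re.compile(
    r"""(?:location(?:\.href)?\s*=|location\.(?:replace|assign)\s*\()\s*["'](https?://[^"']+)""",
    re.I)

def off_site(url):
    # Relative URLs have no host and stay on the site; "//host/x" does not.
    host = urlparse(url.strip()).hostname
    return host is not None and host.lower() not in ALLOWED_HOSTS

class RedirectAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src") and off_site(a["src"]):
                self.findings.append(("script-src", a["src"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m and off_site(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1).strip()))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # inline script body
            self.findings += [("js-redirect", u)
                              for u in JS_REDIRECT.findall(data) if off_site(u)]

def audit(html):
    """Return (kind, url) pairs for redirects or script loads leaving the allowlist."""
    parser = RedirectAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages: a clean page and one with planted redirects.
CLEAN = '<html><head><script src="/js/menu.js"></script></head><body><a href="https://www.examplebank.test/login">Login</a></body></html>'
TAMPERED = '<html><head><meta http-equiv="refresh" content="0; url=http://login.phish.test/"><script>window.location.replace("http://login.phish.test/signin");</script><script src="//cdn.phish.test/r.js"></script></head></html>'
```

Run on a schedule from outside the web server, `audit()` on each public page gives an alert that does not depend on a customer noticing the address bar change.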
People, be careful, always. Watch your status bar and watch your address bar (which, in IE7, are both always exposed unless consciously disabled by the user). Enable IE7's phishing filter or, if you can't run IE7, get the MSN Toolbar, which also includes a phishing filter. And practice safe hex:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx