2012/03/09

Frameset hijacking website

Today I heard news about a fake website, "company-registry.com/hkma/", presenting itself as the website of the Hong Kong Monetary Authority (HKMA). I accessed the URL and found that the website owner used a frameset to load HKMA web content into a frame. That is to say, the content is real and comes from the official website, but it is framed and served under someone else's domain. The HTML source code is really simple, as shown below (I purposely added an extra space in < >):

< html>
< head>
< meta http-equiv="Content-Type" content="text/html; charset=gb2312">
< title>香港金融管理局< /title>
< meta name="Keywords" content="香港金融管理局">
< meta name="description" content="香港金融管理局(金管局)由外汇基金管理局与银行业监理处合并而成。金管局的主要职能由《外汇基金条例》和《银行业条例》规定,并向财政司司长负责,金管局是香港政府架构中负责维持货币及银行体系稳定机构....">
< /head>
< frameset border=0 frameborder=0 frameSpacing=0 rows=4%,96%>
< frame marginHeight=5 marginWidth=10 name=mainsoft src="index_.htm" scrolling="no">
< frame src=" http://www.info.gov.hk/hkma/index.htm" >
< /html>

There are many JavaScript snippets that prevent a page from being loaded inside a frame. One that I have tested is below:
 < SCRIPT LANGUAGE="JavaScript">
if (window != top) top.location.href = location.href;
< /SCRIPT>

Good luck, HKMA !!!
