Toolbar community reports Internet Explorer address bar spoofing vulnerabilities actively exploited

A number of recent phishing sites blocked by the Netcraft Toolbar community have had a common technique of using JavaScript to create a narrow popup window, which is then placed on top of the Address bar. A fake URL is entered into the popup, using the same default font as the real address bar. The script continually checks the location of the browser window and moves the popup accordingly, ensuring that it is always placed on top of the Address bar, thus obscuring the real URL of the phishing site.

The image above illustrates a live phishing site in action. In this case, the content looks genuine, as the URL appears to belong to the PayPal web site, https://www.paypal.com/cgi-bin/webscr?cmd=_login-run, but the content is really being served from a phishing site at http://quith.info/paypal/index.html. The only clue that something is wrong is that the browser is not displaying the padlock in the bottom right hand corner, indicating that this is not really a secure web page. A bug in the script also causes the popup window to remain visible even when the browser is minimized.

However, the Toolbar reveals the true location of the web site, which is hosted in Poland. People using the toolbar are then able to report the site, and thereby block access to the page for other less alert people using the Toolbar.

Similar attacks against institutions including PayPal, eBay, TCF Bank, Regions, GarantiBank and LloydsTSB, have been reported and blocked by the Toolbar community in the last few days. In all cases, nearly-identical scripts have been used, suggesting either that the same fraudsters are responsible for all of the attacks, or perhaps simply that fraudsters are copying ideas from each other.

This can affect all versions of Internet Explorer on Windows XP although the popup window does not correctly obscure the real URL if Service Pack 2 is installed.

The Netcraft Toolbar is currently available for Internet Explorer, and automatically blocks access to known phishing sites whilst displaying the longevity, hosting location and country for each site you visit. The toolbar can be freely downloaded.