IE Flaw Allows Spoofed URLs
12th December, 2003
A newly publicized bug in Internet Explorer shows that it is possible to craft HTML which causes Internet Explorer to display an incorrect URL in its address and status bars, making it easier for Internet fraudsters to trick web users into divulging critically important information, such as their bank account details, while apparently interacting with a completely authentic URL.
The technique, which can be exploited by anyone with a rudimentary knowledge of HTML tags, is being demonstrated on several web sites. URLs containing an '@', such as
http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html [the text to the left of the @ in a URL is taken to be a user account on the site name which follows], are commonly used by fraudsters launching electronic mail fraud attacks on customers of banks and credit card companies.
In the demonstration, Explorer serves a page from the local server while displaying the URL as www.microsoft.com.
Microsoft's immediate response is to recommend that people only enter sensitive information on SSL sites, after checking the certificate details.
Mozilla [both Windows and Linux versions] displays the URL correctly.
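The '@' trick above relies on readers taking the text before the '@' for the host name. The following is an added example (not code from the original report) showing how a mail or proxy filter can parse such a link, recover the host the browser will actually contact, and flag the user-info portion as a likely spoof; the sample URL is the one quoted above, and the name `inspect_url` is this example's own.

```python
"""Flag URLs that put a fake host name in the user-info part before '@'."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the URL quoted in the report, joined into one string.
SAMPLE_URL = (
    "http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&"
    "usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html"
)

# Something that looks like a domain name (at least one dot, label characters only).
_HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def inspect_url(url):
    """Return (real_host, apparent_host, reasons).

    real_host     - the host the browser will really connect to
    apparent_host - the 'user name' before '@' that a victim is meant to read as the host
    reasons       - list of strings; empty means nothing suspicious was found
    """
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    apparent_host = parts.username  # text before the first ':' in the user-info
    reasons = []

    if apparent_host is not None:
        reasons.append("user-info present: '%s' is a login name, not the host" % apparent_host)
        if _HOSTLIKE.match(apparent_host):
            reasons.append("login name looks like a domain, likely spoofing %s" % apparent_host)

    try:
        ipaddress.ip_address(real_host)
        reasons.append("real host is a bare IP address: %s" % real_host)
    except ValueError:
        pass  # a normal host name, nothing to add

    return real_host, apparent_host, reasons


if __name__ == "__main__":
    host, shown, why = inspect_url(SAMPLE_URL)
    print("browser will contact:", host)
    print("victim is shown     :", shown)
    for line in why:
        print(" -", line)
```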
Posted by Rich Miller in Security