More than a month after it became widely publicized, a bug in Internet Explorer that allows fraudsters to obscure the true location of URLs remains unpatched. A fix for the security gap, which is now being routinely used by phishing scams, was not among the new security updates published Tuesday by Microsoft.
The bug tricks Internet Explorer into displaying an incorrect URL in its address and status bars when the “%01” character is included in a web link. The security gap makes it easier for Internet fraudsters to trick web users into divulging bank account details, and has been used in several recent phishing scams, including ones targeting Barclays and Citibank.
Microsoft said a patch addressing the spoofing flaw won’t be released until it is “well-engineered and thoroughly tested.” In the meantime, a page on its web site identifies ways IE users can protect themselves, including a snippet of JavaScript code that can be entered in the address bar to validate a URL.
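As an added illustration of the kind of link validation described above (this is not Microsoft's snippet and not code from the original article), the following check flags links carrying percent-encoded control characters such as %01, flags credentials embedded in a link, and reports the host that a standards-compliant URL parser resolves so it can be compared with what the browser displays; the sample links and the .test domain are constructed.

```javascript
// Added example, not Microsoft's address-bar snippet. A defensive link
// inspector: control characters have no place in a well-formed URL, so a
// percent-encoded %00-%1F or %7F anywhere in a link is treated as suspicious.
const CONTROL_CHAR_ESCAPE = /%(?:[01][0-9a-f]|7f)/i;

function inspectLink(href) {
  const reasons = [];
  if (CONTROL_CHAR_ESCAPE.test(href)) {
    reasons.push("percent-encoded control character in link");
  }
  let host = null;
  try {
    // WHATWG URL parser, as used by modern browsers and Node.js.
    const url = new URL(href);
    host = url.hostname; // the host a compliant client actually contacts
    if (url.username || url.password) {
      reasons.push("credentials embedded before the host");
    }
  } catch (e) {
    reasons.push("link does not parse as a URL");
  }
  return { host, suspicious: reasons.length > 0, reasons };
}

// Constructed sample links (not taken from any real phishing message).
const SAMPLE_LINKS = [
  "https://www.example-bank.test/login",
  "https://www.example-bank.test/%01login",
];

// Runs the inspector over the samples and returns one report per link.
function checkSamples() {
  return SAMPLE_LINKS.map((href) => ({ href, ...inspectLink(href) }));
}

for (const report of checkSamples()) {
  console.log(report.suspicious ? "SUSPICIOUS" : "ok", report.href, report.host, report.reasons);
}
```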
Netcraft has developed a service to help banks and other financial organizations identify sites that may be attempting fraud, identity theft and phishing attacks by pretending to be the bank, or by implying that the site has a relationship with the bank when in fact there is none.