The latest Internet Explorer security holes offer new ways for phishing scams to present realistic spoofs of financial web sites. One of the flaws allows fraudsters to display the URL of a trusted site in Internet Explorer’s address bar while presenting content from a different web page in the browser window. Another vulnerability could allow sophisticated attackers to create spoofed pages displaying the golden “lock” icon that indicates a secure SSL session, which has often been cited as a differentiator between legitimate sites and scams.
The new spoofing techniques are described in Microsoft security update MS04-038, one of 10 patches released Tuesday to address security problems in Microsoft Windows, Excel and Internet Explorer.
One approach allows a plugin, such as an ActiveX control, to instruct the browser to display a false URL in the address bar. This could allow phishers to create spoofed pages that resemble a financial institution’s login page and include an ActiveX control that tricks the browser into displaying the URL of the target site. A visitor with an unpatched browser arriving via an e-mail link would find a site that appears genuine.
Users who have downloaded Windows XP Service Pack 2 are protected, but other users of Internet Explorer 5.5 and 6 need to install the patch to be protected. A separate but similar address bar spoofing flaw exists only in computers using double-byte character sets, usually found in Asian versions of Windows, and is also addressed in the MS04-038 patch.
The SSL flaw, discovered by Mitja Kolsek from ACROS Security, exploits a weakness in the Internet Explorer cache, which stores web pages on a computer's hard drive. The exploit, described in an analysis by ACROS, requires a combination of advanced techniques to succeed, including a "man in the middle" strategy to redirect a user via bogus DNS responses. While most phishing scams settle for less ambitious approaches, the SSL spoofing flaw could add an air of legitimacy to scams mounted by sophisticated attackers.
Netcraft has developed a service to help banks and other financial organizations identify sites which may be trying to construct frauds, identity theft and phishing attacks by pretending to be the bank, or are implying that the site has a relationship with the bank when in fact there is none.