Toolbar community reports Internet Explorer address bar spoofing vulnerabilities actively exploited
16th January, 2005
The image above illustrates a live phishing site in action. In this case, the
content looks genuine, as the URL appears to belong to the PayPal web
site, https://www.paypal.com/cgi-bin/webscr?cmd=_login-run, but the
content is really being served from a phishing site at http://quith.info/paypal/index.html.
The only clue that something is wrong is that the browser is not displaying the padlock
in the bottom right hand corner, indicating that this is not really a secure
web page. A bug in the script also causes the popup window to remain visible
even when the browser is minimized.
However, the Toolbar reveals the true location of the web site, which is hosted in Poland. People using the toolbar are then able to report the site, and thereby block access to the page for other less alert people using the Toolbar.
Similar attacks against institutions including PayPal, eBay, TCF Bank, Regions, GarantiBank and LloydsTSB, have been reported and blocked by the Toolbar community in the last few days. In all cases, nearly-identical scripts have been used, suggesting either that the same fraudsters are responsible for all of the attacks, or perhaps simply that fraudsters are copying ideas from each other.
This can affect all versions of Internet Explorer on Windows XP although the popup window does not correctly obscure the real URL if Service Pack 2 is installed.
The Netcraft Toolbar is currently available for Internet Explorer, and automatically blocks access to known phishing sites whilst displaying the longevity, hosting location and country for each site you visit. The toolbar can be freely downloaded.