No Microsoft Patch yet for Explorer url hiding

More than a month after it became widely publicized, a bug in Internet Explorer that allows fraudsters to obscure the true location of urls remains unpatched. A fix for the security gap, which is now being routinely used by phishing scams, was not among the new security updates published Tuesday by Microsoft.


Fraudsters use encoded urls to target Barclays accounts

Customers of Barclays Bank have received electronic mails that use url encoding and a widely publicised bug in Internet Explorer to obscure the name of the target fraud site. The use of url encoding seems to be an innovation for this type of mail, albeit a predictable one.

Viewing the source code of the e-mail link will usually reveal the hoax, showing that the target URL is unrelated to the bank. In this case, the e-mail link is percent-encoded: each encoded character is written as “%” followed by its two-digit hexadecimal code. Thus, the source code looks like:

http://ibank.barclays.co.uk%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01@%77%77%77%2E%6E%65%77%79%65%72
%73%6D%2E%63%6F%6D:%38%30/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%2E
%70%68%70
The ‘%01’ characters exploit a bug in Microsoft’s Internet Explorer web browser which obscures the displayed url. The encoded characters make it tricky for recipients to spot the “@” sign and “://” that give away the concealed URL of the target web page. Decoding the hexadecimal escapes (“%77%77%77” is “www”, “%38%30” is the port “80”, and so on) gives the real URL:
http://www.newyersm.com:80/1,,logon,00.php
which no longer resolves, but previously was in a netblock owned by Affinity Internet, Inc.


Jump in Phishing Attacks in December

“Phishing” attacks surged dramatically in the runup to Christmas, with more than 60 million fraudulent email messages sent out over two weeks in mid December, according to data from an industry group.

The Anti-Phishing Working Group identified more than 90 unique email fraud and phishing attacks in November and December, as scammers sought to capitalize on the increased online shopping activity during the holiday season. Numerous campaigns employed a widely publicised bug in Internet Explorer that allows fraudsters to construct more convincing urls.


CAIDA: Data Confirms DDoS at SCO

A data-based analysis of SCO’s web site by the Cooperative Association for Internet Data Analysis (CAIDA) has found that this week’s outage was related to a distributed denial of service attack (DDoS). Data collected by CAIDA’s Network Telescope indicates that the sco.com site responded to more than 700 million attack packets over 32 hours, according to the analysis.

“Early in the attack, unknown perpetrators targeted SCO’s web servers with a SYN flood of approximately 34,000 packets per second,” CAIDA said. “Together www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets-per-second early Thursday morning.”

SCO’s statement attributing its outage to a DDoS attack had been widely questioned following a critique of the SCO press release at the Groklaw web site. CAIDA has previously used its technology to document Internet traffic events including the Code Red and Slammer worms.

SCO web site downtime

A dynamically updating graph is available here.

IE Flaw Allows Spoofed URLs

A newly publicized bug in Internet Explorer shows that it is possible to craft html which causes Internet Explorer to display an incorrect URL in its address and status bars. This makes it easier for Internet fraudsters to trick web users into divulging critically important information, such as their bank account details, while the users believe they are interacting with a completely authentic URL.

The technique, which can be exploited by anyone with a rudimentary knowledge of HTML tags, is being demonstrated on several web sites. URLs with an ‘@’ such as

http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&
usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html
[the text to the left of the @ in a url is taken to be a user account name on the site name which follows, so the browser connects to 61.252.126.191, not www.visa.com] are commonly used by fraudsters launching electronic mail fraud attacks on customers of banks and credit card companies.

In the demonstrations, Explorer serves a page from the demonstrating site’s own server while displaying the url as www.microsoft.com.
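Both the Barclays mail above and the visa.com example here rely on the same parsing rule: everything before the last “@” in the authority part of a URL is userinfo, and the real host is what follows it. The script below, an added example written for this page rather than code from any of the articles, decodes a URL the way a browser will and reports which host it actually connects to, flagging userinfo that looks like a hostname, control characters such as %01 that hide the separator, and percent-encoding of the authority. The sample URLs are constructed from the two quoted in the text (the number of %01 escapes is approximate) plus a plain Barclays address for comparison; the indicator wording is this example’s own.

```python
"""Recover the host a browser will really connect to from a deceptive URL.

Added example for this page (not code from the articles it summarises).
Handles the two tricks described: a bank-like userinfo before '@', and
percent-encoding / '%01' padding that keeps the '@' and real host out of sight.
"""
import re
from urllib.parse import unquote, urlsplit

# Something that looks like a DNS name: labels separated by dots.
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)

# Constructed sample inputs, modelled on the two URLs quoted on this page.
BARCLAYS_URL = (
    "http://ibank.barclays.co.uk" + "%01" * 86          # bank name, then padding
    + "@%77%77%77%2E%6E%65%77%79%65%72%73%6D%2E%63%6F%6D:%38%30"  # real host:port
    + "/%31%2C%2C%6C%6F%67%6F%6E%2C%30%30%2E%70%68%70"           # encoded path
)
VISA_URL = (
    "http://www.visa.com:UserSession=2f6q9uuu88312264trzzz55884495&"
    "usersoption=SecurityUpdate&StateLevel=GetFrom@61.252.126.191/verified_by_visa.html"
)
GENUINE_URL = "https://ibank.barclays.co.uk/"  # assumed benign address for comparison


def real_destination(url: str) -> dict:
    """Decode percent-escapes, then split the authority as a URL parser does:
    the part left of the last '@' is userinfo, the host is to the right of it."""
    decoded = unquote(url)            # '%77%77%77' -> 'www', '%01' -> '\x01'
    parts = urlsplit(decoded)
    return {
        "host": parts.hostname,       # what the browser actually connects to
        "port": parts.port,
        "path": parts.path,
        "userinfo": parts.username or "",
        "control_chars": sum(ord(c) < 0x20 for c in decoded),
        "encoded_authority": "%" in urlsplit(url).netloc,
    }


def deception_indicators(url: str) -> list[str]:
    """Return human-readable reasons the URL is trying to mislead; empty if none."""
    info = real_destination(url)
    reasons = []
    # Drop control characters so the bank-like prefix can be matched.
    visible = "".join(c for c in info["userinfo"] if ord(c) >= 0x20)
    if HOSTNAME_RE.fullmatch(visible):
        reasons.append(
            f"userinfo '{visible}' looks like a hostname; real host is {info['host']}"
        )
    if info["control_chars"]:
        reasons.append(
            f"{info['control_chars']} control characters pad the userinfo to hide the '@'"
        )
    if info["encoded_authority"] and info["userinfo"]:
        reasons.append("percent-encoding conceals the '@' and the real host in the source")
    return reasons


if __name__ == "__main__":
    for label, url in (("Barclays", BARCLAYS_URL), ("Visa", VISA_URL), ("genuine", GENUINE_URL)):
        info = real_destination(url)
        print(f"{label}: connects to {info['host']} port {info['port']} path {info['path']}")
        for reason in deception_indicators(url):
            print("  !", reason)
```

Decoding before parsing matters: parsed as written, the Barclays URL’s encoded port “%38%30” is not a number and the parser rejects it, while a browser decodes first and happily connects to port 80. The same function run over link targets extracted from a mailbox is a cheap filter for this whole family of phish.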

Microsoft’s immediate response is to recommend that people only enter sensitive information on SSL sites, after checking the certificate details.

Mozilla [both Windows and Linux versions] displays the url correctly.