News

Internet Explorer Open to Phishing Attack

After evaluating a publicly reported phishing method that affects Internet Explorer among other browsers, Microsoft published a security advisory this week to let users know that it will not issue a security update to close off the attack vector.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," the Microsoft advisory reads in a FAQ question called, "Will Microsoft issue a security update to address this threat?" (The short answer to the FAQ question is "No.")

The problem arises from having multiple, overlapping windows, some of which are not identified by source. Phishing scammers could use the behavior to redirect a user to a trusted site. Simultaneously, the phishing site would open its own, unidentified browser window as a dialog box on top of the trusted site's window, positioning the dialog box so that the legitimate URL remains visible.

For example, let's say the scammer wants to pull the typical bank phishing scam, where the phishing site operator spams millions of users with a faked message from a legitimate bank. The message directs customers to update their personal financial information at a Web site. The phisher's hope is that a few of the bank's customers will fall for the fake message, visit the phishing site and enter their personal information.

Users have become more sophisticated about checking that URLs correspond to the institution to which they are supposedly sending their updates. The new phishing technique gets around that problem for the phishing organization. In the example, the user would see the URL of the trusted bank. However, the phishing organization would have simultaneously opened another window with no URL and positioned it on top of the bank's Web page, obscuring parts of it and offering fields for the customer to enter information. That information would be sent to the phishing organization.

In justifying a decision not to change the behavior of Internet Explorer, Microsoft pointed to its current guidance on avoiding spoofing and phishing attacks. "If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site's certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box," the company's advisory reads.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • MIT Finds Only 1 in 20 AI Investments Translate into ROI

    Despite pouring billions into generative AI technologies, 95 percent of businesses have yet to see any measurable return on investment.

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

Most   Popular