Internet Explorer Open to Phishing Attack

After evaluating a publicly reported phishing method that affects Internet Explorer among other browsers, Microsoft published a security advisory this week to let users know that it will not issue a security update to close off the attack vector.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," the Microsoft advisory reads in a FAQ question called, "Will Microsoft issue a security update to address this threat?" (The short answer to the FAQ question is "No.")

The problem arises from having multiple, overlapping browser windows, some of which carry no address bar or other indication of which site they came from. Phishing scammers could use this behavior to redirect a user to a trusted site and, at the same time, open their own unidentified browser window as a dialog box on top of the trusted site's window, positioning the dialog box so that the legitimate URL remains visible in the window underneath.

For example, let's say the scammer wants to pull the typical bank phishing scam, where the phishing site operator spams millions of users with a faked message from a legitimate bank. The message directs customers to update their personal financial information at a Web site. The phisher's hope is that a few of the bank's customers will fall for the fake message, visit the phishing site and enter their personal information.

Users have become more sophisticated about checking that URLs correspond to the institution to which they are supposedly sending their updates. The new phishing technique gets around that problem for the phishing organization. In the example, the user would see the URL of the trusted bank. However, the phishing organization would have simultaneously opened another window with no URL and positioned it on top of the bank's Web page, obscuring parts of it and offering fields for the customer to enter information. That information would be sent to the phishing organization.

In justifying a decision not to change the behavior of Internet Explorer, Microsoft pointed to its current guidance on avoiding spoofing and phishing attacks. "If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site's certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box," the company's advisory reads.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
