Internet Explorer Open to Phishing Attack

After evaluating a publicly reported phishing method that affects Internet Explorer among other browsers, Microsoft published a security advisory this week to let users know that it will not issue a security update to close off the attack vector.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," the Microsoft advisory reads in a FAQ question called, "Will Microsoft issue a security update to address this threat?" (The short answer to the FAQ question is "No.")

The problem arises from having multiple, overlapping windows, some of which are not identified by source. Phishing scammers could use the behavior to redirect a user to a trusted site. Simultaneously, the phishing site would open its own, unidentified browser window as a dialog box on top of the trusted site's window, positioning the dialog box so that the legitimate URL remains visible.

For example, let's say the scammer wants to pull the typical bank phishing scam, where the phishing site operator spams millions of users with a faked message from a legitimate bank. The message directs customers to update their personal financial information at a Web site. The phisher's hope is that a few of the bank's customers will fall for the fake message, visit the phishing site and enter their personal information.

Users have become more sophisticated about checking that URLs correspond to the institution to which they are supposedly sending their updates. The new phishing technique gets around that problem for the phishing organization. In the example, the user would see the URL of the trusted bank. However, the phishing organization would have simultaneously opened another window with no URL and positioned it on top of the bank's Web page, obscuring parts of it and offering fields for the customer to enter information. That information would be sent to the phishing organization.

In justifying a decision not to change the behavior of Internet Explorer, Microsoft pointed to its current guidance on avoiding spoofing and phishing attacks. "If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site's certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box," the company's advisory reads.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.