Spoof email scams get big boost from Microsoft bug.
2004 could be the best year yet for email scammers. The seriousness and danger
of email scams is being vastly under-reported, and the danger stems from a known
vulnerability which affects the world's most popular web browser and email program.
The bug is a major feather in the cap of email scammers and fraudsters.
It was reported on a number of security sites last month, but had been covered
in detail on the www.MillerSmiles.co.uk email scam web site for some time before
that. "We have seen an increase in the number of Email Scams utilising this
vulnerability since the reports in early December. This is a big, BIG worry for
internet users across the globe. The situation will only get worse as the word
spreads," says Matthew Bright (Editor at MillerSmiles.co.uk).
The vulnerability, which affects Internet Explorer, allows spoofing of the URL
shown in the browser's address bar. A scammer can construct a link to a forged
web page that, when followed, opens the forged page while displaying whatever
URL the scammer chooses in the address bar. A test link has been set up on the
www.MillerSmiles.co.uk site which demonstrates this vulnerability in a browser
(see URL Spoofing Test). Microsoft's Outlook and Outlook Express are also
affected: in their case the URL is incorrectly displayed in the status bar when
hovering over the link, so what was once a quick check of where a link would
take you is now unreliable.
The MillerSmiles.co.uk site houses what must be the biggest collection of snapshots
of email and web site scams on the internet. The growing archive includes images
of emails and web pages purporting to be from banks (including Citibank, Barclays,
Nat West, Halifax and Nationwide), eBay, Paypal, AOL, Yahoo, Earthlink and MSN
or Hotmail.
A staggering 63% of links put through MillerSmiles.co.uk's Link Checker this
last week were found to contain an exploit of this flaw. "This is a worrying
number, and if that high a percentage of our site users are reporting this now,
what is happening to all the other email and internet users who don't think to
look carefully at emails for signs of spoofing?"
"Awareness is a key issue: users who do not know of the ease with which you can
forge an email and web page will be the first to fall prey to these scams. When
they are presented with an email that contains all the genuine graphics you see
in the real site, a sender's address which matches the genuine site, and links
which descriptively match the genuine site, it lessens the urge to ascertain
who the sender really is. There is nothing in what you can see before you in
your inbox that will tell you that it is a scam, except for the odd spelling
or grammar mistake."
Whilst many spoof emails are recognisable by the presence of spelling and grammatical
errors, email headers are a more reliable way to verify an email's authenticity. But
until the main email programs (like Outlook) show or validate the important parts
of the headers without the user having to dig into the raw message, internet users
who can readily recognise a spoof will remain a minority. A header is normally
composed of several lines of what appears to be code and includes references to
domains, IP addresses and software, so it can confuse the less technically minded.
However, while most of an email's headers can be forged, it is not easy to spoof
the record of the last server that the message passed through, because that line
is written by the recipient's own mail server rather than by the sender. It is
this component of the email header which can give the game away when it does not
match the genuine site's mail server. The other problem is how many internet users
will really want to find out the real site's mail server address, let alone know
how to do it?
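The check described above, written out as an added example (this is not MillerSmiles' Link Checker, and the sample message and the allow-list of expected mail hosts are constructed for illustration): it reads the topmost Received header, which the recipient's own server wrote, and compares the delivering host against the domain the From: address claims.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed sample: a mail claiming to come from a bank. The topmost Received
# line was written by the recipient's own server, so its "from" host is the one
# hop a scammer cannot rewrite; the lower Received line is attacker-supplied.
SPOOF_MESSAGE = """\
Received: from mail.cheap-host.invalid (mail.cheap-host.invalid [198.51.100.7])
\tby mx.recipient.invalid with ESMTP id 1AbC23; Mon, 5 Jan 2004 10:00:00 +0000
Received: from smtp.examplebank.invalid (smtp.examplebank.invalid [203.0.113.5])
\tby mail.cheap-host.invalid with SMTP; Mon, 5 Jan 2004 09:59:00 +0000
From: "Example Bank" <security@examplebank.invalid>
Subject: Please verify your account

Body text.
"""

# Constructed allow-list of hosts expected to hand us mail for a domain.
# In practice this would be built from the domain's published MX records.
EXPECTED_MAIL_HOSTS = {"examplebank.invalid": {"smtp.examplebank.invalid"}}

RECEIVED_FROM = re.compile(r"^\s*from\s+([^\s(]+)", re.IGNORECASE)


def last_hop_host(raw_message: str) -> Optional[str]:
    """Host named in the topmost Received header (the server that delivered to us)."""
    received = message_from_string(raw_message).get_all("Received") or []
    match = RECEIVED_FROM.match(received[0]) if received else None
    return match.group(1).lower().rstrip(".") if match else None


def claimed_domain(raw_message: str) -> Optional[str]:
    """Domain of the From: address, i.e. who the mail claims to be from."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def check_last_hop(raw_message: str, expected=EXPECTED_MAIL_HOSTS) -> dict:
    """Flag mail whose delivering server does not belong to the claimed sender."""
    domain, hop = claimed_domain(raw_message), last_hop_host(raw_message)
    known = expected.get(domain, set())
    consistent = bool(domain and hop) and (hop in known or hop.endswith("." + domain))
    return {"claimed_domain": domain, "last_hop": hop, "consistent": consistent}


if __name__ == "__main__":
    print(check_last_hop(SPOOF_MESSAGE))
```

The lower Received line names the bank's server and looks convincing, but the verdict comes only from the topmost line, which a scammer cannot write.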
Microsoft have yet to release a patch for this vulnerability. Some of the latest
antivirus programs can pick up these dangerous links that utilise the browser bug,
but not everyone has the means to buy new antivirus software each year, and it's
less of a consideration when the older programs still work.
"Shortcomings in the design and proper function of our most liked email and browsing
software are leaving us open to losing out to fraud scams without knowing it.
Web site bugs can also offer a helping hand to fraudsters though; in August 2003
we found that an eBay user was openly demonstrating how he could harvest eBay
users' email addresses if they visited his 'About Me' page while they were signed
into the eBay site. The JavaScript code that he used enabled him to grab the
users' email addresses and send them an email. When you consider that you can
include your own JavaScript code in an Auction Listing, an eBay Shop description
and an About Me page, you may realise the potential for that kind of vulnerability."
"We can only hope that software producers and web site developers give a greater
focus on protecting their innocent users this coming year. At the moment, it's
a scammer's paradise with rich pickings."
Mat Bright