March 16th, 2004
Browser Address Bar Spoofing - a new tool in a Phisher's box of tricks.
The second bogus web page involving a spoofed address bar has appeared within 24 hours of the first, suggesting a new trend in fooling the unwary...
Since Microsoft plugged the vulnerability in Internet Explorer browsers which allowed URL spoofing, fraudsters have found another method of spoofing that shows a genuine URL with a bogus web page.
Address bar spoofing involves the removal of the browser address bar and replacing it with images and text which look exactly like the genuine thing (including the Internet Explorer 'Go' button). Two reports of this worrying new means of fooling internet users have come to MillerSmiles.co.uk in the last 24 hours.
The first report, which involved a bogus eBay web page (see http://www.millersmiles.co.uk/identitytheft/031504-ebay-2.php), had a spoofed address bar which showed the URL as a genuine secure URL for part of the ebay.com web site. The actual URL of the web page was, of course, something completely different and belonged to a site which has nothing to do with eBay. The user was further presented with a bogus web form asking for personal, financial and account information, which would have been sent to the fraudsters via a form-to-mail script.
The second instance occurred less than 24 hours after the first. This time users were faced with a bogus PayPal page, with the spoofed address bar again displaying a genuine https URL for part of the paypal.com web site; see http://www.millersmiles.co.uk/identitytheft/031604-paypal-1.php for more on this phishing scam.
Address bar spoofing is aimed at users of Internet Explorer browsers, which account for the vast majority of internet users around the world. Many sites report that over 90% of their visitors use Internet Explorer.
The wider concern here is that this kind of spoofing can be delivered from any web content, and does not rely on a spoofed email to work, since all the relevant code resides within the bogus content itself. For instance, linking to this kind of spoofing from an auction site which permits external links and scripts in auction listings could result in many more victims.
MillerSmiles.co.uk is a site dedicated to publishing daily doses of the spoof emails and phishing scams that are propagating across the net and targeting users of major sites.
"We are seeing the first outings of a new form of web page spoofing that could well fool many internet users with very convincing content. Our hope is that by bringing these scams to the attention of internet users on a daily basis, we may build awareness sufficiently to seriously reduce the number of victims netted in these scams." Mat Bright, Editor at MillerSmiles.co.uk, goes on to emphasise, "Our best advice is to spread the word and help build awareness as far as you possibly can, and to strictly follow our recommendations on how to avoid becoming a victim."
Is there a cure? Since these spoofed web pages use only commonly available scripting and coding, this doesn't really qualify as a software or browser bug, so looking for a "fix" is the wrong approach. Disabling scripting and ActiveX controls will prevent the spoofed address bar or page from being displayed, but most users get frustrated by repeated alert boxes if their settings prompt them to allow or disallow such code, and disabling these outright would prevent many web pages from even displaying in a browser window, full stop.
MillerSmiles.co.uk operates a daily news feed which summarises each report of spoof email and phishing scams as it is published on their site, which already houses hundreds of examples sent in to them. The news feed can be used on other web sites via their script builder and can be accessed in news readers and aggregators; see http://www.millersmiles.co.uk/identitytheft/scam_alert_rss_feed.php for more.
Avoid becoming a victim of a Phishing Scam by following these simple rules ...
Oxford Information Services Ltd. All Rights Reserved.