Danger - Phishing ahead
See for yourself

This low-key mention of a new Explorer flaw has serious implications. If you are a Windows MSIE user, see how easy it is to be fooled: just pretend the following page is an official-looking pop-up, email, forum posting, or any link at all: demo page. Did it trick you, no matter how tight your browser and firewall security were set? For more info on phishing, see this page at the FTC.

The implications are serious (or joyous, for the phishers): already adept at setting up look-alike pages, they may now disguise the full location as well. Until now, the location field was a key giveaway. It may also be possible to fake the user into an https (secure) site, one that offers the reassurance of the padlock symbol.

Solution?
1. Wait for the Microsoft patch.
2. Switch to Firebird, Mozilla, or Opera (ask the nearest trustworthy 13-year-old to help you if you're concerned about how difficult it is).
3. Use a Macintosh.
4. Never enter sensitive data into a form on a site unless you are 100% sure the site is not just a cardboard front. Visit e-commerce sites from bookmarks, and be wary of "offers" or "requests" originating from emails, spam, pop-ups, or anything else. Once there, use Right button .. View .. Properties to verify that the domain name is correctly displayed, or turn on and eyeball the MSIE Status Bar (View .. Status Bar).

Update: In the follow-up remarks, this BBR member demonstrated that it also works with https URLs: you look at a "paypal" link, you go to "paypal", it shows the padlock and the right address as well, but it is not PayPal!

Update: AOL 8.0 browser does the right thing, as one would expect as their browser is closely related to Mozilla.

The regulars in our Security forum helped with this demo.

tmccann11
Who, Me?
Premium Member
join:2001-06-10
Parsippany, NJ

1 edit

tmccann11

Premium Member

Got Me Good

Damn, I just might have fallen for that considering the fact that I get tons of mail from like best buy and staples.

F$%$%$ng Microsoft.

Tom

FP

EGeezer
Premium Member
join:2002-08-04
Midwest

EGeezer

Premium Member

IE vulnerability - Now more than ever ...

That's another good reason to be sure you type no sensitive information on any web page that does not have the secured lock and a valid security certificate.

Too many "legitimate" sites have the input fields on a page without the lock and cert, then redirect to https only after the user has entered sensitive data and pressed enter to send it. Too many more have certs that don't match the sites or are expired.

EG

TechyDad
Premium Member
join:2001-07-13
USA

TechyDad

Premium Member

Re: IE vulnerability - Now more than ever ...

said by EGeezer:
That's another good reason to be sure you type no sensitive information on any web page that does not have the secured lock and a valid security certificate.
This will work with an SSL secured site as well. See this post: »Don't trust the Lock icon either!

All the hacker would do is buy an SSL cert for his site (from Verisign, GeoTrust, etc) and then set up one of these links. The lock icon would show and the cert would appear to be valid in that no warnings would pop up. If you checked the cert, you'd see it is for a different site than the one that you appeared to be on, but how many people do this for every secure site they go to?

XuhQshinR
join:2001-09-18
Bradenton, FL

XuhQshinR to tmccann11

Member

to tmccann11

Re: Got Me Good

Very tricky! One possible way to tell is to go to FILE: and PROPERTIES and it will tell you the real deal is: »www.symantec.com@i.d ··· dex.html

But of course we don't all do that at every site we browse to.

Always someone finding a way to show MS's weakness. It's not that difficult is it?

Thanks for the heads up!

netwire
Premium Member
join:2001-04-27
Dallas, NC

netwire to tmccann11

Premium Member

to tmccann11
Thank God for Mozilla.... hehe

Googled
Yay, I have FIOS
join:2001-08-13
Orchard Park, NY

Googled to tmccann11

Member

to tmccann11

[screenshots: Internet Explorer 6, Firebird]
Didn't work on mine. I'm not sure why either. Is it because I have Java set to run in "High Safety" mode?

This topic drove me to venture into the security settings for IE6. I noticed that two items have been added since I last looked. They are settings for running .NET framework components. Both were set to "Enable", by default I assume. You all might want to check your settings. I changed mine to "Prompt"

AthlGrond
Premium Member
join:2002-04-25
Aurora, CO

AthlGrond

Premium Member

Re: Got Me Good

Although .net is managed code (similar to java from a security standpoint, for the lack of a better analogy) I agree that you should want to be prompted to execute .net code on your computer.

If you regularly needed a .net program to run you would either want to change the site's security settings or turn off prompting. (but currently the internet isn't awash with .net content, so prompting makes the most sense.)

Googled
Yay, I have FIOS
join:2001-08-13
Orchard Park, NY

Googled

Member

Okay I figured out it was because I copied and pasted the link into IE. I tried it the way I was supposed to by clicking on the link and the address did change to
http://www.symantec.com

I had seen this before, but I thought they used a bunch of javascript to do it.

What would happen if you changed the url to something like file://foobar.htm or perhaps
http://localhost
Would that make the page execute in a different zone?

I have just tested it and it doesn't appear to work on an
http://localhost
The address changes, but IE stays in the Internet zone.

I couldn't get it to work on file:// either, but I couldn't quite get file:// to work correctly, when I made my phished URL the browser kept looking for a server share on the network rather than trying to find the file on the C: drive. Could someone else try this and see if they can get it to work?

user3657
join:2000-04-27
Trenton, NJ

user3657 to tmccann11

Member

to tmccann11
this has been around for years...why is it just being noticed now?

Zertoss
Just Say No To Caps Lock
join:2001-08-01
Clute, TX

Zertoss

Member

Re: Got Me Good

said by user3657:
this has been around for years...why is it just being noticed now?

That's what I would like to know.

Spiro0
join:2003-08-04
Austin, TX

Spiro0

Member

Re: Got Me Good

2 million lines of code is why... Sort of a Denial of Maintenance attack by the Microsoft developers on themselves.
HackManiac
join:2003-12-18
Australia

HackManiac

Member

Re: Denial of Maintenance attack

(Smile) I love it.
I would love to use an acronym like "DOM" Attack! in reference to MS during my Linux close.

Can I quote you in my seminars?

And maybe add it to my T-Shirt ads.

Cheers

Andy

Spiro0
join:2003-08-04
Austin, TX

Spiro0

Member

Re: Denial of Maintenance attack

Sure! If I just coined a phrase, maybe I should put my name on it...

Stephen D

titoisme
join:2003-07-13
Brooklyn, NY

titoisme to tmccann11

Member

to tmccann11
Reason #215 why I don't even look at IE

rtcy
FACTS only please
Premium Member
join:1999-10-16
Norwalk, CA

rtcy to tmccann11

Premium Member

to tmccann11
always on mozilla,

Transmaster
Don't Blame Me I Voted For Bill and Opus
join:2001-06-20
Cheyenne, WY

2 edits

Transmaster to tmccann11

Member

to tmccann11
I just received this in one of My E-mail accounts. This has got to be one of the funniest things I have ever seen.
Talk about STUPID!!!!! Whoever this is must not be able to type and chew gum at the same time. I do see what you mean by the site; it looks real. The "real" address is
»citibridgetrack.com this address naturally does not work

Dear OnlineCitibank Cardholders,

This letter was ssent by the Citi-Bank server to veerify your e-mail
adress. You must cltoepme this prcoses by clicking on the link
below and enntering in the small window your Citbiank Debit
Card Nummber and card pin that you use on ATM Machine.
That is donne for your pctreotion -u- because some of our members no
lngoer have acsecs to their email adedsress and we must verify it.

To veerify your e-mail adderss and akcess your Citi-bank account, klick on
the link below. If ntohing hapepns when you clic on the link -6 copye
and paste the link into the address bar of your web broswer.

»www.citibank.com/?YjT2X9 ··· CYnylY8t

---------------------------------------------
Thank you for using Citi-Bank!
---------------------------------------------

This automatic email sent to: w7itc@msn.com
Do not reply to this email.

Xzibit
Wtf Mate?
Premium Member
join:2002-04-19
Santa Clara, CA

Xzibit

Premium Member

Oh damn...

Damn, got me

KyleC
Nikon Guy
Premium Member
join:2001-12-13
Dallas, TX

3 edits

KyleC

Premium Member

Holy Crap

I have gotten fake PayPal sites like this, trying to get me to enter my info. I knew it was fake, cause PayPal never sends email out requesting info.

tmccann11
Who, Me?
Premium Member
join:2001-06-10
Parsippany, NJ

tmccann11

Premium Member

Re: Holy Crap

But what if (insert favorite store here) emailed you stating that they were having a one day sale with 50% off any one item, and had an html page embedded in the email that looked legit enough. You follow it, and go through the whole process, and you think you placed an order....and gotcha.

I know the scenario may be unlikely for most of us, but there are a lot of people that would fall for it in a heartbeat, and could you really blame them?

JM2C

Tom

copperdoctor
Premium Member
join:2003-12-08
Palatine, IL

copperdoctor to KyleC

Premium Member

to KyleC
I just received 2 consecutive emails from "Paypal" in 2 days. Both had attachments (virus) and a redirect link. Fortunately my email was scanned before it was sent to my inbox, and the virus was removed, but I'm sure a lot of other people aren't so lucky. I reported both emails to spoof@paypal.com, which confirmed there is a rash of these emails being sent out lately. Be careful!

CenTex2
join:2003-04-16
Marlin, TX

CenTex2

Member

Oh bloody HELL!

Here we go again....

Headbanger
join:2001-12-28
Summerville, SC

Headbanger

Member

This is scary

I can see that people will fall for this and not ever know.

AVD
Respice, Adspice, Prospice
Premium Member
join:2003-02-06
Onion, NJ

AVD

Premium Member

dammm..

this is too scary....

btw. using an old version of OPERA, you get a popup warning, and the whole address shows on the address bar..

there is no excuse for microsoft to have the address display the way it does... by trying to make stuff easier, they make windows so insecure, that it is a public menace. I guess you can get away with sloppy code when you are a near-monopoly.
cmhbob
Did...Did I Do That?
Premium Member
join:2001-03-13
Fort Gibson, OK

cmhbob

Premium Member

One way to be more careful

In IE, make sure "Show friendly URLs" is not checked. Then just watch your status bar to see where you're really going.

wheelzoff
join:2001-02-14
Irving, TX

1 edit

wheelzoff

Member

Re: One way to be more careful

The status bar is my best friend.

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Re: One way to be more careful

said by wheelzoff:
The status bar is my best friend.

How does your status bar look on

»i.dslr.net/symantec/worse2.html

then?

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Re: One way to be more careful

said by justin:
said by wheelzoff:
The status bar is my best friend.

How does your status bar look on

»i.dslr.net/symantec/worse2.html

then?
Status bar is hosed with bogus address, but the address bar shows the url you posted (as I'm sure you expected it to). Another way to detect the bogus link in either an email or on a site page is to right-click, choose "Copy Shortcut" and paste into the address bar - the entire address will appear as opposed to just the bogus portion. But as noted in all of this discussion: the targets for this kind of fraud are probably not going to do anything other than click the links. It will be interesting to see how long it takes to come up with a fix to this one and get it on the street.

I suppose the one advantage to using IE is that as each hole is found the word does get around pretty well - whereas if the same type problem(s) were in another less used browser, the discovered exploits might not get as much publicity. I think this attitude is called sour grapes? For me reality says that the company I work for will continue to use IE as their browser and Outlook as their email client. For the moment I simply put out the word not to trust ANY link sent to them or that they just "stumble upon" on some website they're unsure of, recommending they use the right-click/copy shortcut method to double-check them.

Thanks for writing up the story - as you said, the low key on this story might have left the exploit exploitable against me much longer!
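The story's "Right button .. View .. Properties" advice and 2kmaro's right-click / Copy Shortcut method above both come down to the same check: look at the whole URL and work out where the "@" really puts the host. The following is an added example, not code from dslreports or from anyone in this thread. It uses the WHATWG URL parser built into Node.js (an assumption; today's browsers share the same parsing rules) to report what a careful reader would look for in a link. The function names (apparentHost, auditLink, suspiciousLinks) are this example's own, and the sample links are constructed; only the symantec/dslreports demo path comes from the thread.

```javascript
// Added example (not from the dslreports story or any poster): classify links
// the way a cautious reader would, using the global URL class in Node.js >= 10.

// Pull a domain-looking token out of visible link text.
// "www.symantec.com" -> "www.symantec.com", "Click here" -> null.
function apparentHost(text) {
  const m = /(?:[a-z]+:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})/i.exec(text || '');
  return m ? m[1].toLowerCase() : null;
}

// Parse one link and list the reasons to distrust it (empty list = nothing odd).
function auditLink(href, linkText) {
  let url;
  try {
    url = new URL(href); // throws on anything that is not an absolute URL
  } catch (e) {
    return { href, realHost: null, findings: ['not an absolute URL'] };
  }
  const findings = [];

  // The userinfo component ("user:pass@") is the heart of the trick: everything
  // before "@" is a credential string the server may ignore, yet it is what the
  // reader (and, per the thread, IE's address bar) sees first.
  if (url.username !== '' || url.password !== '') {
    findings.push(`userinfo "${url.username}" precedes the real host ${url.hostname}`);
  }

  // Percent-encoded control characters (%00-%1f) inside userinfo have no
  // legitimate use; the demo relies on IE cutting its display off at one.
  if (/%[01][0-9a-f]/i.test(url.username + url.password)) {
    findings.push('control character hidden in userinfo');
  }

  // Visible text naming one domain while the link resolves to another.
  const shown = apparentHost(linkText);
  if (shown && shown !== url.hostname) {
    findings.push(`text shows ${shown} but link goes to ${url.hostname}`);
  }

  // A bare IP address instead of a name deserves a second look on a "bank" link.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) {
    findings.push('host is a bare IPv4 address');
  }

  return { href, realHost: url.hostname, scheme: url.protocol, findings };
}

// Audit a batch of links (e.g. extracted from an e-mail) and keep the suspicious ones.
function suspiciousLinks(links) {
  return links.map(l => auditLink(l.href, l.text)).filter(r => r.findings.length > 0);
}

// Constructed sample links: the first mirrors the demo path quoted in the thread;
// the rest are made up for this example (203.0.113.0/24 is a documentation range).
const SAMPLE_LINKS = [
  { href: 'http://www.symantec.com@www.dslreports.com/front/symantec/www.symantec.com/gotcha.html',
    text: 'www.symantec.com' },
  { href: 'http://www.paypal.com%01@203.0.113.5/login.html', text: 'https://www.paypal.com/' },
  { href: 'https://www.symantec.com/', text: 'Symantec' },
  { href: 'Click here', text: 'Click here' },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of suspiciousLinks(SAMPLE_LINKS)) {
    console.log(`${r.href}\n  real host: ${r.realHost}\n  ${r.findings.join('\n  ')}`);
  }
}
```

Run with `node audit.js`; the first two sample links are reported with the real host (www.dslreports.com and 203.0.113.5) and the reasons, the plain Symantec link passes, and the non-URL is rejected. The same parse is what the properties dialog and the pasted shortcut show in the thread: the host is whatever follows the last "@" in the authority, not what precedes it.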

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Re: One way to be more careful

There is an onMouseOver that sets the status bar if javascript is enabled (as it is, on 99.9999% of the world's MSIE browsers). Do you have javascript disabled for 'untrusted' sites or something? (i.dslr.net)?

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

2kmaro

Re: One way to be more careful

Scripting disabled on untrusted sites - security for those is set to High to match my paranoia of M$ products. Screen shot to show difference between address bar and status bar displays.

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Re: One way to be more careful

said by 2kmaro:
Scripting disabled on untrusted sites - security for those is set to High to match my paranoia of M$ products. Screen shot to show difference between address bar and status bar displays.

that is the screenshot while you are still on dslr, what about when you are in "the symantec" site, that is the key.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to 2kmaro

Member

to 2kmaro
said by 2kmaro:
said by justin:
said by wheelzoff:
The status bar is my best friend.

How does your status bar look on

»i.dslr.net/symantec/worse2.html

then?
Status bar is hosed with bogus address, but the address bar shows the url you posted (as I'm sure you expected it to). Another way to detect the bogus link in either an email or on a site page is to right-click, choose "Copy Shortcut" and paste into the address bar - the entire address will appear as opposed to just the bogus portion. But as noted in all of this discussion: the targets for this kind of fraud are probably not going to do anything other than click the links. It will be interesting to see how long it takes to come up with a fix to this one and get it on the street.

I suppose the one advantage to using IE is that as each hole is found the word does get around pretty well - whereas if the same type problem(s) were in another less used browser, the discovered exploits might not get as much publicity. I think this attitude is called sour grapes? For me reality says that the company I work for will continue to use IE as their browser and Outlook as their email client. For the moment I simply put out the word not to trust ANY link sent to them or that they just "stumble upon" on some website they're unsure of, recommending they use the right-click/copy shortcut method to double-check them.

Thanks for writing up the story - as you said, the low key on this story might have left the exploit exploitable against me much longer!

Well, so far it's going on about 5 years. This is nothing new; this trick is what some satire sites used to use to make their funny news stories look real.
vic102482
Premium Member
join:2002-04-30
Upper Marlboro, MD

vic102482

Premium Member

Re: One way to be more careful

said by Nanaki:

Well, so far it's going on about 5 years. This is nothing new; this trick is what some satire sites used to use to make their funny news stories look real.

I think I know what you are talking about, but no, this is different, and far better. Like the CNN blowjob one, it had »funnysatire.cnn.whatever.com. The address looked bogus on site. This is what I remember although, I might be wrong.

justin
..needs sleep
Mod
join:1999-05-28
2031

justin to Nanaki

Mod

to Nanaki
said by Nanaki:
Well, so far it's going on about 5 years. This is nothing new; this trick is what some satire sites used to use to make their funny news stories look real.

No, the difference is how it looks after you get there. That it (the address) looks indistinguishable is the bigger problem here, and just makes an existing scam (phishing) easier to do.

wheelzoff
join:2001-02-14
Irving, TX

wheelzoff to justin

Member

to justin
said by justin:
said by wheelzoff:
The status bar is my best friend.

How does your status bar look on

»i.dslr.net/symantec/worse2.html

then?

It still shows the bogus address.

Smokey
I'd rather be skiing
Premium Member
join:2003-05-20
Wild West

4 edits

Smokey

Premium Member

Re: One way to be more careful

Same for me. If you're not looking, you won't catch it, as it is very fast.

Synon29
join:2003-09-13
Cabot, AR

Synon29 to justin

Member

to justin
Well, it seems to show up in my status bar, and if I right-click the properties it shows the true URL. The address bar is not your friend.

N10Cities
Premium Member
join:2002-05-07
0000000

1 edit

N10Cities to cmhbob

Premium Member

to cmhbob
said by cmhbob:
In IE, make sure "Show friendly URLs" is not checked. Then just watch your status bar to see where you're really going.


I have that feature disabled, but when I enter the site "http://i.dslr.net/symantec/worse2.html" and hover over any of the links, they show the bogus address in the status bar, so don't think that setting will work...
lalaas
join:2002-01-01
Oak Park, MI

lalaas

Member

Other phish being caught

I caught a phish like this pretending to be Comcast, and asking for all kinds of info, even down to PIN number & CVV # on the back of your credit card - bank phone #, etc. Really crafty, and I wonder how many people got scammed by them. I posted it here in the CC forum (IIRC) and notified comcast. Within an hour the site had disappeared.

FLea973
Premium Member
join:2001-02-27
Morristown, NJ

FLea973

Premium Member

1 way to spot it -

At least I saw a way to spot it on the demo site - hover over a link on the spoofed site and look at the status bar. It displays the full path of that link:
"http://www.symantec.com @www.dslreports.com/front/symantec/www.symantec.com/gotcha.html"

Unfortunately what is displayed in the status bar can also be controlled through Java scripts - so yet another reason to disable java.


statecop
Premium Member
join:2002-09-16
Heflin, AL

statecop

Premium Member

Not good!

This is bad!

reub2000
Premium Member
join:2001-12-28
Evanston, IL

reub2000

Premium Member

What's new about "@"?

Stuff like »realsite.com@fakesite.co ··· age.html has been done for a long time. What's new?

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Re: What's new about "@"?

What is new is what shows in the location bar AFTER you reach the "fake site".

Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium Member
join:2001-04-19
1970 442 W30

Doctor Olds

Premium Member

Safe here. :-)

Didn't fool my 2002 version of Netscape v4.8 at all. It's old, but was updated in 2002 so it's not that old.

Regards,

Doctor Olds

rahlquist
Redeye
join:2001-10-30
Villa Rica, GA

rahlquist

Member

Re: Safe here. :-)

said by Doctor Olds:
Didn't fool my 2002 version of Netscape v4.8 at all. It's old, but was updated in 2002 so it's not that old.

Didn't fool my 2-day-old copy of Netcaptor either, which is IE at the core.
SanJoseNerd
Premium Member
join:2002-07-24
San Jose, CA

1 edit

SanJoseNerd

Premium Member

Wow

After following the link to the Phish page, I went up to the IE address bar and typed in ht tp://www.symantec.com (extra space here so DSLR won't convert to a link) ... and it still went to the Phish page.

Once you're there, typing in the URL just to "double check" that you are where you think you are, doesn't work. Wow.

justin
..needs sleep
Mod
join:1999-05-28
2031

justin

Mod

Re: Wow

said by SanJoseNerd:


Once you're there, typing in the URL just to "double check" that you are where you think you are, doesn't work. Wow.

You are right. It seems MSIE clings pretty hard to the cached copy of the fake page.. yuck..
nl4jy
join:2002-05-02
Brooklyn, NY

nl4jy

Member

Re: Wow

And that is even more dangerous as one may think, oh, I'll just manually type in the address (thinking he/she'll be safe)
The Way Out
join:2003-01-20

The Way Out

Member

Don't trust the Lock icon either!

Want to see something scary? Try this link:

https://www.paypal.com

It says PayPal in the URL, but it's not paypal! You'll notice that it still displays the "Lock" in the bottom right hand corner, too. Be afraid. :|


MIABye
Premium Member
join:2001-10-28
united state

MIABye

Premium Member

Not So Fast

Just look at the status bar.


Hayward0
K A R - 1 2 0 C
Premium Member
join:2000-07-13
Key West, FL

4 edits

Hayward0

Premium Member

Doesn't this all still just prove....

Don't just take what is AUTO-CRAMMED down your throat.

OK we sort of have to reluctantly accept WINDOZE.... but IE??? NO WAY

It is nothing but a copy cat wannabe since day one, ONLY successful because M$ got away with making it a part of the OS before it was too late.

On the other hand the ROCK SOLID relatively speaking Mozilla/Firebird... has its roots all the way back to the pioneer Mosaic (1993) the first browser that lead to Netscape... then after battling Microshaft for years, was completely TRASHED by AoHell that acquired NS and then abandoned it (To BIG surprise still stick with Internet Exploder for AoHell)... but now still surviving as the open source Mozilla. (And again as its roots really started as, before someone thought to make money at it.) And by the way the guy who created the WWW/HTML beginnings has never made a PENNY from it... he just gave it to the world knowing that was the only way it would ever really happen. (And boy didn't it???!!!)

As open source many developers around the world are on Mozilla all the time (for the users good)... the FEW minor problems that have occurred have been taken care of in updates rather than the probably on monthly, but seemingly weekly PATCHES to IE... that seem to be trying to futilely try to turn endlessly hole fill IE Swiss Cheese into solid cheddar

insomniac84
join:2002-01-03
Schererville, IN

2 edits

insomniac84

Member

Damn microsoft

Are we going to have to wait a month to get this update now? They had better post a fix asap. Also unchecking show friendly URLs doesn't work because mine was not checked and it only shows www.symantec.com. God damn it, why is this not patched yet. You'd think since Microsoft are the only idiots with their source code, they could make a patch in a matter of an hour or so. There are always going to be exploits, but damn you'd think they'd have enough sense to patch them quick. Also as for the people who never run Windows Update, yet again another reason why they suck. Now we are going to hear tons of people bitching about being scammed and try to blame Microsoft even though they have never run one update ever.


Jaime
Premium Member
join:2001-06-03
Huntington Beach, CA

1 edit

Jaime

Premium Member

Ok ok ok, I converted

Well, I finally broke. I have downloaded Firebird and am liking it. I clicked on the link in IE, then everything *looked* normal; now I see it as a bogus page. I really hope MS gets their stuff together before even more people start migrating to alternative browsers.


rjackson

join:2002-04-02
Ringgold, GA

rjackson

Somebody say Phish?

Oh well.

I've never used Microsoft Internet Explorer for any extended period of time, mainly cause it is so devoid of useful features. But man, this is huuuuge. An exploit that doesn't depend even on basic scripting to be turned on. Sure am glad I don't have to worry with it.

lt_wentoncha
Red6
join:2002-05-12
000000

2 edits

lt_wentoncha

Member

AOL s'aight


[screenshots: Micysoft, Symanty]
AOL 8.0 Browser catches somehow.
