Internet Explorer Cross Frame Scripting Bypass Bug
28th February 2004

return to home page

A bug in Internet Explorer brings more Phishing Scam woes...

iDefense.com publicly announced the bug yesterday, which will allow phishing scam artists to capture key strokes as users enter information into log in and form pages of genuine sites while using Internet Explorer browsers (v5.01, 5.5 and 6).

The bug allows this to happen by using javascript to display the genuine site page within another domain using a frameset. By framing the genuine page in one main window of another site's page, the visitor sees the genuine page.

Framesets are commonly used in the design of web pages, they allow you to have more than one page displayed as if they were one page, above each other or beside each other such as the top banner being one, the side bar being another and the page content being another. Learn more here.

Microsoft have yet to issue a patch but the bug will only work if active scripting is enabled. We've set up a Cross Frame Scripting Bug Example, but have only coded the page to display the key strokes in the status bar (further scripting could allow fraudsters to receive the keystrokes by email).

Microsoft are so far placing emphasis on ensuring that internet users should verify the identity of the page they are visiting before interacting with it in any way. Normally, a visitor will see the true URL in the address bar. However...

Dangers...

Whilst it is true that the address bar will reveal the location of the web page that you are visiting, it is possible to close the address bar completely using a script within a web page or link code.

Some phishing scams deploy the use of domain names that are crafted to appear to be part of, or directly related, to the site in question or the action being required by the spoof email message. Instances have included 'ebay-update.com' which is in no way related to, or part of, eBay Inc.

If your Internet Explorer browser does not have the latest security patch installed (use windows update to check), then any link to that page that is coded to exploit the URL Spoofing (URL Canonicalization) vulnerability will allow show the page with a forged URL. This means that the key strokes could be captured from a genuine page served up with a genuine URL while you are at a completely different domain.

Avoid becoming a victim...

Enable Active Scripting for Trusted Sites only and disable it for the Internet Zone. This bug can not then be exploited when visiting any site that is not in your Trusted Sites Zone. You will still see the genuine page from within the other domain, but your key strokes can not be captured as before. Go to Internet Options then select the Security Tab to add sites to the Trusted Zone and select the ' Custom Level' button and scroll down to alter settings for Active Scripting for each zone.

Confirm the identity of the page that you are visiting - if the address bar is absent, then right click on a blank area and select 'Properties' to view the URL of the page. If right click is disabled, then assume the worst and just close the browser window.

Be certain that the URL that you do see in the address bar is not some domain name formulated to appear genuine or related to the genuine site. As stated above, update-ebay.com is in no way associated with ebay.com

 

Addionally...

Treat all email with suspicion - What you see in the email body can be forged, the sender's address or return address can be forged and the email header can also be manipulated to disguise its true origin

Never use a link in an email to get to any web page. If you must go there, type the URL directly into your browser's address bar

Never send personal or financial information to any one via email

Always use a secure sign in page whenever there is one available, and check for the gold coloured padlock icon in the bottom of the browser frame. You can double check the validity of the secure sign in page by viewing the certificate details (double click the padlock icon). Ensure that the certificate is issued to the site that your are viewing.

Regularly log into your online accounts - don't leave it for as long as a month before you check each account

Scrutinise your bank, credit and debit card satements and ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers

Ensure that all of your software is up to date - for instance, if you use Microsoft's Windows, run Windows Update every day when you first connect to the internet and before surfing the internet or checking email. If you use other operating systems or browsers then check daily for patches or updates. Security loop holes are regularly discovered in software and many of these scams have utilised a bug or vulnerability in Internet Explorer.

Update your Antivirus and Firewall programs every day and when you first connect to the internet and before surfing the internet or checking email. This will keep your virus definition and firewall files up to date. Enable any auto update feature of your antivirus and firewall programs to ensure that you stay updated while surfing.

If you must use your financial information online, ensure that you have adequate insurance against fraud

Be good, be careful and most of all ..... be aware.

Advice to web masters...

Prevent your content from being framed or used in framesets and prevent this bug being exploited using your pages. The following code used at the very top of your page code will work well ...

<script>if(frames){if(top.frames.length>0)top.location.href=self.location;}</script>

More on Phishing ...

Brief guide to Phishing

Read the full article - Phishing, Identity Theft and Email Scams.

See many image snapshots of the spoof emails and web pages or sites used in real Phishing scams in our Archive of Email Scams.

If you have received a forged email, then please use the report a scam form to be examined and we will publish it if it reveals new information about these scams.