Its a common internet fraud crime and internet users are the target of Spoof email hoax scams and fake or forged web pages. Click to go to home page.
 

 

Press Release

March 16th , 2004
(edited 29th March 2004)

Please let us know if you use a Press Release

 

return to home page

return to press releases

  

Browser Address Bar Spoofing - a new tool in a Phisher's box of tricks.

 

The second find of a bogus web page involving a spoofed Address Bar makes its appearance within 24 hours of the first, suggesting a new trend in fooling the innocent...

Since Microsoft plugged the vulnerability in Internet Explorer browsers which allowed URL spoofing, fraudsters have found another method of spoofing that shows a genuine URL with a bogus web page.

Address bar spoofing involves the removal of the browser address bar and replacing it with images and text which look exactly like the genuine thing (including the Internet Explorer 'Go' button). Two reports of this worrying new means of fooling internet users have come to MillerSmiles.co.uk in the last 24 hours.

The first report, which involved a bogus eBay web page (see http://www.millersmiles.co.uk/identitytheft/031504-ebay-2.php), had a spoofed address bar which showed the URL as a genuine secure URL for part of the ebay.com web site. The actual url of the web page was of-course something completely different and related to a site which has nothing to do with eBay. The user was further presented with a bogus web form to supply personal, financial and account information which would have been sent to fraudsters using a form to mail script.

The second instance occurred in less than 24 hours from the first and users were this time faced with a bogus Paypal page with the spoofed address bar again displaying a genuine https URL for part of the paypal.com web site, see http://www.millersmiles.co.uk/identitytheft/031604-paypal-1.php for more on this phishing scam.

 

These pages were constructed in the following manner ...

1. a link in a spoofed email opens a new browser window which is scripted to immediately close itself and reopen with the address bar (and possibly the status bar) removed,

2. the new window contains a variable combination of HTA, HTML and javascript commands which construct a fake address bar using images and text (the text comprises a genuine URL).

 

There are three means of identifying this kind of bogus content though...

1. firstly, you will see a difference in the colour of parts of the address bar (namely the 'Go' button) if you use a different windows appearance setting other than Windows Classic (which displays windows in a light grey colour).

2. Secondly, where the status bar is visible, you will notice the absence of the yellow padlock symbol which denotes that you are indeed at a secure (https) page.

3. By using the File menu you can view the Properties of the web page and see that the URL does not match whatever is being displayed in the fake address bar.

 

Address bar spoofing is aimed at users with Internet Explorer browsers, which accounts for the vast majority of internet users around the world. Many sites report over 90% of visitors use Internet Explorer.

The extended concern here is that this kind of spoofing can be delivered from any web content, and does not rely on the Spoofed Email for its proper execution since all the relevant code resides within the bogus content itself. For instance, linking to this kind of spoofing from an auction site, which permits external links and scripts in auction listings, could result in many more victims.

MillerSmiles.co.uk is a site dedicated to publishing daily doses of spoof email and phishing scams that are propogating the net and targeting various users of major sites.

"We are seeing the first outings of a new form of web page spoofing that could well fool many internet users with very convincing content. Our hope is that by bringing these scams to the attention of internet users on a daily basis, we may build awareness sufficiently to seriously reduce the number of victims netted in these scams." Mat Bright, Editor at MillerSmiles.co.uk goes on to emphasis, "Our best advice is to spread the word and help build awareness as far as you possibly can, and to strictly follow our recommendations on how to avoid becoming a victim."

Is there a cure? Since these spoofed web pages just use commonly available scripting and coding, this doesn't really qualify as a software or browser bug, so the idea of a cure is wasteful. Disabling scripting and Active X controls will prevent the display of the spoofed address bar or page, but most users get frustrated with repeated alert boxes if their settings show prompts to allow or disallow such coding, and disabling these would prevent many web pages form even displaying in a browser window full stop.

MillerSmiles.co.uk operates a daily news feed which summarises each report of spoof email and phishing scams as they are published on their site which already houses hundreds of examples sent in to them. Their news feed can be used on other web sites using their script builder and can be accessed in news readers and aggregators, see http://www.millersmiles.co.uk/identitytheft/scam_alert_rss_feed.php for more.

 

Avoid becoming a victim of a Phishing Scam by following these simple rules ...

Treat all email with suspicion - What you see in the email body can be forged, the sender's address or return address can be forged and the email header can also be manipulated to disguise its true origin

Never use a link in an email to get to any web page. If you must go there, type the URL directly into your browser's address bar

Never send personal or financial information to any one via email

Regularly log into your online accounts - don't leave it for as long as a month before you check each account

Scrutinise your bank, credit and debit card statements and ensure that all transactions are legitimate. If anything is suspicious, contact your bank and all card issuers

Ensure that all of your software is up to date - for instance, if you use Microsoft's Windows, run Windows Update every day when you first connect to the internet. If you use other operating systems or browsers then check daily for patches or updates. Security loop holes are regularly discovered in software and many of these scams have utilised a vulnerability in Internet Explorer

If you must use your financial information online, ensure that you have adequate insurance against fraud

Utilise the Trusted Zone facility in Internet Explorer browsers to allow active scripting only from web sites that you implicitly trust, and set the Internet Zone to prompt you to allow or disallow active scripting in sites that you do not implicitly trust. This will prevent the unknown operation of these malicious scripts which are involved in these phishing scams. Its a nuisance to most internet users to be prompted to allow or disallow such a widely used form of scripting, but for safety purposes it really is a must.

Use a Pop-up blocker. Such a program would prevent the display of pages born with their address bar spoofed. Add only implicitly trusted sites to the 'allow pop ups' section of any blocker.



MillerSmiles.co.uk
Its a common internet fraud crime and internet users are the target of Spoof email hoax scams and fake or forged web pages.
© Copyright Oxford Information Services Ltd. All Rights Reserved.
All other logos and trademarks in this site are property of their respective owners