Internet Explorer Open to Phishing Attack

After evaluating a publicly reported phishing method that affects Internet Explorer among other browsers, Microsoft published a security advisory this week to let users know that it will not issue a security update to close off the attack vector.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," the Microsoft advisory reads, in response to the FAQ question "Will Microsoft issue a security update to address this threat?" (The short answer to that question is "No.")

The problem arises from having multiple, overlapping windows, some of which are not identified by source. Phishing scammers could use the behavior to redirect a user to a trusted site. Simultaneously, the phishing site would open its own, unidentified browser window as a dialog box on top of the trusted site's window, positioning the dialog box so that the legitimate URL remains visible.

For example, let's say the scammer wants to pull the typical bank phishing scam, where the phishing site operator spams millions of users with a faked message from a legitimate bank. The message directs customers to update their personal financial information at a Web site. The phisher's hope is that a few of the bank's customers will fall for the fake message, visit the phishing site and enter their personal information.

Users have become more sophisticated about checking that URLs correspond to the institution to which they are supposedly sending their updates. The new phishing technique gets around that problem for the phishing organization. In the example, the user would see the URL of the trusted bank. However, the phishing organization would have simultaneously opened another window with no URL and positioned it on top of the bank's Web page, obscuring parts of it and offering fields for the customer to enter information. That information would be sent to the phishing organization.

In justifying a decision not to change the behavior of Internet Explorer, Microsoft pointed to its current guidance on avoiding spoofing and phishing attacks. "If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site's certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box," the company's advisory reads.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
