Internet Explorer Open to Phishing Attack

After evaluating a publicly reported phishing method that affects Internet Explorer among other browsers, Microsoft published a security advisory this week to let users know that it will not issue a security update to close off the attack vector.

"This is an example of how current standard Web browser functionality could be used in phishing attempts," the Microsoft advisory reads in a FAQ question called, "Will Microsoft issue a security update to address this threat?" (The short answer to the FAQ question is "No.")

The problem arises from having multiple, overlapping browser windows, some of which carry no address bar or other indication of the site that opened them. Phishing scammers could use this behavior to redirect a user to a trusted site and, at the same time, open their own unidentified browser window as a dialog box on top of the trusted site's window, positioning the dialog box so that the legitimate URL in the underlying window remains visible.

For example, let's say the scammer wants to pull the typical bank phishing scam, where the phishing site operator spams millions of users with a faked message from a legitimate bank. The message directs customers to update their personal financial information at a Web site. The phisher's hope is that a few of the bank's customers will fall for the fake message, visit the phishing site and enter their personal information.

Users have become more sophisticated about checking that the URL in the address bar corresponds to the institution to which they are supposedly sending their updates. The new phishing technique gets around that check for the phishing organization. In the example, the user would see the URL of the trusted bank in the address bar of the underlying window. However, the phishing organization would have simultaneously opened another window with no address bar and positioned it on top of the bank's Web page, obscuring parts of it and offering fields for the customer to enter information. Anything typed into those fields would be sent to the phishing organization, not the bank.

In justifying a decision not to change the behavior of Internet Explorer, Microsoft pointed to its current guidance on avoiding spoofing and phishing attacks. "If a particular window or dialog box does not have an address bar and does not have a lock icon that can be used to verify the site's certificate, the user is not provided with enough information on which to base a valid trust decision about the window or dialog box," the company's advisory reads.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
