A new potential phishing attack vector was revealed this week that might
put Microsoft Internet Explorer users at risk if they’re not careful.
The Microsoft Internet Explorer Pop-up Window Title Bar Spoofing Weakness
has been rated as less critical by security firm Secunia and has been
assigned the CVE reference of CAN-2005-0500. The potential vulnerability was
discovered by a security researcher going by the name of Bitlance Winter who
posted the exploit code to a popular security disclosure list.
Bitlance’s IE phishing exploit apparently takes advantage of a weakness
in the way script-initiated pop-up windows are handled by IE.
“Windows XP SP2 forces the title bar to be present in script-initiated
Internet Explorer windows,” Bitlance Winter wrote. “In the title bar, domain
name is listed before the page title.”
“Using magic DNS, this domain name can be exploited by malicious people to
trick users into visiting a malicious pop-up window,” he added.
In the exploit code as posted by Bitlance Winter, financial institution
Citibank is used as an example.
The code loads the real Citibank Web site in the main window and opens a
pop-up window that, as specified by SP2, displays the address of the site.
In the exploit example, that address does in fact begin with the
Citibank.com domain. On closer examination, however, it is really just a
longer address (http://securelogin.citibank.com”+”.e-gold.com) whose
remainder cannot be seen in the pop-up window at the size the script
specified for the window.
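The check a mail filter, proxy or reviewer could apply to the address described above, as an added example that is not code from the article or from the posted exploit: it compares the full hostname against a trusted domain instead of the visible prefix. The `TRUSTED` list, the function names, the two-label site-domain rule and the character-count model of the title bar are assumptions made for illustration.

```javascript
// Added example, not from the article or the posted exploit code.
// Assumption: a site's own domain is the last two labels of the hostname.
// Real tooling should use the Public Suffix List for this step.
const TRUSTED = ["citibank.com"]; // constructed allowlist

function normalizeHost(urlString) {
  return new URL(urlString).hostname.toLowerCase().replace(/\.$/, "");
}

function siteDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Classify a URL as "trusted", "lookalike-prefix" or "untrusted".
function classifyUrl(urlString, trusted = TRUSTED) {
  const host = normalizeHost(urlString);
  const site = siteDomain(host);
  if (trusted.includes(site)) return { host, site, verdict: "trusted" };
  const labels = host.split(".");
  for (const name of trusted) {
    const width = name.split(".").length;
    // Stop before the final labels: those are the real site domain.
    for (let i = 0; i + width < labels.length; i++) {
      if (labels.slice(i, i + width).join(".") === name) {
        return { host, site, verdict: "lookalike-prefix", embeds: name };
      }
    }
  }
  return { host, site, verdict: "untrusted" };
}

// Simplified model of a narrow title bar: keep the first maxChars characters.
// (Real truncation depends on pixel width and font; this is an assumption.)
function visibleAddress(urlString, maxChars) {
  const u = new URL(urlString);
  return `${u.protocol}//${normalizeHost(urlString)}`.slice(0, maxChars);
}

// The address described in the article, with the two string halves joined.
const popupUrl = "http://securelogin.citibank.com.e-gold.com/";
console.log(visibleAddress(popupUrl, 31)); // what a narrow window shows
console.log(classifyUrl(popupUrl));        // what the full hostname says
```

The visible prefix and the classification disagree for the article's address, which is the condition worth alerting on.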
IE isn’t the only browser targeted by phishers hoping to confuse users with
some form of spoofed address bar. Alternative browsers such as Mozilla and
Firefox were recently reported to be at risk from an IDN Spoofing Security
Issue. In that scenario, the phisher uses international characters in an
address bar to trick users into thinking the site is legitimate.