[Dailydave] Interesting phish

Fyodor fyodor at insecure.org
Mon Feb 12 16:13:30 EST 2007


On Mon, Feb 12, 2007 at 02:16:23PM -0500, Tyler Krpata wrote:
> I had an interesting Bank of America phish pointed out to me...it gets
> around the "wrong URL" problem by popping up a new window which
> disables the location bar and creates a lookalike IE location bar of
> its own which contains a legit URL. This is something I had actually

IMHO, pages should not be able to hide your location bar, titlebar, or
menubar, prevent you from resizing/moving/scrolling windows, or
anything of the sort.  Firefox has for many years offered config
options to protect you from all this.  Unfortunately, some of them are
still not enabled by default.  CERT has a good description here of the
features (related to a similar spoofing exploit which used XUL):

http://www.kb.cert.org/vuls/id/262350

I don't know if IE offers this sort of protection.  The release notes
for IE7[1] at least note a way to prevent status bar spoofing (you
need to enable this explicitly though) and they finally decided that
web pages should not be able to secretly snarf all of the data in your
clipboard.

Cheers,
Fyodor
[1] http://msdn2.microsoft.com/en-us/ie/aa740486.aspx
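As an added example (not from the original post nor from Firefox's own code), the snippet below audits a window.open() feature string the way Firefox of that era interpreted it, reporting which browser-chrome elements a pop-up would hide and which dom.disable_window_open_feature.* preference keeps each one visible; the preference names are the historical Firefox ones and are assumed here.

```javascript
// Chrome elements a page could ask window.open() to hide, mapped to the
// Firefox preference that overrides the request (set it to true in
// about:config or user.js). Pref names assumed from Firefox of that era.
const CHROME_FEATURES = {
  location:   "dom.disable_window_open_feature.location",
  menubar:    "dom.disable_window_open_feature.menubar",
  toolbar:    "dom.disable_window_open_feature.toolbar",
  status:     "dom.disable_window_open_feature.status",
  resizable:  "dom.disable_window_open_feature.resizable",
  scrollbars: "dom.disable_window_open_feature.scrollbars",
};

// Parse "a=yes,b=no,c" into {a: true, b: false, c: true}.
// A bare name counts as enabled; "yes" and "1" enable, anything else disables.
function parseFeatures(features) {
  const parsed = {};
  for (const item of features.split(",")) {
    const [rawName, rawValue] = item.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    const value = rawValue === undefined ? "yes" : rawValue.trim().toLowerCase();
    parsed[name] = value === "yes" || value === "1";
  }
  return parsed;
}

// Returns [{feature, pref}] for every chrome element the call would hide.
// An empty feature string opens a normal window with all chrome; a non-empty
// one hides every chrome element that is not explicitly turned on, which is
// why "width=700" alone already drops the location bar.
function auditWindowOpen(features) {
  if (features.trim() === "") return [];
  const requested = parseFeatures(features);
  const hidden = [];
  for (const [feature, pref] of Object.entries(CHROME_FEATURES)) {
    if (!requested[feature]) hidden.push({ feature, pref });
  }
  return hidden;
}

// Constructed sample: the kind of pop-up a lookalike location bar relies on
// (real location bar off, fixed size so the fake bar lines up).
const samplePopup = "toolbar=no,location=no,menubar=no,status=no,resizable=no,width=700,height=500";
for (const h of auditWindowOpen(samplePopup)) {
  console.log(`${h.feature} hidden; keep it visible with ${h.pref}=true`);
}
```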