[NBLUG/talk] [Fwd: [PCUGR Digest 1240] phishing method exploits browser features
Paul Larkin
larkin at jps.net
Tue Dec 14 22:41:08 PST 2004
(I deleted message #1, irrelevant here).
So do youse think this is an issue? Thanks.
-------- Original Message --------
Subject: [PCUGR] Digest Number 1240
Date: 14 Dec 2004 07:50:28 -0000
From: pcugr at yahoogroups.com
Reply-To: pcugr at yahoogroups.com
To: pcugr at yahoogroups.com
2. New phishing method exploits browser features- 12/13/04
From: Ben Ezzell <ben at ezzell.org>
________________________________________________________________________
Message: 2
Date: Mon, 13 Dec 2004 20:16:31 -0800
From: Ben Ezzell <ben at ezzell.org>
Subject: New phishing method exploits browser features- 12/13/04
Subject: Oxygen3 24h-365d [New phishing method exploits browser features-
12/13/04]
"He who is not very strong in memory should not meddle with lying."
Michel de Montaigne (1533-1592); French essayist.
- New phishing method exploits browser features -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)
Madrid, December 13 2004 - Secunia has reported a method of attack that
could affect many types of browser, such as Internet Explorer, Mozilla,
Firefox, Opera, Konqueror and Safari, and which could be used for fraud and
phishing attacks in particular.
This type of attack is based on the fact that a website can inject content
into another website's window if the target name of the window is known.
This could be exploited by a malicious website to spoof the content of a
pop-up window opened on a trusted website. A user with two websites open on
their system -the attacker's and another- could click on a link to open
another page which could be spoofed by the attacker.
An attack could start with a false email sent by the malicious user to the
intended victim with a link that opens two pages: the real one
corresponding to a bank, say, and the attacker's web page. The victim would
see the genuine page and when clicking on a link on the page, a pop-up
would appear requesting the user name and password. This pop-up is really
opened up by the malicious web page in the background and therefore any
data entered goes straight into the hands of the attacker.
There is some argument as to whether the situation described above is due
to a legitimate feature in the browsers or a vulnerability. In any event,
the method is completely functional and could be used for phishing-type
attacks.
At present there are no updates or patches to prevent these attacks. For
this reason, it is highly advisable to make sure you don't have more than
one window open when using a website of a confidential nature, such as
online banking services.
More information from the Secunia advisory is available at:
http://secunia.com/secunia_research/2004-13/advisory/
NOTE: The address above may not show up on your screen as a single line.
This would prevent you from using the link to access the web page. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
--
Paul
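
The forwarded bulletin ties the attack to the target name of a window being known. As an added example (not part of the forwarded message or the Secunia advisory), the script below lists the fixed window names a site's own markup exposes so they can be reviewed; `findFixedWindowNames` and the sample page are constructed for illustration, and treating fixed names as the thing to review is an assumption drawn from the bulletin's description.

```javascript
// Added example: audit a page's markup for predictable window target names.
// Reserved keywords do not create a named window, so they are ignored.
const RESERVED = new Set(["_blank", "_self", "_parent", "_top"]);

// Constructed sample markup, not taken from any real site.
const SAMPLE_PAGE = `
<a href="/help" target="_blank">Help</a>
<a href="/login" target="loginwin">Sign in</a>
<form action="/pay" target='payframe'></form>
<script>
window.open("/statement", "stmt", "width=400");
window.open(url, "_blank");
</script>
`;

// Hypothetical helper: returns every fixed, non-reserved window name found.
function findFixedWindowNames(html) {
  const findings = [];
  // target="name" on elements that can open or reuse a named window
  const attrRe = /<(a|area|form|base)\b[^>]*?\btarget\s*=\s*(["'])(.*?)\2/gi;
  // window.open(url, "name") where the name is a string literal
  const openRe = /\bwindow\.open\s*\(\s*[^,()]+,\s*(["'])(.*?)\1/g;
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    const name = m[3].trim();
    if (name && !RESERVED.has(name.toLowerCase())) {
      findings.push({ kind: "target", name });
    }
  }
  while ((m = openRe.exec(html)) !== null) {
    const name = m[2].trim();
    if (name && !RESERVED.has(name.toLowerCase())) {
      findings.push({ kind: "window.open", name });
    }
  }
  return findings;
}

for (const f of findFixedWindowNames(SAMPLE_PAGE)) {
  console.log(`${f.kind}: fixed window name "${f.name}"`);
}
```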