Topic: ALERT:Phishing exploit in IE, Firefox, Safari, and others  (Read 1341 times)

0 Members and 1 Guest are viewing this topic.

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
ALERT:Phishing exploit in IE, Firefox, Safari, and others
« on: June 22, 2005, 10:28:19 am »
Phishing attacks are fast becoming the most popular type of attack there is on the Internet, and it's little wonder why when you consider the vast rewards to be had: credit card numbers, bank accounts, passwords, PINs ... the list is endless. Perhaps that's why Internet security firm Secunia decided to issue a warning about a major security hole in Internet Explorer (for Windows and Mac), Firefox, Camino, Safari, and iCab browsers that could allow phishing on a grand scale.

The flaw, of which Secunia has provided a proof-of-concept, takes advantage of the fact that JavaScript dialog boxes "do not display or include their origin." By carefully crafting some JavaScript, a clever attacker could force JavaScript windows to pop up while you're browsing a trusted site. To an unsuspecting user, the dialog box would appear to be from the trusted site, but in actuality it could point anywhere--most likely to an identity thief's log file.

Microsoft has confirmed the presence of this bug in IE, but has said it has no plans at this time issue a patch. The flaw, Microsoft said, is due to a shortcoming in JavaScript itself, not IE. Microsoft has posted a guidance text on how to avoid being fooled by such techniques.

Mozilla, the maker of Firefox, declined to comment as well. Only the Norwegian-based Opera browser is immune to this attack, thanks largely to a recently-released patch.


ERIC'S OPINION
If you're a black hat these days, phishing is where it's at. It's almost funny to see how the hacker community has morphed from a bunch of vandalistic hoodlums into a bunch of capitalistic hoodlums. Take viruses, for example. In the old days, a virus did a variety of nasty things to your PC: erasing files, killing your boot sector, and so forth. Not anymore.

No, the going thing these days is to zombify your machine, assembling armies of hundreds of thousands of compromised PCs. These "armies" are sold as spam slaves to the scum-sucking, parasitic, lowlife dredges of the animal world commonly known as "spammers," who then use them to bounce billions of Viagra porn ads into our inboxes daily. A good army of 150,000 PCs can net a hacker US$30,000 for just one spam round. It makes organized crime look petty by comparison.

Phishing is even more lucrative, as most phishers operate outside of the countries they target. Prosecution is difficult to impossible, and that's if you find the phishers in the first place. It's estimated that as much as $1 trillion a year is lost due to scams like phishing.

The sad part is, phishers can defeat just about any security measure you put in an application because they depend on the dumbest link in the whole chain to get their dirty work done: the human. Until people are educated as to the consequences of clicking an "OK" box, phishers and their ilk are going to continue to thrive. That's something no patch from anyone is going to fix.

Help prevent identity theft from phishing scams
http://www.microsoft.com/athome/security/email/phishing.mspx

MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline E_Look

  • Grand High Scribe
  • Captain
  • *
  • Posts: 6446
Re: ALERT:Phishing exploit in IE, Firefox, Safari, and others
« Reply #1 on: June 22, 2005, 11:35:41 pm »
+1

Thanks for the public service message.

Offline Mr_Tricorder

  • 3D modeler /animator
  • Hot and Spicy
  • Lt. Commander
  • *
  • Posts: 1040
  • Gender: Male
  • Trekkie at Large
    • My myspace page
Re: ALERT:Phishing exploit in IE, Firefox, Safari, and others
« Reply #2 on: June 23, 2005, 12:26:41 am »
I guess I better switch to Opera as my main browser and not just my backup one.

Offline Elvis

  • Lt. Junior Grade
  • *
  • Posts: 322
Re: ALERT:Phishing exploit in IE, Firefox, Safari, and others
« Reply #3 on: June 23, 2005, 07:40:29 am »
Quote
I guess I better switch to Opera as my main browser and not just my backup one.

The real solution is too click on the "X" in the top right hand corner of the java script box and not "ok". Everyone who uses the computer has got to understand though.
« Last Edit: June 23, 2005, 12:53:02 pm by Elvis »

Offline Mr_Tricorder

  • 3D modeler /animator
  • Hot and Spicy
  • Lt. Commander
  • *
  • Posts: 1040
  • Gender: Male
  • Trekkie at Large
    • My myspace page
Re: ALERT:Phishing exploit in IE, Firefox, Safari, and others
« Reply #4 on: June 23, 2005, 10:16:44 am »
I never click "ok" anyway unless I know exactly what I'm saying ok to.  I learned my lesson about that "ok" button years ago.