Phishing attacks are fast becoming the most popular type of attack there is on the Internet, and it's little wonder why when you consider the vast rewards to be had: credit card numbers, bank accounts, passwords, PINs ... the list is endless. Perhaps that's why Internet security firm Secunia decided to issue a warning about a major security hole in Internet Explorer (for Windows and Mac), Firefox, Camino, Safari, and iCab browsers that could allow phishing on a grand scale.
The flaw, of which Secunia has provided a proof-of-concept, takes advantage of the fact that JavaScript dialog boxes "do not display or include their origin." By carefully crafting some JavaScript, a clever attacker could force JavaScript dialog windows to pop up while you're browsing a trusted site. To an unsuspecting user, the dialog box would appear to be from the trusted site, but in actuality it could point anywhere, most likely to an identity thief's log file.
Microsoft has confirmed the presence of this bug in IE, but has said it has no plans at this time to issue a patch. The flaw, Microsoft said, is due to a shortcoming in JavaScript itself, not IE. Microsoft has posted guidance on how to avoid being fooled by such techniques.
Mozilla, the maker of Firefox, declined to comment as well. Only the Norwegian-based Opera browser is immune to this attack, thanks largely to a recently-released patch.
ERIC'S OPINION

If you're a black hat these days, phishing is where it's at. It's almost funny to see how the hacker community has morphed from a bunch of vandalistic hoodlums into a bunch of capitalistic hoodlums. Take viruses, for example. In the old days, a virus did a variety of nasty things to your PC: erasing files, killing your boot sector, and so forth. Not anymore.
No, the going thing these days is to zombify your machine, assembling armies of hundreds of thousands of compromised PCs. These "armies" are sold as spam slaves to the scum-sucking, parasitic, lowlife dregs of the animal world commonly known as "spammers," who then use them to bounce billions of Viagra porn ads into our inboxes daily. A good army of 150,000 PCs can net a hacker US$30,000 for just one spam round. It makes organized crime look petty by comparison.
Phishing is even more lucrative, as most phishers operate outside of the countries they target. Prosecution is difficult to impossible, and that's if you find the phishers in the first place. It's estimated that as much as $1 trillion a year is lost due to scams like phishing.
The sad part is, phishers can defeat just about any security measure you put in an application because they depend on the dumbest link in the whole chain to get their dirty work done: the human. Until people are educated as to the consequences of clicking an "OK" box, phishers and their ilk are going to continue to thrive. That's something no patch from anyone is going to fix.
Help prevent identity theft from phishing scams
http://www.microsoft.com/athome/security/email/phishing.mspx