TOP STORY — info you need to make Windows work
SPECIAL REPORT: Hackers grab IE's address bar
By Brian Livingston
Scam artists on the Internet have developed a way to make your browser's
address bar say that you're viewing a legitimate Web site — when you're
actually visiting a malicious site instead. The new technique is known to
affect Microsoft's Internet Explorer (IE) browser, but also affects the
Netscape browser and possibly others as well.
This new rip-off method is a disturbing evolution in a fast-growing wave
of e-mail scams called "phishing." The typical scheme involves an attempt to
get victims to reveal a credit-card number, online banking password,
or other personal information.
Here's how the latest exploit works:
• A convincing-looking e-mail. You receive an e-mail message
that looks exactly like a real notice from a bank, PayPal, eBay, or other
financial institution. The message informs you that your account information
has been lost in some way, and instructs you to visit the institution's Web
site to re-enter your account details.
• A convincing-looking Web page. A link in the message, when
clicked, takes you to a page that looks exactly like the official site you'd
expect to see, complete with a corporate logo and other design features.
But the page is actually on a temporary domain name that's been set up for
this purpose by the "phisher."
• A hijacked address bar. Up to this point, the phishing exploit
has been identical to hundreds of older scams that have plagued the Internet
for months. The new wrinkle — and the most frightening aspect —
is that the address bar of your browser says you're on a page of the
financial institution's site. The actual Web address is invisible, because
the phisher's site has run code that replaced your browser's real address
bar with a fake one.
The fake address bar has an input box that actually works if you type in
another site you wish to visit. But the code that put up the fake address bar is
still running until you close the browser. This raises the possibility
— so far unseen in the wild — that the phisher's code could record
other passwords you happen to enter at other sites.
How the scam looks
The graphic at left shows an example of an IE address bar that's been
taken over by a phishing Web site. The address bar looks normal, but it
isn't. It's a graphic (with a working input box) that's been positioned
where IE's actual address bar should be.
The address in the fake address bar — part of a real-life example that
was launched on Mar. 31 — starts out with "https://". This suggests that
you're in a secure HTTP session. But you aren't.
The domain name that's shown in the address bar in this example is
"web.da-us.citibank.com". This is followed by a path to an actual login
page at Citibank. The address that's displayed in the address bar is
identical to the one that Citibank customers would see if they were
visiting their genuine online Citibank account.
The address of the page the victim is really visiting is hidden. The
real address, in this case, is dotted-decimal (in 255.255.255.255 format)
so as to obscure the phisher's true identity. Such an odd-looking Web address
would raise questions in the minds of many Internet users, if they could see
it. This, of course, is why the fake address bar shows a respected
address instead.
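A mail filter or browser toolbar can catch the mismatch described above before the page is ever rendered: the visible link text shows the bank's "https://" address while the real destination is a dotted-decimal IP address. The following Python is an added example, not code from the newsletter or from any product it mentions; the HTML fragment is constructed, 192.0.2.10 is a documentation-range address, and the Citibank path is a placeholder.

```python
import html
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the style of the phishing mail the article describes:
# the link text shows the bank's real https:// host, the href points at a
# bare IP address (192.0.2.10 is reserved for documentation, RFC 5737), and
# the /login path is a placeholder, not Citibank's actual login page.
SAMPLE_PHISH_HTML = """
<p>Dear customer, please re-enter your account details:</p>
<a href="http://192.0.2.10/login">https://web.da-us.citibank.com/login</a>
<p>Honest links for comparison:</p>
<a href="https://www.example.com/account">https://www.example.com/account</a>
<a href="https://www.example.com/help">Help</a>
"""

ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
TAG_RE = re.compile(r"<[^>]+>")


def host_is_ip(host: str) -> bool:
    """True when the host part is a raw IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def inspect_link(href: str, text: str) -> list:
    """Compare where a link says it goes (its text) with where it really goes."""
    findings = []
    real = urlsplit(href)
    real_host = (real.hostname or "").lower()
    if host_is_ip(real_host):
        findings.append("href host is a bare IP address: " + real_host)
    # Only compare hosts when the visible text itself looks like a URL.
    if re.match(r"^https?://", text, re.IGNORECASE):
        shown = urlsplit(text)
        shown_host = (shown.hostname or "").lower()
        if shown_host != real_host:
            findings.append(
                f"link text shows {shown_host} but href goes to {real_host}")
        if shown.scheme.lower() == "https" and real.scheme.lower() != "https":
            findings.append("link text claims https:// but href is " + real.scheme)
    return findings


def scan_html(doc: str) -> list:
    """Return (href, visible text, findings) for every anchor in the document."""
    results = []
    for m in ANCHOR_RE.finditer(doc):
        href = html.unescape(m.group(1)).strip()
        text = html.unescape(TAG_RE.sub("", m.group(2))).strip()
        results.append((href, text, inspect_link(href, text)))
    return results


if __name__ == "__main__":
    for href, text, findings in scan_html(SAMPLE_PHISH_HTML):
        print(href, "->", findings or "clean")
```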
The logos and designs on the phishing site are perfect copies of the
actual corporate site. For this reason, up to 5% of customers who receive a
phishing e-mail actually enter sensitive information into the hacker's site,
according to a new organization that combats such fraud, the
Anti-Phishing Working Group.
Click the graphic, above, for an enlarged view and a description of the
exploit. Or read the description at the anti-phishing site.
Weaknesses that give the scam away
The address-bar switcheroo is accomplished by the phishing Web site running
an HTML Application (HTA) or JavaScript when the visitor clicks the "official"
link. The malicious code hides the real address bar and displays the fake
one instead.
This creates a few weaknesses that you can use to detect a phony
address bar when you see one:
• A short glimpse of the real Web address. Especially on slow,
dial-up connections, the real Web address you're visiting is displayed in
the actual address bar for an instant before it's hidden and replaced with
the fake address bar (and its "official" address).
• No "lock" icon. The phony address bar claims that a secure
HTTP session is taking place. (The address line starts with "https://").
But the malicious code isn't able to make an SSL "lock" icon appear in the
browser's status bar, which usually indicates a secure session. This may change
as phishers become more sophisticated — be sure to read the section
below on ways the lock itself can be faked.
• Default color scheme only. At this writing, the phishing code
uses browser-detection techniques to display an address bar that's appropriate
for IE, Netscape, and so forth. But the fake address bar
uses only the default Windows colors. If you've configured Windows to use a
different color scheme, the fake address bar will look, well, fake.
(You can use the Control Panel's Display applet to change Windows' color
scheme. Click the Appearance tab, then select a Scheme in which the menus of
applications have a color other than the standard background color.)
How to block the address-bar switcheroo
This phishing scam is based on a pop-up window — lacking menus or scroll
bars — that shows up where you expect a normal address bar to be.
"Most pop-up blockers would stop that attack," says Scott Mecredy,
senior product manager for Earthlink, one of the U.S.'s largest Internet
service providers.
Ah, but which pop-up blocker should you choose? CNET's Download.com site lists
184 of them.
One such blocker has recently received multiple plaudits.
PopUpCop received a 2003 PC Magazine Editor's Choice as well as the highest
rating (4.5 out of 5 stars) in a recent BotSpot comparison test. If you go to
that page and then click BotSpot's "Back" link to check each individual
product's review, you'll see ratings of each program on nine different features.
As for Download.com, the site doesn't yet have a rating for PopUpCop —
or 122 other blockers out of the 184 that are listed. Those programs haven't
yet been reviewed. (Trying to review 184 similar utilities must be a
thankless task, eh?)
Most of the pop-up blockers listed in the reviews mentioned above require
a registration fee if you wish to use them beyond a trial period. If you're
looking for a no-cost pop-up stopper, Google and several other companies
offer free toolbars that include this function. PC Magazine in
March 2004 published a short review of the Google toolbar and other
alternatives, some of which also work with the Netscape and Mozilla browsers.
One way to check out your pop-up blocker, whichever one you may decide to use,
is to visit a test page provided by Pop-Up Dummy. This program, developed by
Ksoft of Philadelphia, Penn., offers the page as a way to demonstrate the many
types of pop-ups that it blocks, but you can try the test with any blocker.
The Earthlink toolbar solution
Earthlink itself recently introduced a free, downloadable toolbar that
integrates into IE to stop phishing attacks.
The Earthlink download includes a pop-up blocker, a Google search input box,
and an alert mode called ScamBlocker. The latter feature, if enabled,
re-directs your browser to a warning page if you attempt to visit a Web
site that's on Earthlink's list of known phishing exploits. You can
override ScamBlocker and visit the hacker site after viewing the warning
— but I see no reason why anyone would do so.
Earthlink's Mecredy says users who have the toolbar installed would have been
protected from the Mar. 31 Citibank-style attack. "The bogus URL is contained
in our list of fraudulent URLs," Mecredy says, "so the user would get a warning
before they ever went to that site." For Earthlink subscribers, in addition,
"If you're using our spam blocker, you wouldn't have gotten that spam in the
first place," Mecredy asserts.
At present, Earthlink is relying upon a list of known phishing sites that's
based on reports sent to the Anti-Phishing Working Group. But the ISP's
block list will soon be updated in real-time by Brightmail, a well-known
anti-spam service that constantly monitors new spam content. "We're targeting
some time this month" for Brightmail's rapid-update service to start blocking
new URLs within minutes of their discovery, Mecredy says.
I wrote a complete column on the anti-phishing group and its role in
developing Earthlink's toolbar in my May 3 Executive Tech newsletter.
Will pop-up blockers be enough?
Pop-up blockers were invented to eliminate pop-up windows that are, let's face
it, mostly just annoying. Suddenly, a major new benefit of such blockers is
that they can combat phishers' attempts to replace your browser's address bar
with a phony one. I now recommend that a good pop-up blocker should be part of
every PC user's defenses. That's in addition to having a constantly updated
antivirus program and a firewall.
But some experts feel that even the best pop-up blockers can't stop all
attempts to hijack your address bar.
Mark Steudel is information technology manager for Panicware, the makers of
Pop-Up Stopper. Pop-Up Stopper Companion 4.0.1 is one of only six pop-up
blockers that received a perfect score of 5 out of 5 stars in the
aforementioned Download.com listing of 184 such programs.
"A lot of the previous versions of this [scam] did use a pop-up," says Steudel.
"But the latest one uses Dynamic HTML and JavaScript. It actually creates
a frame on your page."
Frames, of course, are a supported feature of all modern browsers and
cannot be disabled. The latest phishing scams, Steudel says, suppress your
legitimate address bar and replace it with a borderless frame. This, again,
looks exactly like the address bar you expect, but it contains the address
of a trusted financial institution and not the phishing site you're actually at.
"Earlier versions of this would be blocked by Pop-Up Stopper,"
says Steudel. But frames are such an integral feature of today's browsers
that phishers may have finally found a technique that's difficult or
impossible for legitimate users to absolutely rule out.
You can't trust the "lock" icon, either
To make matters worse, the small lock icon that appears to indicate a secure
session in the status bar of all modern browsers can't be trusted,
according to computer security authorities.
Scam artists can buy a digital certificate and use it to establish
"secure" communications, like anyone else. The lock icon would show up in
the status bar, just as you'd expect. Then the certificate (and its associated
Web site) could be abandoned the day after a few million phishing e-mails had
gone out, acquiring hundreds or thousands of credit-card numbers.
But phishers needn't bother to get any certificates. The lock icon doesn't even
prove that any encrypted communications at all are being conducted. The SANS
Institute, a respected security research and training organization, published
last month an analysis of this problem by Dr. Neal Krawetz of the
Secure Science Corporation. He wrote:
"One of the SSL encoding methods is 'plain text.' Most SSL servers have this
disabled by default, but most browsers support it. When plain text is used,
no central certificate authority is consulted and the user never sees a
message asking if a certificate should be accepted (because 'plain text'
doesn't use certificates). Keeping that in mind, the little lock icon may
not even indicate an encrypted channel. The little lock only indicates an
SSL connection."
In addition, the same techniques that are being used to display a fake
address bar could conceivably be used to poke a fake image of a lock
onto a status bar.
IE lets any Web site replace any dialog, anywhere
The most interesting demonstration of the inability of Internet Explorer to
defend its basic user-interface features from hackers was created recently by
Andrew Clover, a British programmer who currently works in Germany.
As described by Bmonday.com, a blog that links to the actual demonstration,
Clover's code
causes a security warning window to open — but the text is immediately
covered by a different, "chromeless" window.
If you have Active Content enabled in IE's Tools, Options, Advanced dialog
box, Clover's borderless window provides reassuring
information and an easy-to-click "Yes" button. The trick covers up the warning
text and the "No" button that would ordinarily appear. (If you go to Clover's
demonstration page, wait a few seconds for the ActiveX content to load, then
drag the title bar of the demo window around to see that something tricky
is going on.)
Theoretically, any Web site could use these same techniques to make any
dialog box that's opened by IE appear to say or do anything.
The answer is a mystery wrapped in an enigma
So if pop-up blockers only stop some, not all, address-bar switcheroos —
and if even "lock" icons and security-warning dialog boxes can't be trusted
— how can PC users ensure that they won't fall prey to the latest
phishing attacks?
Microsoft and others advise that you should double-click the lock icon,
whenever you see it in the status bar of IE, and read the dialog box
that appears. This can help you verify that the name on the digital
certificate matches the site you expected to be visiting.
That's a worthwhile technique. But with the possibility of "chromeless" windows
that can cover up and seemingly replace the text of any security warning,
it may not be 100% reliable. And few people will likely take the time to
double-click every lock icon and interpret the results every time they
use PayPal or access their online bank.
The unfortunate answer is that social-engineering attacks, such as the
phishing expeditions that try to get you to reveal your credit-card numbers and
passwords, require social-engineering defenses. That means people must learn
not to do things that defy common sense. It's ridiculous to think that your
bank "forgot" your credit-card numbers and needs you to "re-enter them."
But these exact appeals have worked because most people want to be on good
terms with their bank and want to provide accurate information when asked
to do so.
Pop-up blockers, antivirus programs, and firewalls can do only so much.
At some point, the public needs to be sufficiently educated about computers
so that preposterous "re-enter your account information" e-mails go
universally unanswered.
This isn't to say that links in e-mails should never be clicked. It's saying
that it should become second nature for us to instantly reject any
appeals that violate basic concepts of logic. Utilities such as Earthlink's
ScamBlocker toolbar can help warn of known phishing sites. But ultimately,
we need to learn that messages saying, "You need to re-enter your credit card
numbers," should spark the response, "Oh, no, I don't."
To send me more information about this, or to send me a tip on any other
subject, visit
WindowsSecrets.com/contact. You'll receive a gift certificate for a book,
CD, or DVD of your choice if you send me a comment that I print.
RECOMMENDED READING — my book reviews of tech topics
Always Use Protection
Don't you wish there was a short, simple book you could give to people
who are just starting out with computers — so they don't have to
learn everything the hard way and you don't need to be their unpaid
tech-support department? Always Use Protection is that
book. (A two-chapter excerpt called Everyday Security and Registry
Tricks was the bonus download for Brian's Buzz's paid subscribers from
Mar. 18 to Apr. 18.)
The work is subtitled A Teen's Guide to Safe
Computing, and that's the way it's being marketed, but I think there's
a lot of common sense in here that older people could benefit from learning,
too. Newbies often think that there's nothing about their PCs that malicious
hackers would be interested in. From viruses to stolen instant-messaging
accounts and from firewalls to identity theft, Dan Appleman's new, 266-page
book makes it clear that it's a dangerous Internet out there and explains how
you can watch out for yourself.
PC Magazine's Windows XP Solutions
One of the first things I turn to when a new issue of PC Magazine comes
out is the Solutions section, where the tips are. Now the mag has
collected all of its great XP advice between the covers of a book. As much as
we think we know about good ol' apps like Outlook Express and Media Player,
author Neil Randall comes along and reveals hidden nooks and crannies we never
really grokked.
Tweakers will be in heaven with the customization tips, while those
who find themselves stuck in nonbootable hell will turn for salvation to
the recovery tips. That means there's something here for just about everyone.
Excel Hacks: 100 Industrial-Strength Tips and Tools
Like the other books in O'Reilly's excellent Hacks series (such as
Google Hacks and
Windows XP Hacks), Excel Hacks progresses from
easy-to-do procedures to more complex, but also more rewarding, mini-programming
projects. You can start from the beginning and quit when you've achieved what
you want, or start in the middle and hone your skills all the way to the
end. Husband and wife team David and Raina Hawley are consulting experts in
Excel, with their own tips site, and it shows in this book.
FORWARDING INSTRUCTIONS — news gains value when it's shared
Please share this information with your friends
You're encouraged to refer your friends and colleagues to this free
newsletter. Because most e-mail programs don't correctly display a formatted
message that's been forwarded, simply call people's attention to
the permanent Web address of this issue:
BriansBuzz.com/w/040506.
HERE'S A TIP — you'll get a better newsletter if you choose the paid version
You're reading the free version of Brian's Buzz on Windows
Subscribers to the paid version receive additional information in each issue.
Some of the extras this week are:
- Sasser worm highlights MS04-011 problems.
Everyone's saying you should install Microsoft's latest Bag-o-Patches to stop
the plague of Sasser attacks. But I've found so many problems with the MS04-011
update — and it's so easy for you to lock out Sasser and its ilk without
making your system unusable, as the patch can do — that I believe you
need the facts before you make a serious mistake.
- Cut Adobe Reader's load time by 60%. Yes, we all use that
slow, slow, slow Reader application to open those PDF files we find everywhere
on the Web. Now there's a free program that opens PDF files so fast that it's
actually a pleasure to read them.
In addition, paid subscribers are entitled to a free bonus download at
least once every three calendar months. I license valuable material on Windows
and make it available to paid subscribers before it's available to anyone else.
You also get to search and read all past paid newsletter content.
You choose the amount you wish to contribute. Contributions support
our research into the secrets of Windows. That makes
the paid version of the newsletter even better, as we reveal to you techniques
that we hadn't suspected even existed.
To upgrade, simply make a contribution of any amount that you choose.
If you do this by May 20, 2004, you'll immediately be sent the full, paid
version of this week's newsletter.
To upgrade to the paid version, please visit
WindowsSecrets.com/upgrade.
Thanks in advance.
BRIAN'S BOOKSHELF — new e-books from the author
Spam-Proof Your E-Mail Address
This 27-page e-book in PDF format gives you step-by-step instructions
that can eliminate 97% of the spam that would otherwise clog your e-mail
account. You could call it "Brian Livingston's Spam Secrets." The book
is the result of months of experiments and tests I conducted, and I now
receive little or no spam to the addresses I used as guinea pigs. These tests
show that you can actually reduce your volume of spam to practically nothing,
not just battle an unstoppable and ever-growing flood. The methods I describe
work with Windows, Apple, and Linux and don't require any filters or block
lists — but you can use those in addition to the book's techniques, if you wish.
WACKY WEB WEEK — playing for you the Internet's greatest bits
The Shining, re-enacted by bunnies
In homage to the late, great Stanley Kubrick, and with apologies to Stephen
King, Jennifer Shiman has created a Flash animation called The Shining in 30
Seconds as Re-Told by Bunnies. This is just the kind of weird, offbeat,
cartoony humor that I know my readers like.
As a result of posting this mini-movie, the entity behind all of this fun,
Angry Alien Productions, says it's been deluged with requests to parody other
films. The list of suggestions includes everything from Jaws, Poltergeist,
Alien, and Evil Dead 2 to Dr. Strangelove, Lord of the Rings, and more. Note:
The animation plays an audio track, so turn down your speakers if you're in a
cubicle.
USEFUL LINKS — more stuff that's good to know
In this section, I provide links to stories I've reported in other media that
you might find interesting.
Proposals offer small steps to stop spam
Spam has grown to dominate legitimate e-mail to such an extent that leaders of
the computer industry might actually be forced to make significant changes to
the worldwide e-mail system as early as this year. I examined the three leading
proposals that offer systemic e-mail changes — one of which would make an
excellent first step.
Phish this, you scum
Imagine you had a Web browser that said things like, "The Internet site
you're about to visit is known to steal credit-card numbers and use them
in unauthorized ways." Now imagine that you can actually use such an application
today. It's already been developed and it's being distributed — free.