   Mischel Internet Security Forum
   Author  Topic: MSIE URLSpoof  (Read 408 times)
Ian
MSIE URLSpoof
« on: Jan 18th, 2004, 9:48pm »

Straight cut'n'paste from Panda Advisory posting...
 
Madrid, January 14, 2004 - Over the last few days, many users have been receiving e-mails telling them that, due to technical or other problems, they need to access a web page to validate their bank details.  
 
One of the most widespread examples of these is one aimed at CITIBANK clients and arrives in an email with the subject "Important Fraud Alert from Citibank". The message itself says that due to a series of operations aimed at detecting illegal banking activity, users need to check if their data is correct by going to a certain website.
 
All these e-mails are false, and are aimed at tricking users into divulging confidential data such as account numbers, user names, passwords or other secret codes and numbers.
 
To do this, generally the messages have been carefully constructed in HTML to perfectly resemble genuine messages sent by the online banking service and deceive users.
 
These mails have been cunningly designed to exploit the URLSpoof vulnerability -as yet uncorrected- in Microsoft Internet Explorer. This flaw makes it possible to trick a user into thinking that the web page they are accessing -from a link on the e-mail- is that of a bank, when really the web page is a replica of the original, hosted elsewhere.
 
In this way, if the user enters the data they are asked to, this will fall straight into the hands of the malicious user that has created the e-mail and web page.  
 
For this reason, Panda Software recommends that all users treat with extreme caution e-mails from banks requesting information, as it is highly likely that it is part of an attempted fraud. In any event, before revealing any confidential information, users should confirm authenticity of the message by contacting the bank in question.  
 
Given the large amount of fraudulent e-mails in circulation, Panda Software has released updates of its products to detect and neutralize any attempt to exploit the Internet Explorer vulnerability mentioned above. These can be downloaded from http://www.pandasoftware.com.
 
Detailed technical information on the URLSpoof vulnerability is available from Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/.

... but crap arrives pretty much straight away.
siliconman01
Re: MSIE URLSpoof
« Reply #1 on: Jan 18th, 2004, 10:02pm »

Here is a link to Symantec's fix on this dated 31-Dec-03.
http://securityresponse.symantec.com/avcenter/venc/data/urlspoof.exploit.html
 
Looks like up-to-date Norton users are protected too.  Or is this an old URLSpoof'er?

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Ian
Re: MSIE URLSpoof
« Reply #2 on: Jan 18th, 2004, 10:16pm »

This is one of those cases where I think that a software fix needs to come from MS. Anyway, there are loads of legitimate HTML codeforms that don't use the 'flaw' that can also show fake website details - it just depends how hard someone is expected to look to spot the spoof!
 
There's nothing any security company can do if someone clicks on the spoofed link... Wink

... but crap arrives pretty much straight away.
siliconman01
Re: MSIE URLSpoof
« Reply #3 on: Jan 19th, 2004, 7:21am »

Gaawwd, I loathe hackers, spoofers, etc.!   Grin Undecided

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Jamming
Re: MSIE URLSpoof
« Reply #4 on: Jan 19th, 2004, 12:03pm »

These are some steps I live by. I forgo the increased functionality and check things out like these corrective measures.
 
MSKBA = Microsoft Knowledge Base Article
 
Quote:
Other steps that you can take
 
Although these actions do not help you to identify a deceptive (spoofed) Web site or URL, they can help limit the damage from a successful attack from a spoofed Web site or a malicious hyperlink. However, they restrict e-mail messages and Web sites in the Internet zone from running scripts, ActiveX Controls, and other potentially damaging content.
 
Use your Web content zones to help prevent Web sites that are in the Internet zone from running scripts, running ActiveX Controls, or running other damaging content on your computer. First, set your Internet zone security level to High in Internet Explorer. To do so, follow these steps:
 
1. On the Tools menu, click Internet Options.
2. Click the Security tab, click Internet, and then click Default level.
3. Move the slider to High, and then click OK.
 
Next, add the URLs for Web sites that you trust to the Trusted Sites zone. To do so, follow these steps:
 
1. On the Tools menu, click Internet Options.
2. Click the Security tab.
3. Click Trusted sites.
4. Click Sites.
5. If the sites that you want to add do not require server verification, click to clear the Require server verification (https:) for all sites in this zone check box.
6. Type the address of the Web site you want to add to the Trusted sites list.
7. Click Add.
8. Repeat steps 6 and 7 for each Web site that you want to add.
9. Click OK two times.
 
 
Read E-mail Messages in Plain Text.  
 
For Outlook 2002 and Outlook 2003:
 
MSKBA-307594 OL2002: Users Can Read Nonsecure E-mail as Plain Text
 
MSKBA-831607 How to View All E-Mail Messages in Plain Text Format in Outlook 2003
 
For Outlook Express 6:  
MSKBA-291387 OLEXP: Using Virus Protection Features in Outlook Express 6  
 
By reading e-mail in plain text, you can see the full URL of any hyperlink and examine the address that Internet Explorer will use. The following are some of the characters that may appear in a URL that could lead to a spoofed Web site:  
%00
%01
@
For example, a URL of the following form will open http://example.com, but the URL that appears in the Address bar of Internet Explorer may show http://www.wingtiptoys.com:  
http://www.wingtiptoys.com%01@example.com

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
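
The URL warning signs listed in the quoted KB text (an `@` in the address, `%00` or `%01` in front of it) and the link-text mismatch raised in Reply #2 can be checked mechanically before a link is followed. This is an added Python example, not part of the original thread; the function names and finding labels are illustrative, and the sample HTML is constructed from the KB text's placeholder hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

CONTROL_ESCAPE = re.compile(r"%[01][0-9a-fA-F]")  # %00 through %1F
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

SAMPLE_HTML = (  # constructed sample body using the KB text's placeholder hosts
    '<a href="http://www.wingtiptoys.com%01@example.com/login">http://www.wingtiptoys.com</a>'
    '<a href="http://example.com/update">www.wingtiptoys.com</a>'
    '<a href="http://www.wingtiptoys.com/help">Help</a>'
)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def check_link(href, text=""):  # returns (host actually contacted, findings)
    parts, findings = urlsplit(href), []
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:  # everything before the last '@' is userinfo, not the host
        userinfo = parts.netloc.rpartition("@")[0]
        findings.append("userinfo-before-@")
        if CONTROL_ESCAPE.search(userinfo) or any(ord(c) < 0x20 for c in userinfo):
            findings.append("control-char-in-userinfo")
    shown = HOSTLIKE.search(text)  # host name the reader sees in the link text, if any
    if shown and shown.group(1).lower() != host:
        findings.append("text-host-mismatch")
    return host, findings

def scan_html(html):
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    return [(href, *check_link(href, text)) for href, text in collector.links]
```

`scan_html(SAMPLE_HTML)` reports the first link with all three findings, the second with only the text mismatch, and the third as clean.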
Ian
Re: MSIE URLSpoof
« Reply #5 on: Jan 19th, 2004, 4:48pm »

Sensible stuff - setting Internet Zone to basically deny everything, then using that zone for your email settings is a good way.
 
Catch the next article over at CCSP - I discuss phishing and cover spoofed links - there's even a spot of 'homework' for readers to try out... ever the teacher!! Grin
« Last Edit: Jan 19th, 2004, 4:49pm by Ian »

... but crap arrives pretty much straight away.