Dailydave mailing list archives

Re: Interesting phish


From: Fyodor <fyodor () insecure org>
Date: Mon, 12 Feb 2007 13:13:30 -0800

On Mon, Feb 12, 2007 at 02:16:23PM -0500, Tyler Krpata wrote:
> I had an interesting Bank of America phish pointed out to me...it gets
> around the "wrong URL" problem by popping up a new window which
> disables the location bar and creates a lookalike IE location bar of
> its own which contains a legit URL. This is something I had actually

IMHO, pages should not be able to hide your location bar, titlebar, or
menubar, prevent you from resizing/moving/scrolling windows, or
anything of the sort.  Firefox has for many years offered config
options to protect you from all this.  Unfortunately, some of them are
still not enabled by default.  CERT has a good description here of the
features (related to a similar spoofing exploit which used XUL):

http://www.kb.cert.org/vuls/id/262350

I don't know if IE offers this sort of protection.  The release notes
for IE7[1] at least note a way to prevent status bar spoofing (you
need to enable this explicitly though) and they finally decided that
web pages should not be able to secretly snarf all of the data in your
clipboard.

Cheers,
Fyodor
[1] http://msdn2.microsoft.com/en-us/ie/aa740486.aspx
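As an added example (not part of Fyodor's mail or the CERT note), the Firefox window.open() feature prefs that the CERT note refers to, rendered as a hardened user.js fragment plus a small audit that reports which of them a given prefs.js still leaves off. Pref names are the dom.disable_window_open_feature.* family of the Firefox 2/3 generation; the sample prefs.js text is constructed.

```javascript
// Added example: Firefox prefs that stop pages from hiding or spoofing browser
// chrome via window.open() features (location bar, menubar, status bar, etc.).
// Pref names are from the Firefox 2/3 generation referenced by CERT VU#262350.
const CHROME_PREFS = {
  "dom.disable_window_open_feature.location": true,   // real URL bar stays
  "dom.disable_window_open_feature.menubar": true,
  "dom.disable_window_open_feature.toolbar": true,
  "dom.disable_window_open_feature.status": true,     // status bar spoofing
  "dom.disable_window_open_feature.titlebar": true,
  "dom.disable_window_open_feature.scrollbars": true,
  "dom.disable_window_open_feature.resizable": true,
  "dom.disable_window_move_resize": true,             // no moving/resizing
};

// Render a user.js fragment that forces every protection above on.
function hardenedUserJs() {
  return Object.entries(CHROME_PREFS)
    .map(([name, value]) => `user_pref("${name}", ${value});`)
    .join("\n");
}

// Parse user_pref("name", value); lines from prefs.js / user.js text.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    const raw = m[2];
    if (raw === "true" || raw === "false") prefs[m[1]] = raw === "true";
    else if (raw.startsWith('"')) prefs[m[1]] = raw.slice(1, -1);
    else prefs[m[1]] = Number(raw);
  }
  return prefs;
}

// Audit: list protections that are still off. A missing pref counts as off,
// which is exactly the "not enabled by default" case the mail complains about.
function auditPrefs(text) {
  const found = parsePrefs(text);
  return Object.keys(CHROME_PREFS).filter((name) => found[name] !== true);
}

// Constructed sample prefs.js: location bar protected, menubar explicitly not,
// the rest never set.
const SAMPLE_PREFS = `
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", false);
user_pref("browser.startup.homepage", "about:blank");
`;

console.log("Still unprotected:", auditPrefs(SAMPLE_PREFS));
```

Pasting the output of hardenedUserJs() into the profile's user.js forces all listed prefs on at every startup.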

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
