Anti-Phishing Working Group

APWG THREAT ADVISORY ALERT
17-Dec-2004

Internet Explorer Vulnerability in ActiveX Control Enables XSS Attack
Enables Fake Sites with Perfect Counterfeit URLs and SSL Certificate Dialogue-box Reports

Description
Secunia is reporting a vulnerability in IE6 that enables scammers to launch a phishing attack against PCs, even those running the latest security-updated version of Windows, Service Pack 2. The Web browser flaw allows fraudsters to create a hard-to-spot spoofed Web site, according to an advisory from Secunia. The URL in the address bar can be faked; the SSL signature padlock certificate can be faked. Phishers can also hijack cookies from any Web site, the company said.

The vulnerability is caused by an error in the DHTML Edit ActiveX control when handling the "execScript()" function in certain situations. This can be exploited to execute arbitrary script code in a user's browser session in the context of an arbitrary site, according to the advisory published on Secunia's website.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/internet_explorer_cross-site_scripting_vulnerability_test/

Exploitation Scenario and Analysis
So far, no phishing attack campaigns have been reported exploiting this technical exposure in IE6. The deployment scenario it would follow is clear, however. A consumer receives a forged email that pretends to be from a bank, e-tailer or payment processor with an embedded link. The email offers some enticement or rationale for calling the consumer to a forged website coopting the victim brandholders' brand and marques. When the HTML web link is clicked, the user's browser is opened, and they are taken to the fraudster's Web page that appears identical to the real brandholder's site.

The fraudulent site detects the user's browser and runs custom JavaScript that removes the real address bar and replaces it with a fake address bar at the top of the browser window. It also fakes the SSL signature, making the "security" padlock appear in the bottom frame of the browser, as it is supposed to at SSL-authenticated sites.

The attack potential is ominous, given that even consumers who are savvy and energetic in vetting the websites they visit can be fooled when they perform the technical due diligence exercises of inspecting the Address bar (for the proper domain name, URL and the https:// protocol marker) and interrogating the digital certificate for the site.

The URL can be written to almost any address the spoofer desires. To even the most calloused eye, it appears perfect. Check the "Page Properties" tab and the bogus URL is confirmed. Check the digital certificate from the Page Properties dialogue and that, too, checks out, confirming the authenticity of the bogus web page. Click on the trusty padlock and that produces a dialogue box that confirms the validity of the spoofed page's certificate and its association with the brandholder's identity.

What's more, the HTML source looks authentic with all the domain citations for links and resources pointing back, in Secunia's example, to paypal.com.

 
Implications
This is one of the most serious security exposures we have inspected and it has serious implications for consumers. APWG is pleased that the legitimate security community has isolated this vulnerability before it has been marshaled for a phishing attack. The most serious implication, given the features of this exploitation scenario, is that consumers will be confronted with phishing emails leading them to associated counterfeit websites that are, even for tech-savvy web denizens, indistinguishable from the real McCoy. In other words, consumers with even the best security habits could be rendered helpless to defend themselves against deceptions based on the security fault Secunia has uncovered in IE6.
 
Solutions
  • Set security level to high for the "Internet" zone (disable ActiveX support).

    On Windows XP SP2 it is possible to disable the vulnerable ActiveX Control in "Tools" -> "Manage Add-Ons...".
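
One way to verify the first mitigation on a machine, as an added PowerShell example (not part of the APWG or Secunia advisory): it reads the Internet zone's ActiveX URL actions from the registry and reports whether each is disabled, as the High security level sets them. The registry paths and URL action numbers are standard Windows Internet Settings values, not taken from the advisory; the function name is hypothetical.

```powershell
# Added example: audit the Internet zone (zone 3) ActiveX URL actions.
# URL action data: 0 = enable, 1 = prompt, 3 = disable.
$Actions = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}
$StateNames = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

# Policy-set values take precedence over the user's own setting, so the
# machine policy key is read first (simplification: user policy is not checked).
$ZonePaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)

function Get-InternetZoneActiveXState {
    foreach ($id in $Actions.Keys) {
        $value  = $null
        $source = 'not set'
        foreach ($path in $ZonePaths) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $props -and $null -ne $props.$id) {
                $value  = [int]$props.$id
                $source = $path
                break
            }
        }

        # Translate the raw DWORD into a readable state.
        if ($null -eq $value)                     { $state = 'Not set' }
        elseif ($StateNames.ContainsKey($value))  { $state = $StateNames[$value] }
        else                                      { $state = "Unknown ($value)" }

        [pscustomobject]@{
            Action   = $id
            Setting  = $Actions[$id]
            State    = $state
            Disabled = ($value -eq 3)   # True only when ActiveX is switched off
            Source   = $source
        }
    }
}

Get-InternetZoneActiveXState | Format-Table -AutoSize
```

With the mitigation in place, every row reports Disabled as True; a row showing Enabled or Prompt means the Internet zone can still load ActiveX controls.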
 
Credit
Secunia (www.secunia.com) is credited with this discovery and analysis of this security exposure.
 
Legal Notices
Copyright (c) 2004 Anti-Phishing Working Group

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of the Anti-Phishing Working Group. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email info@antiphishing.org for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

 