By Brian Livingston
The top story of the May 6 issue of Brian’s Buzz on Windows revealed that hackers had found a way to hijack the address bar of Internet Explorer, Netscape, and possibly other browsers. This exploit makes it appear that you are visiting one site — such as your online bank — whereas you are actually visiting a bogus site that just happens to look exactly like your online bank.
This technique is used to enhance the diabolical effectiveness of “phishing.” In the typical phishing attack, millions of e-mail messages are sent out by credit-card thieves. These messages tell the recipients that they need to re-enter their passwords or other personal information in order to “verify” their account at their bank, PayPal, eBay, or whatever.
The e-mail message has the same logo and overall appearance as your financial institution’s legitimate messages. If you click the link in the message, the Web site that opens in your browser looks good, too. But the site, in fact, is a “throw-away” page. It will be abandoned as soon as the thieves have collected thousands of credit-card numbers, passwords, or other information from innocent Web users.
Because the phishing e-mails and Web pages look exactly like those of legitimate companies, up to 5% of the recipients of these e-mails actually enter the data that’s requested, according to figures I quoted last issue from the Anti-Phishing Working Group.
My article on this subject generated far more comment than the average newsletter does. My readers are extremely offended (as am I) by the exploitation of naïve users that phishing represents. The recent exploit, which grabs browsers’ address bars to make the trick harder to detect, is seen to make phishing an even bigger threat to Internet users than it was originally.