Jeff Key

It works on my machine

Your parents will never be safe: Visual Spoofing

If it's not one thing, it's another.

The latest thing the internet evildoers are doing to confuse your parents is called Visual Spoofing.  Instead of faking URLs, these smart guys are faking the IE toolbars.  Here's the deal:  They launch a new browser window with all of the toolbars invisible and replace them with, you guessed it, toolbar images that contain a legit URL, SSL lock and so on.

Article is here.  More info and an example of Visual Spoofing is on Don Park's blog.

It's worth mentioning that XP SP2 doesn't allow turning off the status bar, but apparently that alone isn't enough.  I hope the IE team gets wind of this and disallows any content from the Internet zone from being displayed in a browser without toolbars.
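The rule proposed above can be sketched as a check on the feature string passed to `window.open`. This is an added example, not code from the article, Don Park's blog or IE; `allowPopup` and the zone labels are hypothetical names, and the parsing follows the legacy-browser rule that listing any feature turns the unlisted bars off.

```javascript
// Window chrome that a spoofed toolbar image would have to replace.
const CHROME = ["toolbar", "location", "menubar", "status"];

// Parse the features argument of window.open(url, name, features).
// Legacy-browser rule: an empty string gives a default window with all
// chrome shown; once any feature is listed, every unlisted bar is off.
function parseFeatures(features) {
  const listed = new Map();
  for (const part of (features || "").split(",")) {
    const [rawName, rawValue] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    // A bare name ("status") counts as enabled.
    const value = rawValue === undefined ? "yes" : rawValue.trim().toLowerCase();
    listed.set(name, value === "yes" || value === "1");
  }
  const shown = {};
  for (const bar of CHROME) {
    shown[bar] = listed.size === 0 ? true : listed.get(bar) === true;
  }
  return shown;
}

// Names of the chrome bars the requested window would hide.
function hiddenChrome(features) {
  const shown = parseFeatures(features);
  return CHROME.filter((bar) => !shown[bar]);
}

// Hypothetical policy hook (zone names are assumed labels, not an IE API):
// refuse Internet-zone content in any script-opened window that hides chrome.
function allowPopup(zone, features) {
  const hidden = hiddenChrome(features);
  return { allow: !(zone === "internet" && hidden.length > 0), hidden };
}

// Constructed feature strings, not taken from a real page.
const samples = [
  "",
  "toolbar=yes,location=yes,menubar=yes,status=yes,width=800",
  "width=800,height=600,toolbar=no,location=no,status=no",
  "width=400,height=300",
];
for (const f of samples) {
  const { allow, hidden } = allowPopup("internet", f);
  console.log(JSON.stringify(f), allow ? "allow" : "block", hidden.join(","));
}
```

The last sample shows why checking only for explicit `toolbar=no` is not enough: a size-only feature string hides every bar as well.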

Posted: Feb 16 2004, 09:45 PM by jeffreykey | with 3 comment(s)

Comments

Jason Nadal said:

Nice title. The problem is, what advice do you give the noob?
1) "Don't download anything" -- bad since then people don't download critical updates and security problems
2) "Download anything" -- I hope this doesn't need an explanation why it's bad
3) "Download selectively" aka "Don't download something that seems suspicious" -- right, but the average person isn't probably going to realize that the link to Microsoft, saying it's from Microsoft on a site that looks like Microsoft isn't really Microsoft.

This is a tough problem with no easy solutions.
# February 16, 2004 11:01 PM

Jerry Pisk said:

There is an easy solution - double click the lock and make sure the subject is who they claim to be. But then - it's easy to spoof that window too...

Of course if you're not using the default UI style you're ok.
# February 16, 2004 11:25 PM

Jeff Key said:

The easy solution is to tell people to just stop using the web; with new forms of trickery appearing weekly, it seems pointless to try to keep casual users up to speed.

Since that isn't the most practical solution, I stand by what I said in the original post: If new browser windows are created in script that hide toolbars and/or the status bar, don't allow any content from the Internet zone. Pretty simple.

Also, it would be great if MSFT built in a Verisign or BBB toolbar that showed either the registered owner (Verisign), or even better, the name in the BBB registry. The latter would be much harder to fake, AFAIK.
# February 17, 2004 9:09 AM