Re: IE URL obfuscation

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 12/11/03

    Date:         Thu, 11 Dec 2003 17:29:26 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Sigh, I could scream!!!

    If one more person tells me my message over-estimated the savvy of the consumer I'll have to take a week off to cool down.

    If you carefully read what I did say, you will ultimately realize I said this:

    1. This new bug only affects 1 possible method a consumer could use to determine the validity of the URL prior to clicking on it. That 1 possible method is hovering the mouse over the URL to see if the display component equals the underlying href.

    2. This new bug only affects 2 possible methods a consumer could use to determine if the site they're at is the site they thought they were going to: either looking at the address bar or, far less likely, looking at the status bar as they go there.

    Now consider, please, the average consumer. My point is that they are already being scammed via normal HTML-based email and websites. Before they're likely to follow a link, it's likely they either don't care at all about security, or they have been convinced by the social engineering used on them.

    How many people like those above are going to hover their mouse over a URL? How many bother to look at the address bar after they get somewhere? Not you, the average consumer I mean. Once they've clicked on a link, they're looking at the content, period.

    To try and put it into numbers, not using this bug:

    a) I send out a phishing scam email to 1,000,000 people.
    b) The social engineering convinces 1,000 (that's good SE!)
    c) 1 person (.0001%) hovers their mouse over the URL first and since it doesn't match, deletes the email.
    d) 999 click on the link.
    e) 2 (.0002%) people realize the address bar doesn't match what they thought it should and close their browser.
    f) 997 successfully attacked.

    Using the bug I get 1,000 people.

    Now is anyone arguing that the percentages in (c) and (f) are way out of whack? Do you really believe there are a lot more people who hover their mouse or look at the address bar and know whether it says the right thing? I say no. And because I believe there are so few consumers who would, the additional risk of this bug is extremely minimal (another .0003% are caught). If we consider it from the perspective of delivering a trojan via a different IE vulnerability, only .0001% more are caught.

    Maybe our alarm is coming from the perspective of what we tell people to do to protect themselves. Someone sent me a message explaining that some big-name site told visitors to check the address bar on the web page they are logging into (sorry, I can't put my hand on the message right now to give proper credit). The implication is that this big-name site trusts the contents of the address bar, and now those contents can't be trusted.

    This is only true as long as the page that's supposed to be trusted doesn't contain a "/" in it. IOWs, you can only spoof the top-level URL of a site, not pages within it. All links on a spoofed site are going to point to the same address, www.spoofedsite.crap; nothing can point to www.spoofedsite.crap/about.htm or anything like it.

    I'm not saying this will prevent people from being duped, but for those sites that do tell people to look at the address bar, as long as the address contains a "/" then their users will, if they read it, see a difference.

    Anyway, let's have some arguments about how many more people are going to be duped than were already ready to be duped.

    Cheers,
    Russ - NTBugtraq Editor

    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
    
