Re: IE URL obfuscation
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Thu, 11 Dec 2003 17:29:26 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Sigh, I could scream!!!
If one more person tells me my message over-estimated the savvy of the consumer I'll have to take a week off to cool down.
If you carefully read what I did say, you will ultimately realize I said this:
1. This new bug only affects 1 possible method a consumer could use to determine the validity of the URL prior to clicking on it. That 1 possible method is hovering the mouse over the URL to see if the display component equals the underlying href.
2. This new bug only affects 2 possible methods a consumer could determine if the site they're at is the site they thought they were going to. Either looking at the address bar, or far less likely, looking at the status bar as they go there.
Now consider, please, the average consumer. My point is that they are already being scammed via normal HTML-based email and websites. Before they're likely to follow a link, it's likely they either don't care at all about security, or they have been convinced by the social engineering used on them.
How many people like those above are going to hover their mouse over a URL? How many bother to look at the address bar after they get somewhere? Not you, the average consumer I mean. Once they've clicked on a link, they're looking at the content, period.
To try and put it into numbers, not using this bug:
a) I send out a phishing scam email to 1,000,000 people.
b) The social engineering convinces 1,000 (that's good SE!)
c) 1 person (.0001%) hovers their mouse over the URL first and since it doesn't match, deletes the email.
d) 999 click on the link.
e) 2 (.0002%) people realize the address bar doesn't match what they thought it should and close their browser.
f) 997 successfully attacked.
Using the bug I get 1,000 people.
Now is anyone arguing that the percentages in (c) and (f) are way out of whack? Do you really believe there are a lot more people who hover their mouse or look at the address bar and know whether it says the right thing?? I say no. And because I believe there are so few consumers who would, the additional risk of this bug is extremely minimal (another .0003% are caught). If we consider it from the perspective of delivering a trojan via a different IE vulnerability, only .0001% more are caught.
Maybe our alarm is coming from the perspective of what we tell people to do to protect themselves. Someone sent me a message explaining that some bigname site told visitors to check the address bar on the web page they are logging into (sorry, I can't put my hand on the message right now to give proper credit). The implication being that this bigname site trusts the contents of the address bar, and now those contents can't be trusted.
This is only true as long as the page that's supposed to be trusted doesn't contain a "/" in it. IOWs, you can only spoof the top level URL of a site, not pages within it. All links on a spoofed site are going to point to the same, www.spoofedsite.crap, nothing can point to www.spoofedsite.crap/about.htm or anything like it.
I'm not saying this will prevent people from being duped, but for those sites that do tell people to look at the address bar, as long as the address contains a "/" then their users will, if they read it, see a difference.
Anyway, let's have some arguments about how many more people are going to be duped than were already ready to be duped.
Russ - NTBugtraq Editor
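The two consumer checks Russ enumerates (hovering to compare the link text with the underlying href, and reading the address bar, where a spoofed top-level address cannot carry a path such as "/about.htm") are the kind of thing a mail gateway or a user-education tool can automate. The following is an added example, not code from the post or from NTBugtraq; the anchors and hostnames it tests are constructed, and the function names are my own. It relies on the standard-library URL parser to decide which host an href actually designates, which is the comparison the "hover" check is meant to make.

```python
import re
from urllib.parse import urlsplit

# Matches display text that looks like a URL or bare hostname (e.g. "www.example.com",
# "https://www.example.com/login"); anything else ("Click here") carries no host claim.
URL_LIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.\-]*://)?[\w.\-]+\.[a-z]{2,}(?:[/?#:]|$)", re.I
)


def registered_host(url):
    """Host component as the URL parser resolves it, lowercased, or None."""
    if "://" not in url:
        url = "http://" + url          # assume a bare hostname is http
    host = urlsplit(url).hostname
    return host.lower() if host else None


def assess_link(display_text, href):
    """The 'hover' check from point 1 of the post.

    Returns one of:
      "match"           - display text names the same host the href goes to
      "mismatch"        - display text names a different host (phishing indicator)
      "no-host-in-text" - display text makes no host claim, nothing to compare
    """
    text = display_text.strip()
    if not URL_LIKE.match(text):
        return "no-host-in-text"
    shown = registered_host(text)
    actual = registered_host(href)
    return "match" if shown and shown == actual else "mismatch"


def address_shows_path(address_bar_text, expected_path):
    """The address-bar check from point 2, refined by the post's observation that a
    spoofed address can only present a top-level site, never a page within it.

    True only when the visible address parses to a URL whose path begins with the
    path the user was told to expect (e.g. "/login").
    """
    text = address_bar_text.strip()
    if "://" not in text:
        text = "http://" + text
    path = urlsplit(text).path
    return path not in ("", "/") and path.startswith(expected_path)


# Constructed sample anchors (display text, href), not taken from any real mail.
SAMPLE_LINKS = [
    ("https://www.example.com/account", "https://www.example.com/account"),
    ("www.example.com", "http://www.spoofedsite.crap/"),
    ("Click here to verify your account", "http://www.spoofedsite.crap/"),
]


def triage(links=SAMPLE_LINKS):
    """Return a list of (display_text, href, verdict) for every anchor."""
    return [(d, h, assess_link(d, h)) for d, h in links]


if __name__ == "__main__":
    for display, href, verdict in triage():
        print(f"{verdict:16} {display!r} -> {href}")
    print(address_shows_path("http://www.spoofedsite.crap", "/login"))      # False
    print(address_shows_path("https://www.example.com/login?x=1", "/login"))  # True
```

Note that `assess_link` deliberately treats non-URL anchor text as "no-host-in-text" rather than as safe: most phishing anchors read "Click here", so the hover comparison alone yields nothing for them, which is exactly the point the post makes about how few consumers that check protects.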