
URL SPOOFING

  • Judith Rempel
    Message 1 of 1 , Dec 19, 2003
      Judii's introduction:

      Apologies for the somewhat technical nature of this e-mail. I feel the
      message is important enough that it needs to be widely distributed, not
      just to those who are curious about technical things.

      Please read this article (and the NetSquirrel one noted in the body of the
      message) and know that urls in HTML-FORMATTED e-mail messages and webpages
      (all webpages are html-formatted; even pdf files can have html-formatting in
      them) may be spoofed.

      The identified problem affects all users of Microsoft Outlook or Internet
      Explorer. It affects PCs and MACs (although Macs have a slight clue when
      things are going wrong).

      The article and the NetSquirrel page that it points to are effective
      warnings, and show the risk, but I don't think explain how this happens.
      They simply say that you should retype the urls in such messages/webpages
      directly into the location bar of your browser instead of clicking on the
      link. At the bottom of this e-mail I'll show you how it's done - if you're
      interested (the article appears between dashed lines and my comments appear
      after that). (Note: links in this e-mail cannot be spoofed ones because it's
      coming to you as plain text - no html formatting.)

      And, while the information pretty much says we're fools if we're using
      Microsoft products, he does have hope that this 'bug' will be eliminated by
      a major January 14 release of Microsoft product upgrades.

      Now follows Patrick Douglas Crispin's TourBus e-newsletter's commentary on
      this problem between dashed lines, followed by more comments from me.

      --------------------
      If you use Internet Explorer, Microsoft Outlook Express, or Microsoft
      Outlook, you're vulnerable to something called "URL Spoofing." Is
      this earth-shattering? No. Should you lose sleep over it? No.
      Should you at least know a little about it in order to protect your
      personal information should something strange happen? ABSOLUTELY!

      According to Microsoft,

      a malicious user could create a link to a deceptive (spoofed) Web
      site that displays the address, or URL, to a legitimate Web site
      in the Status bar, Address bar, and Title bar.

      Why is this a bad thing? Well, InformationWeek warns that

      This flaw would make it appear to Internet users that they're
      visiting a banking Web site, for example, when that site is
      actually a front for fraudsters attempting to collect sensitive
      financial information...

      How can you tell if you're vulnerable? Just hop on over to

      http://netsquirrel.com/spoof/

      and click on the microsoft.com link on that page. If Microsoft's
      website loads in your web browser, move along. There's nothing to see
      here.

      However, if the page that loads isn't Microsoft's but rather eBay's,
      you're completely vulnerable. And remember, this vulnerability
      doesn't just affect Internet Explorer, it also affects your copies of
      Microsoft Outlook and/or Outlook Express.

      Now for the REALLY bad news: There's no way to fix this problem. Yet.
      Should you panic? As I said, no! But, until Microsoft finds a fix,
      you should take the following precautions:

      1. DON'T TRUST HYPERLINKS IN HTML-FORMATTED EMAIL MESSAGES
      (emails that display images and hyperlinks and look very much
      like web pages) even if those email messages are from your
      friends or family. This is especially true for hyperlinks in
      email messages from Amazon, AOL, eBay, PayPal, your bank, your
      credit card company, or any other company you normally do
      business with. If any web site, financial company, or
      commercial entity sends you an email asking you to click on a
      hyperlink in that email to update your account information, DO
      NOT CLICK ON THAT LINK. Because of Internet Explorer's URL
      spoofing vulnerability, you simply cannot trust hyperlinks in
      HTML-formatted emails to point to the correct URL.

      2. BE SUSPICIOUS OF HYPERLINKS ON WEB PAGES YOU HAVE NEVER
      VISITED BEFORE. To be completely honest, the chance of you
      running into a spoofed URL on a web page is pretty slim, and
      the chance is all but zero on the big .com sites you visit
      every day. More likely than not, the criminals will be
      spoofing URLs in email messages, not on Web pages. But, if
      you are at a web page you have never visited before, exercise
      a little caution. If something feels wrong, leave.

      3. THE BEST WAY TO AVOID BEING HIJACKED BY A SPOOFED URL IS TO
      MANUALLY TYPE THE URL USING INTERNET EXPLORER'S ADDRESS BAR.
      Remember, the spoof only affects hyperlinks in email messages
      and web pages, not addresses you manually key in to your
      Internet Explorer address bar. So, to be really safe, if you
      need to access your account information at Amazon, AOL, eBay,
      PayPal, your bank or financial institution, your credit card
      company, or any other company you normally do business with,
      manually enter the URL.

      Some will also argue that this URL spoofing vulnerability is a perfect
      reason to abandon Windows/Internet Explorer/eating with utensils.
      That’s for you to decide. However, since my email inbox will explode
      if I don’t say this, the smarter and better looking people long ago
      abandoned Internet Explorer in favor of Mozilla, Safari, and Opera
      (among others). These smarter and better looking people look upon
      Internet Explorer users with abject contempt, but they will happily
      welcome you back into the smart and pretty club once you regain your
      senses and adopt a different web browser and/or operating system.

      By the way, does this URL spoof actually affect Mac and *nix users?
      Yes and no. If you click on the Microsoft link on
      http://www.netsquirrel.com/, you'll most likely be taken to eBay but
      the URL in your address bar will look funky. That’s good. It’s
      supposed to look funky. What’s different in Internet Explorer is that
      the spoofed URL *DOESN’T* look funky at all. And that’s bad.

      Finally, Broadband Reports has done the best job of covering this
      vulnerability. You can find their latest update at

      http://www.dslreports.com/shownews/36402

      My guess is that Microsoft will patch this vulnerability when they
      release their next batch of critical updates on January 14th. But I
      could be wrong. Until the patch is released, exercise a little
      caution and you should be fine.

      ----------------

      Judii's comments:

      When someone puts a link into an html document (email message or webpage),
      they encase the url in a code such as:

      <a href="http://www.microsoft.com">Microsoft Website</a>
      or
      <a href="http://www.microsoft.com">www.microsoft.com</a>

      More generically, the link looks like:

      <a href=" x "> y </a>

      where x is replaced by the url and
      y is replaced by the clickable text

      In the malicious html, the url has some extra characters tacked onto it:
      %00@.../

      so instead of correctly sending you to http://www.microsoft.com
      the url is sending you to: http://www.microsoft.com%00@.../

      I guess the way to interpret this computer code for humans is:

      "When someone clicks on this link, make it look like the link will go to
      microsoft.com, but really go to the ebay.com address."

      What's the harm?
      Well if the 'incorrect' url is designed in such a way that you THINK you've
      gone to a legitimate site, and the site LOOKS exactly as you'd predict the
      real site would look like, you might give them information or money that you
      intend for the real url.

      Appropriate Action?
      Well, I don't think I'm going to stop clicking on links in e-mails, but when
      they are html-formatted and say they're going to take me to a site where I
      need to divulge a userid/password, security code, bank account info,
      personal address, credit card information, OR ACT ON ADVICE, I will ALWAYS
      type the address identified and NOT click on a link that might take me to a
      spoofed site.


      In Kinship,
      Judith Rempel
      judith@...



      http://www.afhs.ab.ca
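The mechanism Judii describes (a familiar hostname placed before an `@` so that the real destination hides after it) is something a mail filter or link checker can detect on the receiving side. The following is an added example, not code from this e-mail or from the TourBus newsletter: it pulls anchors out of a constructed HTML fragment, splits each `http(s)` URL into its userinfo and host parts, and flags links where the authority contains an `@`, where the userinfo carries a `%00`, or where the hostname shown in the clickable text differs from the host the link really goes to. The anchor extractor is a deliberately small regex, adequate for the simple markup in the sample but not a full HTML parser, and all domain names in the sample (`attacker.example`, `example.org`) are constructed placeholders.

```javascript
// Added example: detect "familiar-host@real-host" link spoofing in HTML e-mail.
// SAMPLE_HTML is constructed for the demonstration; the domains are placeholders.
const SAMPLE_HTML = `
<p>Legit: <a href="http://www.microsoft.com">www.microsoft.com</a></p>
<p>Spoof: <a href="http://www.microsoft.com%00@attacker.example/">www.microsoft.com</a></p>
<p>Spoof text: <a href="http://attacker.example/login">http://www.paypal.com</a></p>
<p>Fine: <a href="https://example.org/page">read more</a></p>
`;

// Minimal anchor extractor (assumption: double-quoted href, no nested <a>).
const ANCHOR_RE = /<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/a>/gi;

function extractAnchors(html) {
  const anchors = [];
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    // Strip any inner tags so only the visible text remains.
    anchors.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return anchors;
}

// Split the authority of an http(s) URL into userinfo (before the last "@")
// and host. Returns null for non-http(s) links.
function splitAuthority(url) {
  const m = /^(https?):\/\/([^/?#]*)/i.exec(url);
  if (!m) return null;
  const authority = m[2];
  const at = authority.lastIndexOf("@");
  const userinfo = at === -1 ? null : authority.slice(0, at);
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return { scheme: m[1].toLowerCase(), userinfo, host: hostport.split(":")[0].toLowerCase() };
}

// If the clickable text looks like a URL or a bare hostname, recover the host
// the reader believes the link points to; otherwise null.
function hostOfDisplayText(text) {
  const asUrl = splitAuthority(text);
  if (asUrl) return asUrl.host;
  const trimmed = text.trim();
  return /^(?:www\.)?[a-z0-9.-]+\.[a-z]{2,}$/i.test(trimmed) ? trimmed.toLowerCase() : null;
}

function analyzeAnchor(anchor) {
  const findings = [];
  const parts = splitAuthority(anchor.href);
  if (!parts) return { ...anchor, host: null, findings };
  if (parts.userinfo !== null) {
    // Everything before "@" is a username, not the site; the reader only sees it.
    findings.push("userinfo-before-@");
    if (/%00|\x00/.test(parts.userinfo)) findings.push("null-byte-in-userinfo");
  }
  const shown = hostOfDisplayText(anchor.text);
  if (shown && shown !== parts.host) findings.push("text-host-mismatch");
  return { ...anchor, host: parts.host, findings };
}

// Return only the anchors that triggered at least one finding.
function findSuspiciousLinks(html) {
  return extractAnchors(html).map(analyzeAnchor).filter((a) => a.findings.length > 0);
}

for (const link of findSuspiciousLinks(SAMPLE_HTML)) {
  console.log(`${link.findings.join(", ")}: text="${link.text}" real host=${link.host}`);
}
```

The check deliberately treats any `@` in the authority as suspicious rather than only the `%00` variant, because the userinfo trick works against a reader's eyes whether or not the browser truncates at the null byte; the text-versus-host comparison catches the plainer case where the visible text is simply a different URL than the href.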