Forwarded from: William Knowles <wk@private>

http://www.washingtonpost.com/wp-dyn/articles/A13587-2004Jan13.html

By Brian Krebs
washingtonpost.com Staff Writer
January 13, 2004

Microsoft Corp.'s latest round of software patches fails to fix a flaw in its Internet Explorer Web browser that makes it easier for online criminals to dupe people into disclosing their credit card numbers, passwords and other private data.

Security experts were hoping that the patches, which were released today, would address the problem, but a Microsoft official said that the company is still devising a fix.

The flaw lets criminals control the information displayed in the address bar of Explorer's browser window. It was most recently used to trick people into visiting a forged version of the Citibank Web site. Once there, users were prompted to share personal identification and credit card account numbers. Citibank today warned people to steer clear of an e-mail that links to the fake site.

Security experts said that the flaw is easy to exploit.

"I could teach any grade school kid how to do it," said Ken Dunham, malicious code manager for Reston, Va.-based security company iDefense. "I'm very concerned for the Internet public at large because this is one of the most dangerous trends we've seen emerge."

The scheme is gaining notoriety after criminals sent e-mails earlier this month to customers of the PayPal online payment service and two British financial institutions that linked to fake Web sites. Last week, an e-mail scam tried to steal information from subscribers to Earthlink, the nation's third-largest Internet service provider.

"From a consumer standpoint, this is probably the most severe security flaw I'm aware of right now," said Johannes Ullrich, chief technology officer for the SANS Institute's Internet Storm Center, which tracks online attacks.
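The article describes the effect of the flaw (the address bar shows one site while the browser is at another) but not its mechanism. The following is an added example, not part of the article or of any vendor code, written from the defender's side: a small link-triage routine that parses each URL in a suspicious e-mail with Python's standard urllib.parse and reports the host the browser will actually connect to, along with generic indicators that a link is dressed up to read like a bank's address. It relies only on RFC 3986 URL syntax (in particular that a "user@" userinfo component may precede the real host); the sample links, "evil.example" and the claimed domain "citibank.com" are constructed stand-ins.

```python
"""Phishing-link triage: where does a URL really point?

Added example, not from the article. Uses only RFC 3986 URL syntax as
implemented by urllib.parse; all sample links are constructed.
"""
import re
from typing import Optional
from urllib.parse import urlsplit


def real_host(url: str) -> Optional[str]:
    """Return the host the browser will actually connect to.

    urlsplit() strips any 'user:pass@' userinfo and the port, so a link
    such as http://www.citibank.com@evil.example/ resolves to evil.example.
    """
    return urlsplit(url).hostname


def spoof_indicators(url: str, claimed_domain: str) -> list[str]:
    """List reasons a link may not belong to claimed_domain (e.g. 'citibank.com').

    An empty list means the destination host is the claimed domain or one of
    its subdomains and none of the cosmetic tricks below were seen.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    claimed = claimed_domain.lower()
    findings: list[str] = []

    if not (host == claimed or host.endswith("." + claimed)):
        findings.append(f"destination host {host!r} is not under {claimed!r}")

    if parts.username is not None:
        # Legal URL syntax, but a bank does not send customers links with a
        # username in them; it is the classic way to put the brand name first.
        findings.append(f"userinfo {parts.username!r} precedes the real host")
        if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", parts.username.lower()):
            findings.append("userinfo is shaped like a hostname")

    # Brand string present somewhere in the URL (path, userinfo, query) while
    # the destination host is elsewhere: the visible text says one thing,
    # the authority component says another.
    if claimed in url.lower() and not (host == claimed or host.endswith("." + claimed)):
        findings.append(f"{claimed!r} appears in the URL but not as the destination")

    return findings


def triage(links: list[str], claimed_domain: str) -> dict[str, list[str]]:
    """Map each link to its indicators; links with no findings map to []."""
    return {link: spoof_indicators(link, claimed_domain) for link in links}


if __name__ == "__main__":
    # Constructed sample links, modelled on the kind of e-mail the article describes.
    SAMPLE_LINKS = [
        "https://www.citibank.com/accounts/balance",          # plausible real link
        "http://www.citibank.com@evil.example/login",        # userinfo trick
        "http://evil.example/www.citibank.com/verify.html",  # brand in path only
        "http://citibank.com.evil.example/",                 # brand as a subdomain
    ]
    for link, findings in triage(SAMPLE_LINKS, "citibank.com").items():
        print(f"{link}\n  connects to: {real_host(link)}")
        for f in findings or ["no indicators"]:
            print(f"  - {f}")
```

A mail gateway or helpdesk tool would run this over every href in a message and compare the result against the brand the message claims to be from; the point for users is the one the article makes, that the text of a link (or what a bar appears to show) is not where the browser goes.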
The false Web sites are the latest twist on "phishing scams," e-mails that lure customers into divulging their personal and financial information. Roughly 5 percent of people who are actual customers of a company targeted by the bogus e-mails fall for the scams, said David Jevans, senior vice president at Tumbleweed Communications in Redwood City, Calif. Jevans also serves as chairman of the Anti-Phishing Working Group, a group of banks and e-mail security companies that fight phishing schemes.

"This is a highly profitable venture for people because there is 10 times more money to be made in phishing scams than through regular spamming," Jevans said.

Experts called the Citibank ruse one of the most convincing. It began with a Web-based e-mail bearing the bank's trademark design, colors and logo. The message said that the company had suffered some problems with its data storage due to fraud activity, and urged customers to check their account balances.

"Citibank notifies all it's [sic] customers in cases of high fraud or criminal activity and asks you to check your account's balances. If you suspect or have found any fraud activity on your account please let us know by logging in at the link below," it said.

Security experts said that by failing to issue a patch to fix the problem, Microsoft is ignoring a serious problem.

"I see this trick being used in the wild almost daily now, and they definitely need to do something about it," said Ullrich.

Vincent Weafer, senior director of anti-virus company Symantec Security Response, said that the vulnerability also can be used to spread "backdoor Trojans," programs that allow hackers to control a victim's computer. Several viruses have used clever e-mails to fool consumers into downloading Trojans disguised as critical security updates from Microsoft. Using the Explorer flaw could trick users into believing they are visiting Microsoft.com while they are downloading a Trojan from a bogus site instead, Weafer said.
"This vulnerability has all the ingredients needed for the propagation of malicious code, and I absolutely believe it will eventually be used for that purpose."

A Microsoft spokesman said the company is working deliberately on developing a patch to make sure it does not disable other features in the Windows operating system or prevent users from visiting legitimate Web sites.

"An incomplete patch can almost be worse than no patch at all," said Stephen Toulouse, security program manager with the Microsoft Security Response Center.

Today's batch of security updates is the third Microsoft has released since it announced that it would issue them on a monthly basis. Microsoft chief executive Steve Ballmer announced the change in early October following criticism that the company is not doing enough to protect Windows users. Microsoft said it made the changes to help ease the burden on system administrators by making its patching process more predictable.

The three patches Microsoft released today involve programs and vulnerabilities commonly found in corporate networks, not home user systems. One vulnerable component, however, a Web database management program known as "Microsoft Data Access Components," is shipped with nearly all versions of Windows.

Users can check which updates they need to download at this Windows Update site.

For a safe demonstration of the Microsoft IE vulnerability, click here (this will only work for Internet Explorer users).

For information on how to protect yourself against phishing scams in general, check out the Federal Trade Commission Web site or anti-phishing.org.

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen. Alfred M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*

- ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@private with 'unsubscribe isn'
in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Jan 14 2004 - 06:43:30 PST