Every Browser But IE Susceptible to Phishing Flaw

hevnsnt

Link

If you are not using IE as your browser, check this out.

Paypal
Paypal (secure)

Try those links out. This is PayPal, an internet banking si - whoops. They're actually spoofed IDNs. Any browser except MSIE is susceptible, making you a prime phishing target. BE CAREFUL. I warned you.

If you want some more information on IDN, click here.

Firefox has a workaround: Open a blank browser, and type about:config into the address bar. Look for "Network.enableIDN", then change it to false.

**UPDATE: Even if you follow the instructions to set this to FALSE, it will reset itself after each browser restart, meaning you would have to reset this property each time you loaded the browser. It will still show it set as FALSE, but will follow the links to the spoofed pages anyway.**

Opera IS vulnerable, but claims it's a correctly implemented standard, and doesn't plan to "fix" anything.
 

BigJ

So is it really a properly implemented standard, or is Opera just covering its arse?
 

nakedfrog

So... if I'm foolish enough to click on one of those "PayPal" email links telling me I added a credit card to my account (when I know I didn't) then I have something to worry about.
 

jagec

Originally posted by: hevnsnt
Link

If you are not using IE as your browser, check this out.

Paypal
Paypal (secure)

Try those links out. This is PayPal, an internet banking si - whoops. They're actually spoofed IDNs. Any browser except MSIE is susceptible, making you a prime phishing target. BE CAREFUL. I warned you.

If you want some more information on IDN, click here.

Firefox has a workaround: Open a blank browser, and type about:config into the address bar. Look for "Network.enableIDN", then change it to false.

**UPDATE: Even if you follow the instructions to set this to FALSE, it will reset itself after each browser restart, meaning you would have to reset this property each time you loaded the browser. It will still show it set as FALSE, but will follow the links to the spoofed pages anyway.**

Opera IS vulnerable, but claims it's a correctly implemented standard, and doesn't plan to "fix" anything.
Weird, it's the "a" that breaks it. If I copy/paste your address from above, and re-type just the "a", it goes to the real site. What's the trick? You forgot to put the IDN link up.
 

glugglug

From what I can tell it is a font issue.

The first 'a' in paypal in those URLs is not an a; however, it looks like one in most fonts. Try this: copy the URL to the clipboard from one of those links, paste it in Word. In a normal font with the full Unicode character set, it looks like it says paypal. Change to a font which does not support the Unicode chars (Why is there a redundant a in the standard charset?!) and you will see that it does not. Took a while to find a font with the char missing; Trebuchet MS is good for illustrating the effect on this system. So really what the browsers need to add is some kind of indication when non-ASCII chars are used in URLs, like highlighting or bolding those chars or something.

BTW IE is NOT IMMUNE, it just happens to use a font without the full character set on most systems. The link looks normal in IE on my work machine because of fonts/language packs installed.
 

BigSmooth

Originally posted by: glugglug
From what I can tell it is a font issue.

The first 'a' in paypal in those URLs is not an a; however, it looks like one in most fonts. Try this: copy the URL to the clipboard from one of those links, paste it in Word. In a normal font with the full Unicode character set, it looks like it says paypal. Change to a font which does not support the Unicode chars (Why is there a redundant a in the standard charset?!) and you will see that it does not. Took a while to find a font with the char missing; Trebuchet MS is good for illustrating the effect on this system. So really what the browsers need to add is some kind of indication when non-ASCII chars are used in URLs, like highlighting or bolding those chars or something.

The second "a" in the character set is actually a Cyrillic small letter "a" which happens to look almost (or exactly, depending on the font) the same as a Latin small letter "a". If you look at the character map, there are lots of these "double" characters that could be used to do this (as mentioned by the IDN link).
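As an added illustration (not code from any poster in this thread), here is a small Python check of the kind glugglug and BigSmooth are describing: it annotates each character of a hostname with its Unicode script, shows the punycode form that the browser actually resolves, and flags any label that mixes scripts such as Latin and Cyrillic. The sample hostnames are constructed; the look-alike uses U+0430 CYRILLIC SMALL LETTER A in place of the first Latin "a".

```python
import unicodedata

# Constructed samples: the genuine hostname and a look-alike whose first "a"
# is U+0430 CYRILLIC SMALL LETTER A, as discussed in the thread.
GENUINE = "paypal.com"
LOOKALIKE = "p\u0430ypal.com"

# Characters that are legal in hostnames but belong to no particular script.
COMMON = set("-.0123456789")


def script_of(ch):
    """Rough script name taken from the first word of the Unicode character
    name, e.g. 'LATIN' for 'a' and 'CYRILLIC' for U+0430."""
    if ch in COMMON:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def annotate(host):
    """Per-character (char, code point, script) tuples: the kind of visible
    indication of non-ASCII characters that glugglug asks browsers for."""
    return [(ch, "U+%04X" % ord(ch), script_of(ch)) for ch in host]


def to_ascii(host):
    """The ACE/punycode form (xn--...) that is sent on the wire; an IDN that
    displays as 'paypal' is nothing like 'paypal' here."""
    return host.encode("idna").decode("ascii")


def non_ascii_positions(host):
    """Indices of characters outside ASCII; empty for an ordinary hostname."""
    return [i for i, ch in enumerate(host) if ord(ch) > 127]


def is_mixed_script(host):
    """True if any label combines letters from more than one script, which is
    the signature of the Latin/Cyrillic look-alike in this thread."""
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            return True
    return False


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(host, "->", to_ascii(host), "mixed:", is_mixed_script(host))
        print("  non-ASCII at", non_ascii_positions(host), annotate(host)[1])
```

A pure-Cyrillic look-alike would not trip the mixed-script check, so a real browser policy also compares the label's script against what the user's locale expects.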
 

ragazzo

Heh. Now that you've mentioned it, I can see a slight difference between the 2 chars :D
 

Attrox

That's why if you get this kind of e-mail, delete it and then type the URL to go to the destination site yourself.
 

Babbles

I am using Opera 7.54 and both of the links look like "paypal."

I don't know too much about this entire phishing thing so somebody please enlighten clueless me. What is "phishing" and what can happen if one is to click the link with a non-MSIE browser?
 

jagec

Originally posted by: Babbles
I am using Opera 7.54 and both of the links look like "paypal."

I don't know too much about this entire phishing thing so somebody please enlighten clueless me. What is "phishing" and what can happen if one is to click the link with a non-MSIE browser?

"Phishing" is where you send out a (hopefully legit-looking, many times not) spam email with a fake link in there, which directs people to a legit-looking website. The people put their information into that website, and you build a database of peoples' credit cards, social security numbers, names, addresses, etc.

The gullible will click the link in your email and fall for it. The smart will realize that they don't even HAVE an account with (say) Wells Fargo, and won't click. I think most real banks, at least, make a point of NOT putting links in their emails, to force you to type it manually.
 

SludgeFactory

Thanks hevnsnt, this is a good thing to know

Babbles, emails purportedly from Paypal and Ebay are very frequently used in phishing schemes. Be on the lookout for those 2 especially.

I still can't really see the difference in the two "a" characters. :( I blame my blurry 6 year old CRT :p
 

Babbles

Originally posted by: jagec
Originally posted by: Babbles
I am using Opera 7.54 and both of the links look like "paypal."

I don't know too much about this entire phishing thing so somebody please enlighten clueless me. What is "phishing" and what can happen if one is to click the link with a non-MSIE browser?

"Phishing" is where you send out a (hopefully legit-looking, many times not) spam email with a fake link in there, which directs people to a legit-looking website. The people put their information into that website, and you build a database of peoples' credit cards, social security numbers, names, addresses, etc.

The gullible will click the link in your email and fall for it. The smart will realize that they don't even HAVE an account with (say) Wells Fargo, and won't click. I think most real banks, at least, make a point of NOT putting links in their emails, to force you to type it manually.
Ah, okay I see. So clicking the link in and of itself is not a bad thing, but rather it can be spoofed to look like a legit website. Guess I should know what that is, being that I keep on getting an email from SouthTrust Bank asking me to check my account. The link goes to some page where I need to enter my account and PIN number. Which is all well and good except I never even heard of SouthTrust Bank, much less have an account with them.
For kicks I did go to the real website of that bank and the spoofed website looks pretty good, almost dead on in comparison from a visual aspect.

I guess I knew what phishing was, I just did not know there was a term for it; the actual word "phishing."
 

Armitage

Originally posted by: Attrox
That's why if you get this kind of e-mail, delete it and then type the URL to go to the destination site yourself.

Yep - that's what I tell everybody. NEVER trust an address you get in email.
 

Armitage

From slashdot:
The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.

IDN = International Domain Name