Microsoft has released a security patch that solves one of the more vexing problems faced by internet merchants and their customers: URL spoofing. URL spoofing allows a scammer to easily deceive an internet user into thinking that the website they are viewing is actually run by a reputable company. For example, here is a sample of the type of URL that scammers have been using:

         http://scgi.ebay.com%7CSAW-CGI%7CeBayISAPI.dll:VerifyInformaton@55.205.181.19/saw-cgi/?VerifyInformation

(yes I munged the URL, but I didn't purposely misspell the first occurrence of the word "Information" in the URL, the scammer did that  ;)

Unless you look closely and know what to look for, you can't really tell that this is a spoofed URL. Everything before the "@" is parsed as a username and password (the "%7C" sequences are just percent-encoded vertical bars, chosen to look like path separators), and a web server ignores that part entirely. The browser actually connects to the host after the "@", here 55.205.181.19, which is a counterfeit website run by a scammer (usually for the purpose of fooling you into providing credit card or banking information).
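To make that concrete, here is an added example (my own illustration, not code from the original post or from Microsoft) that runs the quoted phishing URL through the standard URL parser in Node.js or a modern browser, shows which part is userinfo and which part is the real host, and applies the two responses a client can take: a heuristic that flags userinfo that looks like a trusted brand's hostname, and the blunt MS04-004 policy of refusing the syntax outright. The list of trusted hosts and the function names are assumptions made for the example.

```javascript
// Added example: dissect http(s)://username:password@server/... URLs and
// show why the text before "@" is a decoy. Uses the WHATWG URL parser that
// ships with Node.js and current browsers. Not code from the original post.

// The spoofed URL quoted in the post (IP munged by the author, "Informaton"
// typo left exactly as the scammer wrote it).
const PHISH_URL =
  "http://scgi.ebay.com%7CSAW-CGI%7CeBayISAPI.dll:VerifyInformaton@55.205.181.19/saw-cgi/?VerifyInformation";

// Split a URL into the pieces a reader is likely to confuse. The server never
// sees username/password for plain navigation; only "host" matters.
function dissect(raw) {
  const u = new URL(raw);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    // %7C decodes to "|", which the scammer used to mimic a path.
    username: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    host: u.hostname, // where the connection actually goes
    path: u.pathname + u.search,
    hasUserInfo: u.username !== "" || u.password !== "",
  };
}

// Heuristic detector (assumption: a legitimate username is almost never a
// brand's domain name). Returns true when the decoy part names a trusted host.
function looksLikeSpoof(raw, trustedHosts) {
  const d = dissect(raw);
  if (!d.hasUserInfo) return false;
  const decoy = d.username.toLowerCase();
  return trustedHosts.some((h) => decoy.includes(h.toLowerCase()));
}

// The MS04-004 approach: drop support for userinfo in HTTP/HTTPS URLs
// altogether. Returns the URL to navigate to, or null for "refuse to load".
function policyAfterMS04004(raw) {
  const u = new URL(raw);
  const isWeb = u.protocol === "http:" || u.protocol === "https:";
  if (isWeb && (u.username !== "" || u.password !== "")) {
    return null;
  }
  return u.href;
}

// Stand-alone demonstration.
console.log(dissect(PHISH_URL));
console.log("spoof heuristic:", looksLikeSpoof(PHISH_URL, ["ebay.com"]));
console.log("after MS04-004:", policyAfterMS04004(PHISH_URL));
```

Running it prints the real host (55.205.181.19) separately from the decoy username ("scgi.ebay.com|SAW-CGI|eBayISAPI.dll"), flags the URL under the heuristic, and returns null under the MS04-004 policy, while an ordinary https://www.ebay.com/ URL passes both checks unchanged.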

Microsoft has finally taken action to prevent this type of deception from working inside of its Internet Explorer web browser.

"A security update is available that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or Windows Explorer after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894):

              http(s)://username:password@server/resource.ext

...malicious users can use this URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of Internet Explorer."

I was hoping that MS and the other browser makers would go this route. The syntax is rarely handy and its potential for abuse is huge - scratch that, it is probably being abused more than it's being properly used.

This goes a long way towards solving a number of problems that others have been trying to address in policy-space (i.e., ICANN Whois task forces and similar fora). Removing the technical capability removes the potential for abuse instead of just applying a band-aid at the policy level.

This is the way the internet is supposed to work.