
Threat Advisory Alert Issued for New Phishing Attack

The Anti-Phishing Working Group and Tumbleweed Communications have issued a new threat advisory alert regarding a dangerous new form of phishing attack.

This new phishing threat replaces the "Address" bar at the top of a Web browser with a working fake, allowing the phisher to display a completely fraudulent Web address (URL) while taking the consumer to the phisher's spoofed site. These sites typically ask for social security numbers, passwords or ATM number and PIN, and are often indistinguishable from a real site.

This sophisticated new attack type does not make use of the MS Internet Explorer bug published last November, but extends the same visual effect to multiple browser platforms. It does so by automatically detecting the consumer's browser, and applying a custom JavaScript that replaces the look and feel of the Web address bar with an appropriately designed working fake.

Phishing attacks use the Internet to perpetrate identity theft and credit card fraud. Phishers use spam techniques to send out millions of "spoofed" email messages that hijack the brands of well-known banks, e-commerce companies, and government agencies in an attempt to get consumers to visit fraudulent websites. Email "spoofing" works because the message is not digitally signed, leaving no way to verify that the "From:" address shown is really the source of the email. The goal of these fraudulent sites is to convince recipients to disclose personal financial information such as credit card numbers, online account passwords, and social security numbers.

How It Works

A consumer receives a forged email that pretends to be from a bank. The email claims that the recipient must verify their email address, and includes a web link. When clicked, the user's browser is opened, and they are taken to a Web page with an email verification form. The web link is HTML and the displayed text appears to link to the real bank's site.

However, the URL does not take the user to the bank's website. Instead, it takes them to a fraudster's site. The fraudulent site instantly detects the user's browser, and runs custom JavaScript code that removes the real address bar and replaces it with a fake address bar at the top of the browser window. The copy is exact. It has the "Address" field, it displays a URL web address that appears to be a secure link to the real bank (e.g. "https://"), and it has the "Go" button on the right-hand side.

In almost all respects, the web address and web page appear to be real. You can even type the bank's web address directly into the fake Address bar. This is a live piece of JavaScript code, not a static fake Address bar image.

Even more dangerous, if you right-click the page in order to view the HTML source code, the source code of the phishing Java applet is not displayed. The real source code to the phishing Address bar can only be seen by using the top menu of your browser to view the source code.

There are only one or two clues that the web page is not valid:

-- Although the fake Address bar shows HTTPS, there is no SSL padlock present in the lower corner of the browser.

-- When the user types a different URL into this address bar, the browser title does not change from the fake "Welcome" message.

"This is one of the most sophisticated phishing attacks that we have yet detected, and has serious security implications for consumers," said Dave Jevans, Senior Vice President with Tumbleweed Communications and Chairman of the Anti-Phishing Working Group. "Because the fake Address bar remains installed even after you leave the phisher's site, there is a possibility that a phisher could use this technique to secretly track every web site that you visit. Or even worse, a phisher could potentially employ a 'man-in-the-middle' attack to see everything that you send or receive through your Web browser until you close it. We have already alerted Anti-Phishing Working Group members to this attack, and we will discuss possible technical solutions to this threat at our meeting on Monday in San Francisco."


PAYMENTS NEWS IS PRODUCED BY AND IS A SERVICE MARK OF GLENBROOK PARTNERS, LLC
ISSN 1556-4487

Compilation Copyright © 2002 - 2008 Glenbrook Partners LLC. All Rights Reserved.