would this phish work with firefox?

tomandlu
Posts: 14
Joined: February 18th, 2004, 7:10 am


Post by tomandlu »

Interestingly, this one seems to work with many browsers (the site now seems
down, so I can't test it with firefox).

Here are details about the technique used:

http://www.antiphishing.org/phishing_ar ... -31-04.htm

What behaviour would one see with firefox and this method?
MonkeeSage
Posts: 1011
Joined: December 20th, 2002, 8:15 pm

Post by MonkeeSage »

From the description, no it would not work -- it may load up the CitiBank page in the iframe, but since Gecko has very strong XSSS (Cross-Site Scripting Security), none of the script operations would work -- they wouldn't be able to get any of the data from the iframe in the parent frame, they would just cause Gecko to throw uncaught exceptions that page X is not allowed to access data from page Y. :)


Shelumi`El
Jordan

S.D.G
"[M]en are usually satisfied with bad argument only when their convictions rest on other grounds." --John Oman
tomandlu
Posts: 14
Joined: February 18th, 2004, 7:10 am

Post by tomandlu »

Hmm,

Is any cross-site stuff involved?

My understanding is that the page is completely fake (i.e. it's not citibank's page; it's the phisher's page).

The trick here is emulating the address/title-bar.

Apart from anything else, it would seem to be a good argument for skinning or some other non-default change to your toolbar (since, presumably, the emulation will emulate the 'standard' arrangement of the target browser's toolbar).

Even if the phishers were willing to consider every possible skin/customisation that a user might make, afaik they wouldn't be able to get that info from the browser anyway...

Needless to say, lusers will be the target since a) they won't have skinned/customised their browser and b) they are more vulnerable to phishing... given that, I can't help but wonder why they bothered to code for anything except IE*

* this isn't really a dig at IE - just an acknowledgement that the majority use it - and probably 100% of lusers...

BTW what would be a more politically-correct term for lusers? I, for example, wouldn't know how to fix my car if it broke down. I'm not a novice, since that implies I have an intention to learn how to fix it (which I don't).
old momokatte
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old momokatte »

XSS doesn't come into play until the visitor enters an address into the fake address bar. By that time, they may have already fallen for the scam. The CitiBank site that appears in the frame isn't real, it's the harvester site.

Would this work in Mozilla or Firefox? Maybe. The spoof site's window would have to be opened using JavaScript, though, in order for the real address bar to be hidden. On my system, that would be prevented from occurring thanks to some handy user.js entries:

// Prevent sites from disabling features of new windows
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.directories", true);
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_open_feature.toolbar", true);
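
An added example (not part of the post above, and not Mozilla's code): a small Node.js check that a user.js file still sets every one of the ten prefs listed above to true, so a later edit or a commented-out line does not silently reopen the hidden-address-bar trick. The function names and the sample file contents are constructed for illustration.

```javascript
// Pref names from the post above; true stops pages from turning that feature off.
const PREFIX = "dom.disable_window_open_feature.";
const FEATURES = ["close", "directories", "location", "menubar", "minimizable",
  "personalbar", "resizable", "scrollbars", "titlebar", "toolbar"];

// Parse user_pref("name", value); lines. The last entry for a name wins.
function parseUserPrefs(text) {
  const prefs = new Map();
  const body = text.replace(/\/\*[\s\S]*?\*\//g, ""); // drop block comments
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;/;
  for (const line of body.split(/\r?\n/)) {
    const m = re.exec(line); // anchored at line start, so "// user_pref(...)" is skipped
    if (!m) continue;
    const raw = m[2];
    if (raw === "true" || raw === "false") prefs.set(m[1], raw === "true");
    else if (raw.startsWith('"')) prefs.set(m[1], raw.slice(1, -1));
    else prefs.set(m[1], Number(raw));
  }
  return prefs;
}

// Report which window features a page could still hide via window.open().
function auditWindowOpenPrefs(text) {
  const prefs = parseUserPrefs(text);
  const missing = [], notLocked = [];
  for (const f of FEATURES) {
    const v = prefs.get(PREFIX + f);
    if (v === undefined) missing.push(f);
    else if (v !== true) notLocked.push(f);
  }
  return { missing, notLocked, ok: missing.length === 0 && notLocked.length === 0 };
}

// Constructed sample user.js: "location" is commented out, "toolbar" is later reset to false.
const SAMPLE_USER_JS = [
  '// Prevent sites from disabling features of new windows',
  'user_pref("dom.disable_window_open_feature.close", true);',
  '// user_pref("dom.disable_window_open_feature.location", true);',
  'user_pref("dom.disable_window_open_feature.menubar", true);',
  'user_pref("dom.disable_window_open_feature.toolbar", true);',
  'user_pref("dom.disable_window_open_feature.toolbar", false);',
].join("\n");

const report = auditWindowOpenPrefs(SAMPLE_USER_JS);
console.log("missing:", report.missing.join(", "));
console.log("not locked:", report.notLocked.join(", "));
```
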
MonkeeSage
Posts: 1011
Joined: December 20th, 2002, 8:15 pm

Post by MonkeeSage »

They are spoofing the addressbar (which is another reason why it won't work in Gecko, you can only disable window features like the URL bar when opening a page with window.open, you can't do it in a window that already has it enabled -- javascript:void(window.locationbar.visible = false); -- doesn't work), but they have to load the CitiBank page in a frame below the spoofed addressbar, and the frame domain would be checked against the page hosting it, and since the frame is from a different domain, it would trigger XSSS and the host page wouldn't be able to access any of the elements in the frame page or its cookies &c. So they wouldn't be able to get at your password, pin number &c, they would just generate errors.

[Edit: momokatte said "The CitiBank site that appears in the frame isn't real, it's the harvester site. " - OH! I get it, duh...sorry I'm slow sometimes...]


Shelumi`El
Jordan

S.D.G
"[M]en are usually satisfied with bad argument only when their convictions rest on other grounds." --John Oman
SimmonsJ2K
Posts: 920
Joined: February 3rd, 2004, 2:45 pm
Location: Michigan

Post by SimmonsJ2K »

Even if they did hide the real address bar and display theirs, it would be in the wrong place if you have your tabs at the top, and likely would look quite different from the FF or Moz GUI, esp. if you're using a theme.