If at first you don't succeed; call it version 1.0
Sunday, 18 March 2007

One of the comments on my post about the phishing hole in IE7 was that the browser’s anti-phishing tool will detect scams exploiting this vulnerability, because it will check the external JavaScript reference (e.g. in my PoC: http://www.raffon.net/research/ms/ie/navcancl/phish.js). I’m not an IE7 anti-phishing internals guru, so I decided to test it.
I searched for a list of live phishing sites and found the millersmiles.co.uk anti-phishing service. From the list I chose http://pqpal.com/cgi-bin/index.htm, which is a PayPal phishing page. IE7’s anti-phishing tool reports this as a phishing website.
To be able to use this phishing URL in my test, I created a local DNS entry for pqpal.com and pointed it at my local web server.
To verify that the anti-phishing tool actually works with this local DNS entry, I loaded the phishing URL in IE7 and got the phishing warning page again.
Next, I created an index.htm file under the cgi-bin directory on my local web server. This file simply contains: alert("Hello from phishing site!");
For the proof-of-concept, I created an HTML file with a reference to the external script, http://pqpal.com/cgi-bin/index.htm. When I loaded this HTML file in IE7, I got the “Hello from phishing site!” alert box, and no indication that this comes from a phishing URL.
This means that the IE7 anti-phishing tool DOES NOT block pages with external scripts that point to a flagged URL. So, unless Microsoft flags the navcancl.htm local resource as a phishing page, I see no other way for the IE7 anti-phishing tool to detect phishing scams exploiting this vulnerability.
Again, until this vulnerability is fixed by Microsoft, do not trust any link in the “Navigation Canceled” page.

The proof-of-concept HTML file can be found here.
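
The check that the test above shows IE7 not performing can be run outside the browser. This is an added example, not code from the original post or from Microsoft: it lists a page's external script references whose host is on a flagged-host list. The names FLAGGED_HOSTS, extractScriptSrcs, isFlagged and auditPage, the example.test page URL and the sample HTML are constructed for illustration.

```javascript
// Constructed blocklist; pqpal.com is the flagged host named in the post.
const FLAGGED_HOSTS = new Set(["pqpal.com"]);

// Collect the src attribute of every <script> start tag. A regex is enough
// for an offline audit; it ignores closing tags and look-alikes like data-src.
function extractScriptSrcs(html) {
  const srcs = [];
  const tagRe = /<script\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = srcRe.exec(m[1]);
    if (a) srcs.push(a[1] ?? a[2] ?? a[3]);
  }
  return srcs;
}

// True if host equals a flagged host or is a subdomain of one.
// Lower-cases and drops a trailing dot so "PQPAL.COM." still matches.
function isFlagged(host, flagged) {
  const h = host.toLowerCase().replace(/\.$/, "");
  for (const f of flagged) {
    if (h === f || h.endsWith("." + f)) return true;
  }
  return false;
}

// Resolve each script src against the page URL and return the flagged ones.
function auditPage(pageUrl, html, flagged = FLAGGED_HOSTS) {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    let u;
    try { u = new URL(src, pageUrl); } catch { continue; } // unparsable src
    if (!/^https?:$/.test(u.protocol)) continue;           // skip data:, etc.
    if (isFlagged(u.hostname, flagged)) findings.push(u.href);
  }
  return findings;
}

// Constructed sample page; the first script URL is the one used in the post.
const SAMPLE_HTML = `
<html><head>
<script type="text/javascript" src="http://pqpal.com/cgi-bin/index.htm"></script>
<script src='/js/site.js'></script>
<script SRC=//WWW.PQPAL.COM./x.js></script>
<script>var inline = 1;</script>
</head><body></body></html>`;

console.log(auditPage("http://example.test/poc.htm", SAMPLE_HTML));
```

The page URL itself is never compared against the list here; only the script references are, which is the part the top-level URL check in the test above did not cover.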


Sunday, 18 March 2007 08:39:12 UTC | Comments [2] | Security
Sunday, 18 March 2007 14:42:39 UTC
You didn't get a warning from http://pqpal.com/cgi-bin/index.htm because that site doesn't work, i.e. it's offline.
Sunday, 18 March 2007 18:17:50 UTC
Yes, now the pqpal.com site is down. But, when I performed the test, it was up and running.
You can go and pick up from millersmiles.co.uk a different live phishing site, and test it yourself.