APWG Threat Advisory Alert on Visual Spoofing

The Anti-Phishing Working Group has finally issued a Threat Advisory Alert on the problem I outlined and demonstrated in my Visual Spoofing post (via Payments News).  In my demo, I used a simple bitmap for the fake address bar because I didn't want to spend more than a few minutes on the demo.  A hacker with some talent and more time could create a fake address bar that behaves just like the real one, which is what the advisory warns against.

The advisory mentioned that the fake address bar could persist, which is probably done by loading real websites in a frame under the address bar.  A properly written business web page should be able to detect this and either refuse to load inside a frame or 'pop out' of the frame.
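As an added example (not code from the original post or from APWG), here is the frame detection just described, written as two functions of my own naming, `framingState` and `protectAgainstFraming`, that take the browser `window` object as a parameter so the decision logic can also be exercised with mock objects outside a browser. When the page finds itself framed by another origin, it navigates the top-level window to its own URL, which replaces the spoofed page and its fake address bar; if that navigation is blocked, it hides its own content instead.

```javascript
// Added example, not code from the original post or from APWG.
// Frame detection for a login or business page: if another origin has
// loaded us inside a frame (e.g. beneath a fake address bar), "pop out"
// by navigating the top-level window to our own URL.
// The window object is passed in (assumed to be a standard browser
// `window`) so the logic can be tested with constructed mock objects.

function framingState(win) {
  // At top level the window is its own top.
  if (win.top === win) {
    return 'top-level';
  }
  try {
    // Reading location details of a cross-origin top window throws a
    // SecurityError in browsers, so reaching the comparison means the
    // framing page shares our origin.
    return win.top.location.hostname === win.location.hostname
      ? 'same-origin-frame'
      : 'cross-origin-frame';
  } catch (err) {
    return 'cross-origin-frame';
  }
}

function protectAgainstFraming(win) {
  if (framingState(win) !== 'cross-origin-frame') {
    return 'allowed';
  }
  // Browsers permit navigating top.location even across origins (unless
  // the framing page sandboxes us), which replaces the whole spoofed page.
  try {
    win.top.location.replace(win.location.href);
  } catch (err) {
    // Navigation blocked: at least keep our content from being shown
    // inside the attacker's page.
    if (win.document && win.document.body) {
      win.document.body.style.visibility = 'hidden';
    }
  }
  return 'popped-out';
}

// Run on page load in a real browser; a no-op under Node.
if (typeof window !== 'undefined') {
  protectAgainstFraming(window);
}
```

Script-based frame busting runs inside the framed document, so a framing page can suppress it (for example by sandboxing the frame); in current browsers the dependable control is to have the server send an `X-Frame-Options` header or a Content-Security-Policy `frame-ancestors` directive, so the browser refuses to render the page in a foreign frame before any script runs.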

BTW, both of the 'clues' the advisory points to can be worked around by visually simulating overlapping windows to confuse users.  So the advisory offers no real solution against the threat.

Anyhow, I am glad they finally recognized the threat as "one of the most sophisticated phishing attacks that we have yet detected, and has serious security implications for consumers", although they haven't bothered to mention me or my post.

Phishing through blogs

Meanwhile, Technorati still hasn't responded to the threat outlined in my Cross-Site Scripting Network post despite the warnings I gave them through e-mail and a blog comment.  The threat could lead to a storm of XSS-based phishing attacks using thousands of blogs.  I wrote the post because I felt the HTML fragment, used by Technorati to allow bloggers to claim their blogs, opens an XSS vulnerability across all claimed blogs if the Technorati website is penetrated.  Considering the furious pace of change at websites like Technorati, I think the likelihood of penetration is high enough to make the threat real.

I will be posting in the future about how phishers might use blogs to launch phishing attacks.  For now, I want to eliminate the threat I described above, because the scale of attack in that threat scenario is impossible to ignore.

Update:

I have joined APWG and will be attending the APWG meeting in San Francisco on Monday.  They don't normally allow consultants to join, but some of their members are my clients, so I got in.  I will post about the event on Tuesday unless APWG has a no-blogging policy.