
Users Face Malicious Web Attacks


bongme


hi


Attacks can happen without users opening an attachment

Saturday, 8 November, 2003

Computer users are used to being told to delete suspicious e-mail messages carrying attachments that could harbour a virus.

But net security experts are now predicting a growth in attacks that strike when people are simply browsing messages or the web.

These security threats exploit vulnerabilities in Microsoft's Internet Explorer (IE) browser.

Some take the form of fake online bank e-mail messages requesting secure information or that direct people to bogus sites.

Russ Cooper, chief scientist at security specialist TruSecure, said the risk of such attacks would grow as long as e-mail messages were written that used the HTML formatting more usually used to create webpages.

Hidden and dangerous

Mr Cooper said the threat from maliciously formed HTML was increasing and was being used to damage, disrupt or collect sensitive information about users and their computers.

"Looking at future threatscapes, we are expecting an increasing number of attacks which exploit vulnerabilities in IE," he said.

"These are exploited through HTML e-mails, and the nature of HTML is that it obscures what's underneath."

The malformed HTML can be in the body of an e-mail message or be unleashed when users go to websites which look legitimate but have been set with malicious intent.

E-mail messages bearing HTML can be anything from graphic intensive company newsletters to links that entice people to websites.

Because the malicious code is not in an attachment, there is very little the average computer user can do unless they have the latest e-mail programs which block scripts or they examine e-mail coding.

Mr Cooper said HTML viruses, such as Qhost, were becoming more common.

Qhost used a loophole in Microsoft's browser that granted them the ability to plant their own code on a victim's computer.

When users went to certain search sites this allowed a pop-up ad to run underneath their main browser window, and set off a flurry of pop-up ads as well as installing programs onto it.

"If I sent you an e-mail with a link to a website in it, and you click on the link, I could have used the exploit that Qhost used to install anything on your computer," said Mr Cooper.

"Depending on what e-mail program you were using, I may have been able to do that without you even clicking on the link."

For Mr Cooper Qhost marks a significant shift from viruses that cause system failures and inconvenience.

"In this case, they were trying to make money off you through ads, which is not what viruses normally do."

Graham Cluley, Sophos security analyst, thinks although these kinds of attacks are a threat they can be defended against by making sure your copy of Internet Explorer is updated.

"Anti-spam companies are also increasingly treating HTML e-mails as suspicious," he said, "and legitimate e-mail marketers are beginning to see the backlash and are working against HTML."

But even though browser flaws are fixable with downloadable patches, virus writers were constantly finding different methods to attack, making the patching job harder, said Mr Cooper.

Big fakes

Other maliciously formed HTML attacks have targeted customers of online banks.

In these scams, e-mails are sent to customers asking them to go to the bank's website to verify passwords and other confidential information.

The e-mails were fake and the website was a replica, but customers would not know that unless they actually examined the code behind the plausible looking message and webpage.

"This is going to occur more frequently," warns Mr Cooper.

"As more people have accounts online, there are more opportunities for someone to pretend to be an entity and collect information from you," says Mr Cooper.

But those behind the scams do not know what online bank customers use, said Mr Cluley, who advises people to ignore e-mails that purport to be from them and phone your bank instead.

By adding your online bank to your browser favourites, you ensure you are always going to the legitimate website.

"But we get so many HTML e-mails from people we know and do want, that to say 'if it's HTML based then I am going to delete it' is not realistic," says Mr Cooper.

"Microsoft continue running around chasing their tails in the hope that they can keep HTML e-mail secure enough, but we think that is going to be harder to do in the future."

Bongme
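
An added example, not part of the original post or the article it quotes: the article says a reader cannot tell a fake bank message from a real one without examining the code behind it, so this sketch does that examination on a mail's HTML body, reporting links whose visible text names one host while the `href` points to another, plus script-capable tags and event-handler attributes. The names `MailAuditor`, `audit` and `SAMPLE` and the sample hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
# Matches a hostname shown in visible link text, e.g. "www.example-bank.test".
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}

class MailAuditor(HTMLParser):
    """Collects findings about what an HTML mail body hides from the reader."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None      # href of the <a> currently open, if any
        self._text = []        # visible text collected inside that <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-content", tag))
        for name in attrs:
            if name.startswith("on"):   # attribute names such as onload, onclick
                self.findings.append(("event-handler", f"{tag}.{name}"))
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = HOST_IN_TEXT.search("".join(self._text))
        real = (urlparse(self._href).hostname or "").lower()
        if shown and shown.group(1).lower() != real:
            self.findings.append(("link-mismatch", f"{shown.group(1)} -> {real}"))
        self._href = None

def audit(html_body):
    auditor = MailAuditor()
    auditor.feed(html_body)
    auditor.close()
    return auditor.findings

# Constructed sample body (not from the article); hosts are reserved test values.
SAMPLE = """<html><body onload="init()">
<p>Please verify at <a href="http://203.0.113.7/login">https://www.example-bank.test</a></p>
<a href="https://news.example.test/issue">Read our newsletter</a>
<script src="http://203.0.113.7/x.js"></script></body></html>"""
```

A link whose visible text is plain words, like the newsletter link in the sample, produces no mismatch finding; only text that itself looks like a hostname is compared with the real destination.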
