Internet Explorer flaw leads to phishing attack

A newly uncovered vulnerability in Microsoft's Internet Explorer could allow attackers to launch a phishing attack. 

Security firm Secunia said that the flaw lies in the way Internet Explorer handles failed page loadings. When a page fails to load or cannot be found, a default HTML file known as 'navcancl.htm' is normally displayed. 

The page contains a message that the requested file could not be accessed along with a button that reloads the page.

The attack is carried out when a user visits an attacker's site. The site causes the 'navcancl' page to load and then manipulates the refresh button to redirect the user to a phishing site.

"While some may argue that such an attack requires too many steps, if you think about it, anyone who surfs the internet performs the same exact steps all the time: surf, fail to access the page, refresh," said Secunia technical writer Ina Ragragio.

The vulnerability is classified as 'less critical', the second of Secunia's five security alert levels.

A Microsoft spokesperson told vnunet.com that the company is investigating the reports. 

Microsoft and Secunia have not received any reports of attackers actively targeting the vulnerability.

See also:

UK banking fraud leaps 44 per cent

Chip and Pin protection pushing scams abroad  14 Mar 2007

Internet gives birth to 'Generation C'

End of the road for Generation X  12 Mar 2007

Storm Worm crashes February malware charts

Malware disguises itself to look like harmless code  02 Mar 2007

Phishing attack targets PartyPoker

Hackers raise the stakes  22 Feb 2007

Home wireless networks wide open

Half of all home wireless systems open to attack  20 Feb 2007

Like this story? Spread the news by clicking below:

 del.icio.us     Digg this     reddit!