http://news.bbc.co.uk/2/hi/technology/4085421.stm

Surfers need to be wary of phishing e-mails and other net dangers - Pop-up tricks

[beginning of article deleted]

Net security firm Secunia has discovered a way to use pop-up windows to fool even cautious users into thinking they are on an official site when in fact they are giving information to a phisher.

What happens is that a user clicks on a link in an e-mail or on a web page, and their browser opens up the real site, a bank or auction house, say.

But at the same time an invisible window onto a malicious site is opened. Then if the legitimate site opens a pop-up window, as many do, the malicious site is able to hijack it and write whatever it wants onto the screen.

This could be a link to another part of the malicious site or even a form asking for login details. I tried it myself, using the demonstration on Secunia's website, and it worked with both Firefox and Internet Explorer.

Perhaps the worst thing about this exploit is that it is not technically speaking a bug. Everything works as it is supposed to, and there are no program errors or sneaky viruses involved.

It is just that the way browsers handle pop-ups does not inform the user when a page in another browser window overwrites the content that the original site wrote into that pop-up.
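To make the mechanism described above concrete, here is a small model of how a browser resolves window.open(url, name) across tabs: a global name space lets any open page replace a pop-up it can name, while scoping names to the opening origin does not. This is an added example, not code from the article or from Secunia; the origins, URLs, the window name and the "scoped" policy are constructed assumptions for illustration.

```javascript
// Added example (not from the BBC article or Secunia): a constructed model of
// how a browser resolves window.open(url, name) between tabs. It shows why the
// trick is a design property rather than a bug, and what a name-scoping
// policy changes. Origins, URLs and window names are sample values.

class NamedWindowTable {
  // scopeByOpener=false: 2004-style behaviour, one global name space shared
  // by every site. scopeByOpener=true: a name only resolves among windows
  // opened from the same origin (an assumed policy, in the spirit of the
  // restrictions browsers later introduced).
  constructor(scopeByOpener) {
    this.scopeByOpener = scopeByOpener;
    this.windows = new Map(); // lookup key -> window record
  }

  key(openerOrigin, name) {
    return this.scopeByOpener ? `${openerOrigin}|${name}` : name;
  }

  // Simulates window.open(url, name) issued by a page at openerOrigin.
  // If a window with that name is found, its content is replaced silently,
  // which is exactly what the article describes; otherwise a new window opens.
  open(openerOrigin, url, name) {
    const k = this.key(openerOrigin, name);
    const existing = this.windows.get(k);
    if (existing) {
      existing.url = url;
      existing.writtenBy = openerOrigin;
      return existing;
    }
    const created = { name, url, openedBy: openerOrigin, writtenBy: openerOrigin };
    this.windows.set(k, created);
    return created;
  }
}

// Runs the scenario from the article: the real site opens a pop-up with a
// predictable name while a page from another origin, open in a second tab,
// targets the same name. Returns what the bank's pop-up ends up showing.
function simulateWindowInjection(scopeByOpener) {
  const browser = new NamedWindowTable(scopeByOpener);
  const bankPopup = browser.open('https://bank.example', 'https://bank.example/login', 'loginPopup');
  const other = browser.open('https://other.example', 'https://other.example/form', 'loginPopup');
  return {
    popupNowShows: bankPopup.url,
    contentWrittenBy: bankPopup.writtenBy,
    hijacked: other === bankPopup,
  };
}
```

With the global name space the bank's pop-up ends up displaying the other origin's page, which is the condition the article says the user is never told about; with names scoped to the opener the second call simply opens a separate window.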

The programmer in me admires the exploit. It is, after all, a cool trick, a bit of prestidigitation that merits applause.

Unfortunately this particular sleight of hand will not be used to charm innocent children or entertain seaside crowds. Its target will be the legions of online shoppers, auction hounds and anyone who banks online.

Of course it is only effective because most pop-ups do not display the browser address bar, so you cannot actually see which website is being visited; but there are millions of sites out there that would have to be changed in order to show it.

A quick fix would be for the browser itself to refuse to hide the address bar: an inconvenience for many but some protection for the innocent. But that will take time to implement and would require every user to update their software, something that is notoriously difficult to achieve.

[rest of article deleted]
