Internet Explorer 7 anti-phishing tech: Work-in-Progress

Summary: I've finally gotten around to playing with Internet Explorer 7; the version of IE that will be included in the next version of Windows (Windows Vista) and that will ship separately as a download for users of Windows XP SP2 at the same time that Vista ships.  IE7 is currently in beta.

TOPICS: Browser

I've finally gotten around to playing with Internet Explorer 7; the version of IE that will be included in the next version of Windows (Windows Vista) and that will ship separately as a download for users of Windows XP SP2 at the same time that Vista ships. IE7 is currently in beta. I've been working with IE 7.0.5296 Beta 2 (the version that Microsoft execs recently handed to me on a USB key).

As browsers go, IE7 takes security to a whole 'nother level.  Other browsers that are currently in circulation will need to learn a thing or two from the lengths that IE7 goes to protect us users from our worst enemies: ourselves. This is a good thing because it's not worms or viruses that get us into the most trouble. It's social engineering -- the art of getting us to lower our guard and do something we shouldn't do. 

Social engineering is the weapon of choice for phishers. Much the same way interrogators fish for clues with suspected criminals hoping to snare an off-guard suspect in their traps, phishers fish in that big ocean of email recipients with authentic-looking emails hoping to snare an unsuspecting user in their traps. A typical email is dressed up to look like it's from eBay or Bank of America and goes out to millions of Internet users in hopes that some of them are actually eBay or Bank of America customers and in even greater hopes that some of those will click on a link in the email that, instead of going to eBay or Bank of America's real site, takes them to a very convincing imposter. The user is invariably presented with a login screen that, when used, sends the user's credentials directly to the bad guys (usually in another country) who now have what they need to conduct transactions on your behalf. Given how any email that purports to be from your bank could easily be from a phisher, the rise of phishing has ruined Internet email as a means for financial institutions to stay in touch with their customers.

The good news is, to keep users from getting snared in a phisher's trap, IE7 looks for the tell-tale signs that an email is suspicious. The bad news is that it needs to do more to flag the potential danger to end users. Again, IE7 is in beta. So, by the time it ships, some of the problems I'm documenting here might very well have been addressed by the folks at Microsoft. My test starts innocently enough. In my email, I receive what looks to be a question from an eBay user. If I'm an eBay user (I am) and I'm currently running some auctions (I'm not), receiving such an email would not be out of the ordinary. Since I'm not running any auctions, I intuit that the message is from a phisher and decide to use it as a test of IE7's new antiphishing technologies. If you're an eBay user, the email (see partial screenshot, below) looks quite authentic.


It says it's from (not shown) and many of the graphics it displays are actually pulled directly from eBay's web site. Some of the links even go to eBay's Web site. Except for the most actionable one: the one that says "Respond Now." Upon inspection of the source code behind the link, it clearly doesn't go to eBay's Web site. It goes here (if you check it out, DO NOT try logging in with your eBay credentials); a Web page that looks exactly like eBay's login screen but is an imposter.

Since IE7 is set to be my default Web browser, clicking on the link starts IE7 up and it's at this point that IE7 begins the process of examining the email for any sort of suspicious coding that could signal that it's from a phisher.  Before any warning comes up though, a progress indicator shows that the page is 100 percent loaded into the display.  It should probably be the other way around.  As can be seen from the next partial screen shot (below) the Web address is tinted yellow and next to it is a warning that says "Suspicious Web site." 


Personally, I'm not one to pay much attention to what's going on up in the browser's toolbar. So, if the warning isn't flashing or in neon red, there's a good chance my attention isn't going to be drawn to it. My personal feeling is that this warning is too subtle and that it will escape the attention of most users who aren't accustomed to looking for warnings near the top of their browser's window. Especially ones in yellow pastel. Interestingly enough, whereas this was a real threat and the background color behind the warning was a soft yellow (not even a harsh one), the color that IE7 used to warn of a certificate error that posed no threat to me was in red (see right).


Clicking on the warning results in the pop-up window that I've pictured to the left. It flags the Web site as being a suspicious one and says that IE7's phishing filter thinks it might be a phishing site and gives you a link to report it if it is one. But this pop-up does not appear automatically. You have to click on the warning that's in IE7's toolbar area which, again, is far too subtle. Personally, I'd like to see it blink slowly in red, then rapidly, then not at all (in succession). This is sort of like the warning saying "I want your attention. HEY YOU I WANT YOUR ATTENTION!!! OK, you apparently don't care about me so I'll go away." But there's also another problem with the warning. As shown in the screen shot below, the user might never get to see it if the dimensions of their browser window are set to a small enough size. As the browser window is resized, IE7 has to decide at what point to stop showing certain elements. As can be seen in the screen shot, it continues to show the search box (I have Google selected as my default search engine). But the warning box has completely vanished. Given that security is far more important than my search box, it should probably be the other way around.

As a last reminder, my comments refer to a beta version of IE7. At the time this blog was written, IE7 had not yet been released to manufacturing and there's a chance that some of the suggestions I've made have (a) been suggested by others and (b) will be addressed prior to the official release of IE7.

  • evil is out there !

    What exactly should other browsers learn from IE7 secure features? I am confused. That e-mail can be misused for fishing? what has that to do with browsing the net?

    "This might be a phishing site" ?

    What about "the internet is inherently insecure"
    or "evil people out there are trying to scam you!"

    How about a more general warning "don't forget to lock your house and internet access when you go out there!"

    what is new about this?!
    come on :)
    • When technology.....

      ...can help you know and assess the degree of risk, I think it's better to have it than to not. Somewhere along the line, they put cameras in the back of buses so bus drivers could see what's behind them. Are you saying that a little extra protection isn't worth it, even though the technology has matured to the point that we can economically have that protection? I disagree. I'd rather have the warning than not. I like visual cues that what I'm about to do is more dangerous than some other thing that I do even though I'm savvy enough to know better in most situations. And if it saves one person from making a really bad mistake, then the technology is worth it.
    • It is all very logical...

      There is limited wealth.
      One has only what one takes.
      If others have wealth, then they took it.
      Others who have more than we must have taken more than their fair share.
      If we want to have wealth, then we must take it back.
      How can we take it back?
      We can go phishing.
      Phishing is not wrong, because it is only taking back what was taken unfairly.
      Phishing is safe because we are in a different country.
      Phishing is good, because we are taking wealth from the evil.
      Phishing is easy because others supply their security information willingly.
      Phishing is fun, for we can use our computers and purloined software.
      Phishing is heuristic, for we learn technical skills while doing it.
      Phishing is profitable, for it brings us wealth.
      Phishing is right, because we phish are doing good to the poor.
  • As malware authors evolve, so does MS

    Security in other home OSs, while arguably better than Windows in protecting the user from outside threats, does little if anything to protect the user from themselves. While I am a fan of Linux (I have 3 computers running it at home), it follows the Unix mentality that users have computer common sense and that security threats are based on technical vulnerabilities, not social engineering. Times have changed since Gore invented the Internet and home OSs currently do little to protect the average user from the biggest vulnerability out there: the average user. XP's Security Center is a good first step, IE7's anti-phishing appears to be a good second step, steps that no other OS seems to be prepared to take. It isn't hard to see why companies like Apple are so uninterested in spending the money to protect users from themselves when they have a legion of OSX users who are so willing to apologize away any vulnerability. If it hasn't hurt me yet, it can't possibly hurt me in the future.

    While most malware is OS specific, leading to the inevitable argument that this is protecting you against something that is a Microsoft only problem, phishing is OS agnostic. This is one area where having no marketshare will not protect you.

    As long as you are still able to use other browsers (I personally prefer Firefox over IE), I see IE7's security feature as being only a good thing.
    • Police action lags behind fraudulent sites

      We do not want to send his squads into foreign countries any more than inside our own, to take out phishers.
      However, foreign governments benignly smile at their phishers bringing billions of US/Can$ into their national economies with no reciprocation.
      Do North American governments consider the leaking of their wealth to be serious enough for diplomatic action (aside from any concern for citizens' earnings being stolen)?
  • Types of Phishing Filter warnings

    There are two types of Phishing Filter warnings. One, the yellow one that you got, is for "suspicious" sites -- ones that Microsoft doesn't have marked as definitely phishing sites, but ones that, based on heuristics, are relatively likely to be. In other words, no human at MS has flagged it as of yet.

    The second type is those that have been flagged by a human at MS as definitely phishing sites. There is a much stronger warning for these sites: the bar is red, and navigation to the page is actually blocked. See the screenshot at:
    • Too easy to click on wrong choice

      Notice that the two options are near enough one to another that careless users such as I may likely click on the wrong one.
      [ ] Click here to close this webpage.
      [ ] Continue to this website (not recommended).
      Much like the "Spam" and "Delete" icons in Thunderbird that has sent many of my friends' addresses into my spam filter list.
  • So far their filters are very poorly implemented

    They are going to anger a great deal of web masters out there. We are a MS partner. Microsoft sends us customers from their web site to our site to signup for our services. When you go to the signup page where we request identification information, IE7 gives a Phishing warning. The warning says that this web site may be harmful and not to submit any information to it. Hopefully they are going to get a grip on this before final release, but right now it is far too cautious. In addition, our competitors could have all their employees visit our forms and submit a Phishing warning and thus result in our web site being blocked.

    Implementing Phishing filtering is fine if the company being spoofed reports a page as a Phishing page, but otherwise for them to just use filtering technology to determine filtering is ridiculous. Name, address, email and phone are what we request on our form they marked as phishing. How many forms out there request that info?

    So far, MS Phishing is not ready for primetime and they need to rethink the logic behind it.
  • 1 vote for the yellow, the yellow color is GOOD!

    I'm 57yrs. All my life yellow has been associated with DANGER. Put the pink back where it belongs.
  • Agree With Story Author

    Not in all cases does yellow mean danger. There are yellow carnations, roses, marigolds and other flowers, what's the danger there???

    I too think the warning should be in another location or at a minimum blinking
  • Firefox Users

    The yellow address bar could definitely prove confusing for users of Mozilla Firefox because in Firefox, secure SSL encrypted sites show up in the address bar as yellow. What happens when an IE 7 user goes to a phishing site, sees the yellow warning but thinks "Oh good, it's a secure site"!