As browsers go, IE7 takes security to a whole 'nother level. Other browsers currently in circulation will need to learn a thing or two from the lengths IE7 goes to in order to protect us users from our worst enemies: ourselves. This is a good thing, because it's not worms or viruses that get us into the most trouble. It's social engineering -- the art of getting us to lower our guard and do something we shouldn't do.
Social engineering is the weapon of choice for phishers. Much as interrogators fish for clues from suspected criminals in the hope of catching an off-guard suspect, phishers fish in the big ocean of email recipients with authentic-looking emails in the hope of snaring an unsuspecting user. A typical email is dressed up to look like it's from eBay or Bank of America and goes out to millions of Internet users in the hope that some of them are actually eBay or Bank of America customers, and that some of those will click on a link in the email that, instead of going to eBay's or Bank of America's real site, takes them to a very convincing imposter. The user is invariably presented with a login screen that, when used, sends the user's credentials directly to the bad guys (usually in another country), who now have what they need to conduct transactions on the victim's behalf. Given that any email that purports to be from your bank could easily be from a phisher, the rise of phishing has ruined Internet email as a means for financial institutions to stay in touch with their customers.
The good news is that, to keep users from getting snared in a phisher's trap, IE7 looks for the tell-tale signs that a page is suspicious. The bad news is that it needs to do more to flag the potential danger to end users. Again, IE7 is in beta, so by the time it ships, some of the problems I'm documenting here may well have been addressed by the folks at Microsoft. My test starts innocently enough. In my email, I receive what looks to be a question from an eBay user. If I'm an eBay user (I am) and I'm currently running some auctions (I'm not), receiving such an email would not be out of the ordinary. Since I'm not running any auctions, I conclude that the message is from a phisher and decide to use it to test IE7's new anti-phishing technology. If you're an eBay user, the email (see partial screenshot, below) looks quite authentic.
It says it's from ebay.com (not shown), and many of the graphics it displays are actually pulled directly from eBay's Web site. Some of the links even go to eBay's Web site, except for the most actionable one: the one that says "Respond Now." Inspecting the source code behind that link shows that it clearly doesn't go to eBay's Web site. It goes here (if you check it out, DO NOT try logging in with your eBay credentials): a Web page that looks exactly like eBay's login screen but is an imposter.
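The check described above (look past the link text and the borrowed graphics at where the href actually points) is easy to automate for a mail gateway or an analyst's triage script. The Python below is an added example, not code from the post or from Microsoft; the HTML email body is constructed for the demonstration, the imposter hostnames are placeholders (the post's real phishing address is not reproduced), and "ebay.com" is assumed to be the brand domain whose links are being vetted. It flags every http(s) link whose target is outside the brand's domain, and additionally notes when the hostname merely contains the brand name or when the visible text is itself a brand URL that disagrees with the real target.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body, modelled on the kind of message the post
# describes. The off-brand domains are placeholders, not the actual phishing site.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Question from eBay member -- please respond</p>
<a href="http://www.ebay.com/help/">Help</a>
<a href="http://pages.ebay.com/help/policies/">Policies</a>
<a href="http://ebay-signin.example.net/signin/">Respond Now</a>
<a href="http://203.0.113.7/signin/">http://signin.ebay.com/</a>
<a href="mailto:support@ebay.com">Contact support</a>
</body></html>
"""


def host_under(host, domain):
    """True if host is domain itself or a subdomain of it (case-insensitive)."""
    host = (host or "").lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, [text fragments]] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, fragments = self._current
            self.links.append((href, "".join(fragments).strip()))
            self._current = None


def extract_links(html):
    """Return [(href, visible text), ...] in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def _hostname_of_text(text):
    """Hostname if the link's visible text reads as a URL or bare host, else None."""
    try:
        return urlparse(text if "://" in text else "http://" + text).hostname
    except ValueError:  # e.g. stray brackets that urlparse rejects
        return None


def find_suspicious_links(html, brand_domain):
    """Return the http(s) links whose real target is not under brand_domain,
    each tagged with the reason(s) a reviewer would cite."""
    brand_label = brand_domain.split(".")[0].lower()  # e.g. "ebay"
    findings = []
    for href, text in extract_links(html):
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto: and other schemes are out of scope here
        host = target.hostname or ""
        if host_under(host, brand_domain):
            continue  # genuinely points at the brand's own site
        reasons = ["off-brand-target"]
        # Brand name embedded in a hostname that is not the brand's domain,
        # e.g. ebay-signin.example.net, to look familiar at a glance.
        if brand_label in host:
            reasons.append("lookalike-host")
        # Visible text is a brand URL while the href goes somewhere else.
        shown_host = _hostname_of_text(text)
        if shown_host and host_under(shown_host, brand_domain):
            reasons.append("display-mismatch")
        findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_EMAIL_HTML, "ebay.com"):
        print(f"{f['text']!r} -> {f['href']}  [{', '.join(f['reasons'])}]")
```

Run against the sample, only the "Respond Now" link and the one whose text reads http://signin.ebay.com/ are reported; the two real ebay.com links and the mailto: link pass. Matching on a suffix of the registered domain is deliberate: a host such as ebay.com.example.net ends with the brand name but not with ".ebay.com", so it is still flagged.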
Since IE7 is set as my default Web browser, clicking on the link starts IE7, and it's at this point that IE7 begins examining the page for any sort of suspicious coding that could signal that it's from a phisher. Before any warning comes up, though, a progress indicator shows that the page is 100 percent loaded into the display. It should probably be the other way around. As can be seen from the next partial screenshot (below), the Web address is tinted yellow and next to it is a warning that says "Suspicious Web site."
As a last reminder, my comments refer to a beta version of IE7. At the time this blog was written, IE7 had not yet been released to manufacturing, and there's a chance that some of the suggestions I've made have (a) been suggested by others and (b) will be addressed prior to the official release of IE7.