Internet Explorer 7 anti-phishing tech: Work-in-Progress
I've finally gotten around to playing with Internet Explorer 7; the version of IE that will be included in the next version of Windows (Windows Vista) and that will ship separately as a download for users of Windows XP SP2 at the same time that Vista ships. IE7 is currently in beta.
I've finally gotten around to playing with Internet Explorer 7; the version of IE that will be included in the next version of Windows (Windows Vista) and that will ship separately as a download for users of Windows XP SP2 at the same time that Vista ships. IE7 is currently in beta. I've been working with IE 7.0.5296 Beta 2 (theversion that Microsoft execs recently handed to me on a USB key).
As browsers go, IE7 takes security to a whole 'nother level. Other browsers that are currently in circulation will need to learn a thing or two from the lengths that IE7 goes to protect us users from our worst enemies: ourselves. This is a good thing because it's not worms or viruses that get us into the most trouble. It's social engineering -- the art of getting us to lower our guard and do something we shouldn't do.
Social engineering is the weapon of choice for phishers. Much the same way interrogators fish for clues with suspected criminals hoping to snare an off-guard suspect in their traps, phishers fish in that big ocean of email recipients with authentic looking emails hoping to snare an unsuspecting user in their traps. A typical email is dressed up to look like it's from eBay or Bank of America and goes out to millions of Internet users in hopes that some of them are actually eBay or Bank of America customers and in even greater hopes that some of those will click on a link in the email that, instead of going to eBay or Bank of America's real site, takes them to a very convincing imposter. The user is invariably presented with a login screen that when used, sends the users credentials directly to the bad guys (usually in another country) who now have what they need to conduct transactions on your behalf. Given how any email that portends to be from your bank could easily be a phisher, the rise of phishing has ruined Internet email as a means for financial institutions to stay in touch with their customers.
The good news is, to keep users from getting snared in a phisher's trap, IE7 looks for the tell-tale signs that an email is suspicious. The bad news is that in needs to do more to flag the potential danger to end users. Again, IE7 is in beta. So, by the time it ships, some of the problems I'm documenting here might very well have been addressed by the folks at Microsoft. My test starts innocently enough. In my email, I receive what looks to be a question from an eBay user. If I'm an eBay user (I am) and I'm currently running some auctions (I'm not), receiving such an email would not be out of the ordinary. Since I'm not running any auctions, I intuit that the message is from a phisher and decide to use it as a test of IE7's new antiphishing technologies. If you're an eBay user, the email (see partial screenshot, below) looks quite authentic.
It says it's from ebay.com (not shown) and many of the graphics it displays are actually pulled directly from eBay's web site. Some of the links even go to eBay's Web site. Except for the most actionable one; the one that says "Respond Now." Upon inspection of the source code behind the link, it clearly doesn't go to eBay's Web site. It goes here (if you check it out, DO NOT try logging with your eBay credentials); a Web page that looks exactly like eBay's login in screen but is an imposter.
Since IE7 is set to be my default Web browser, clicking on the link starts IE7 up and it's at this point that IE7 begins the process of examining the email for any sort of suspicious coding that could signal that it's from a phisher. Before any warning comes up though, a progress indicator shows that the page is 100 percent loaded into the display. It should probably be the other way around. As can be seen from the next partial screen shot (below) the Web address is tinted yellow and next to it is a warning that says "Suspicious Web site."
Personally, I'm not one to pay much attention to what's going on up in the browsers tool bar. So, if the warning isn't flashing or in neon red, there's a good chance my attention isn't going to be drawn to it. My personal feeling is that this warning is too subtle and that it will escape the attention of most users who aren't accustomed to looking for warnings near the top of their browser's window. Especially ones in yellow pastel. Interestingly enough, whereas this was a real threat and the background color behind the warning was a soft yellow (not even a harsh one), the color that IE7 used to warn of a certificate error that posed no threat to me was in red (see right).
Clicking on the warning results in the pop-up window that I've pictured to the left. It flags the Web site as being a suspicious one and says that IE7's phishing filter thinks it might be a phishing site and gives you a link to report it if it is one. But this pop-up does not appear automatically. You have to click on the warning that's in IE7's toolbar area which, again, is far too subtle. Personally, I'd like to see it blink slowly in red, then rapidly, then not at all (in succession). This is sort of like the warning saying "I want your attention. HEY YOU I WANT YOUR ATTENTION!!! OK, you apparently don't care about me so I'll go away." But there's also another problem with the warning. As shown in the screen shot below, the user might never get to see it if the dimensions of their browser window are set to a small enough size. As the browser window is resized, IE7 has to decide at what point to stop showing certain elements. As can be seen in the screen shot, it continues to show the search box (I have Google selected as my default search engine). But the warning box has completely vanished. Given that security is far more important than my search box, it should probably be the other way around.
As a last reminder, my comments refer to a beta version of IE7. At that time this blog was written, IE7 had not yet been released to manufacturing and there's a chance that some of the suggestions I've made have (a) been suggested by others and (b) will be addressed prior to the official release of IE7.