Is IE emptying your bank account?

Internet Explorer is broken, and the bad guys know it. As you type, criminal hackers could be recording your bank login and password information.
Written by Robert Vamosi, Contributor
Robert Vamosi
Internet Explorer is broken, and the bad guys know it. As you type, criminal hackers could be recording your bank login and password information. Robert offers some tips for staying safe online.
Microsoft's Internet Explorer is broken, and criminal hackers (crackers) know it. Within the last few weeks, these evildoers have staged several well-orchestrated Internet Explorer attacks designed to steal your banking and credit card information. The result has been that you can't trust Internet Explorer -- how will you know if a secure site is truly safe? Here's a look at what's wrong with Internet Explorer and what you can do to keep your data under lock and key.

At issue are not one, but several flaws within Internet Explorer, some well known and some not so well known (so-called zero day attacks). All of the serious attacks also use tiny apps called keystroke-logging Trojan horses, which capture IDs, passwords, and credit card information as you type them. And all of the attacks so far happen without users even suspecting there's anything wrong. Note: Only Windows users are at risk; Mac and Linux folks, you're safe for now.

Two weeks ago, elements of the Russian mafia coordinated a brilliant attack that turned the Internet into millions of points of digital infection. First, the Russians (or their hired crackers) managed to secure malicious code on vulnerable Microsoft IIS Web servers worldwide. Then, using flaws within Internet Explorer, malicious JavaScript automatically downloaded whenever a user visited an infected site (which included popular search and auction destinations). That JavaScript in turn downloaded a keystroke-logging Trojan horse from another server located in Russia. The attack ended once the Russian server was taken offline.

Last week, a second attack targeted accounts with major financial institutions, such as Citibank and Deutsche Bank. Spread by pop-up advertising, which in turn loaded malicious code, this attack uses a Browser Helper Object (BHO), a type of file that developers frequently use to monitor Internet Explorer sessions. In this case, whenever a user visits a banking site, just before the encrypted secure socket layer (SSL) session starts between user and bank, the Trojan records all the POST and GET information before it is encrypted. The Trojan then starts its own encrypted session, sending your personal banking data to a remote server.

How could this happen? Blame monopolies. When Microsoft launched its browser war against Netscape a few years ago, we all lost. By encouraging Web site developers to "optimise for Internet Explorer," Microsoft killed off the competition by offering Web surfers flashing images and pretty sounds. Internet Explorer now holds a commanding 95 percent of the Internet browser market. Because of that market dominance, however, Internet Explorer engineers have been lax about browser innovations and battening down its hatches.

In the wake of these serious security events, the software giant posted instructions to secure your Internet Explorer.

In a nutshell, the instructions say to increase the security settings within Internet Explorer, turn off JavaScript and ActiveX, and start reading e-mail in plain text (because Outlook uses Internet Explorer to render HTML). In other words, we should turn off everything Web developers have been told to optimise for. No more flashing images, no more cute sounds, just bland old, flat Web pages. And if you do follow these instructions, many Web sites you use every day simply will not work properly. Thanks a lot, Microsoft.

Here's the best part: there's one flaw that Microsoft fixed six years ago in Internet Explorer 3.0 and 4.0 that has resurfaced in versions 5.01, 5.5, and 6.0. And there are a few new bugaboos within Internet Explorer that even the software giant in Redmond, Washington, didn't know existed, despite its own efforts, a.k.a. Microsoft's Trustworthy Computing campaign. To its credit, Microsoft has since posted a patch for one of the new Internet Explorer flaws, but it waited a week to do so, and this patch still doesn't resolve all the problems.

The crisis with Internet Explorer is so bad that the U.S. Computer Emergency Response Team (US-CERT) now recommends that you move away from Microsoft Internet Explorer. You have Netscape 7.1, Mozilla 1.7, and Opera 7.5 to choose from, however, there is much excitement surrounding Mozilla's new Firefox browser, currently in beta, if only because Firefox reunites several original Netscape developers.

Short of bailing from Internet Explorer, you can also stop remote-access Trojan horses with a good personal desktop firewall such as ZoneAlarm or those included within Norton Internet Security and McAfee Internet Security. Finally, several of the banking Trojans can be removed with apps such as Spybot Search and Destroy and Ad-aware, as well as your favourite antivirus app. If you aren't currently checking for spyware, you should be. And if you aren't running antivirus protection, well, now's a really good time, don't you think?

What do you think? Do these security problems make you rethink your use of IE? Or have you already switched? TalkBack to me below!

Editorial standards