Internet Explorer - Demo: Phishing with Frames
A browser should ensure that multiple concurrent Web pages are not able to manipulate each other. For instance, a Web page from the The H server must not manipulate windows or frames coming from Microsoft. By default, Internet Explorer does, however, allow such cross-domain access via frames and therefor allows "frame spoofing". In other browsers, this kind of cross domain access has been disabled.
Many Internet sites consist of frames. Often, a frame on the left side contains the navigation bar, while the content is displayed on the right side. If the name of such a frame is known (such as "navigation"), any foreign Web page can overwrite the content of this frame with its own Web page. For instance, an attacker may trick users into thinking they are on a trusted site and induce them to enter personal data.
Note: The following demos do not show security problems associated with the specific pages; rather, almost all pages using frames can be abused this way. Many providers have started to do without frames, particular providers of security-relevant services, such as online banking.
- The following link opens the home page of the Dedicated Cheque and Plastic Crime Unit (DCPCU). Once the page has been loaded, you go back to this window to continue with step 2: Open
- Now, click on the following link, which loads a harmless HTML page into the browser window with the DCPU page: Insert
If the demo works, your browser window with the DCPU page will now display a The H page with a red header: "You are vulnerable". Other frames remain unchanged, and the address bar of your browser still displays the URL of the original DCPU page. If the DCPU page remains completely unchanged and the The H page is shown in its own separate window, the demo did not work.
It would not require much work to automate both steps to make it practically impossible for the user to notice this manipulation. It would then suffice to click on a Web page or a link in a mail to go to the manipulated page. Such cross-frame phishing attacks also work with encrypted sites. If such a frame is smuggled in from a valid https page, not even a warning is displayed.
If you go to the security settings of Internet Explorer to disable the option "Navigate subframes across different domains", the browser will prevent such frame spoofing.
One basic protection against such manipulation would be to open only one window during security-relevant activities such as online banking. Also, do not use links, but enter the URL manually or select the page via your favourites lists/bookmarks.
Web site developers should stop using frames so that their sites are not vulnerable to such manipulation.