MORE INFORMATION
This article discusses steps you can take to help protect
yourself from spoofed Web sites. To summarize, these steps are:
- Install the MS04-004 Cumulative Security Update for
Internet Explorer (832894).
- Verify that there is a lock icon in the lower right Status
bar and verify the name of the server that provides the page that you are
viewing before you type any personal or sensitive information.
- Do not click any hyperlinks that you do not trust. Type
them in the Address bar yourself.
Install the MS04-004 Cumulative Security Update for Internet Explorer (832894)
For additional information about this security update, visit the
following Microsoft Web site:
This article also discusses steps that will help you identify
spoofed Web sites and malicious hyperlinks.
Note You do not have to install this update if you have already
installed Microsoft Windows XP Service Pack 2. The update is included in this
service pack.
Things that you can do to help protect yourself from spoofed Web sites
Make sure that the Web site uses Secure Sockets Layer/Transport
Layer Security (SSL/TLS) and check the name of the server before you type any
sensitive information.
SSL/TLS is typically used to help protect your
information as it travels across the Internet by encrypting it. However, it
also serves to prove that you are sending data to the correct server. By
checking the name on the digital certificate used for SSL/TLS, you can verify
the name of the server that provides the page that you are viewing. To do this,
verify that the lock icon appears in the lower right corner of the Internet
Explorer window.
Note If the Status bar is not enabled, the lock will not appear. To
enable the Status bar, click View, and then click to select Status Bar.
To verify the name of the server that
appears on the digital certificate, double-click the lock icon, and then check
the name that appears next to
Issued to. If the Web site does
not use SSL/TLS, do not send any personal or sensitive information to the site.
If the name that appears next to
Issued to is different from
the name of the site that you thought provides the page that you are viewing,
close the browser to leave the site. For additional information about how to do
this, visit the following Microsoft Web site:
Things that you can do to help protect yourself from malicious hyperlinks
The most effective step that you can take to help protect yourself
from malicious hyperlinks is not to click them. Rather, type the URL of your
intended destination in the address bar yourself. By manually typing the URL in
the address bar, you can verify the information that Internet Explorer uses to
access the destination Web site. To do so, type the URL in the Address bar, and
then press ENTER.
Note The Address bar does not appear if it is not enabled. To enable
the Address bar, click View, point to Toolbars, and then click to select
Address Bar.
Some things that you can do to identify spoofed sites when the Web site is not using SSL/TLS
The most effective step that you can take to verify the name of
the site that provides the page that you are viewing is to verify the name on a
digital certificate using SSL/TLS. But if the site does not use SSL/TLS, you
cannot conclusively verify the name of the site that provides the page that you
are viewing. However, there are some things that you can do that, in some
cases, may help you identify spoofed sites.
Caution The following information provides general guidelines based on
well-known attacks. Because attacks change constantly, malicious users could
create spoofed Web sites by using means other than those that are described
here. To help protect yourself, type personal or sensitive information on a Web
site only if you have verified the name on the digital certificate. Also, if
you have any reason to suspect the authenticity of a site, leave it by closing
the browser window immediately. Frequently, the quickest way to close the
browser window is to press ALT+F4.
Try to identify the URL of the current Web page
To try to identify the URL of the current Web site, use the
following methods.
Use JScript commands to try to identify the actual URL for the current Web site
Use a JScript command in Internet Explorer. In the Address
bar, type the following command, and then press ENTER:
javascript:alert("Actual URL address: " + location.protocol + "//" + location.hostname + "/");
Caution Use caution when you type script directly in the Address bar.
Script that you type directly in the Address bar can take the same actions on
the local system as the user who is currently logged on.
The JScript
message box shows the actual URL Web address for the Web site that you are
visiting.
You can also copy the following JScript code and paste it in
the Address bar for a more verbose description of the Web site URL:
javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");
Compare the actual URL with the URL in the Address
bar. If they do not match, the Web site is likely misrepresenting itself. In
this case, you may want to close Internet Explorer.
Use the Internet Explorer History pane to try to identify the actual URL for the current Web site
In the scenarios that Microsoft has tested, you can also use
the History Explorer Bar in Internet Explorer to help identify the URL of a Web
page. On the View menu, point to Explorer Bar, and then click History.
Compare the URL in the
Address bar with the URL that appears in the History bar. If they do not match,
the Web site is likely misrepresenting itself and you may want to close
Internet Explorer.
Paste the URL in the Address bar of a new instance of Internet Explorer
You can paste the URL in the Address bar of a new instance of
Internet Explorer. By doing so, you may be able to verify the information that
Internet Explorer will use to access the destination Web site. In the scenarios
that Microsoft has tested, you can copy the URL that appears in the Address bar
and paste it in the address bar of a new session of Internet Explorer to verify
the information Internet Explorer will actually use to access the destination
Web site. This process is similar to the step that is discussed in "Things that
you can do to help protect yourself from spoofed Web sites" section earlier in
this article.
Caution If you perform this action on some sites, such as on e-commerce
sites, the action can potentially cause your current session to be lost. For
example, the contents of an online shopping cart may be lost, and you may have
to repopulate the cart.
To paste the URL in the Address bar of a new
instance of Internet Explorer, follow these steps:
- Select the text in the Address bar, right-click the text,
and then click Copy.
- Close Internet Explorer.
- Start Internet Explorer.
- Click in the Address bar, right-click, and then click
Paste.
- Press ENTER.
Some things that you can do to identify malicious hyperlinks
The only way that you can verify the information that Internet
Explorer will use to access the destination Web site is by manually typing the
URL in the address bar. However, there are some things that you can do that, in
some cases, may help you identify a malicious hyperlink.
Caution The following information provides general guidelines based on
well-known attacks. Because attacks change constantly, malicious users could
create spoofed Web sites by using means other than those that are described
here. To help protect yourself, type personal or sensitive information on a Web
site only if you have verified the name on the digital certificate. Also, if
you have any reason to suspect the authenticity of a site, leave it by closing
the browser window immediately. Frequently, the quickest way to close the
browser window is to press ALT+F4.
Try to identify the URL that a hyperlink will use
To try to identify the URL that a hyperlink will use, follow
these steps:
- Right-click the link, and then click Copy
Shortcut.
- Click Start, and then click
Run.
- Type notepad, and then click
OK.
- On the Edit menu in Notepad, click
Paste.
By doing this, you can see the full URL for any hyperlink and
you can examine the address that Internet Explorer will use. The following list
shows some of the characters that may appear in a URL that could lead to a
spoofed Web site:
For example, a URL of the following form will open
http://example.com, but the URL in the Address bar or the Status bar in
Internet Explorer may appear as http://www.wingtiptoys.com:
http://www.wingtiptoys.com%01@example.com
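The following JavaScript is an added example, not code from this Microsoft article. It does offline, under Node.js (whose global WHATWG URL class is assumed), what the two JScript commands earlier in the article do inside Internet Explorer: it separates the host the browser will actually contact from the user-information text placed before the "@", and flags the form shown above, where that text hides a control character or is shaped like a host name.

```javascript
// Added example, not from the Microsoft article. Assumes Node.js and its
// global URL class. Splits a URL the way the browser does and reports the
// host that will really be contacted (location.hostname in the article).
function inspectUrl(raw) {
  const u = new URL(raw);
  const actualHost = u.hostname;
  // Everything before "@" is user information and is never part of the host.
  const userinfo = u.password ? `${u.username}:${u.password}` : u.username;
  // Decode %xx escapes so a hidden control character such as %01 becomes visible.
  let decoded;
  try {
    decoded = decodeURIComponent(userinfo);
  } catch (e) {
    decoded = userinfo; // malformed escape sequence: inspect the raw text instead
  }
  const hasControl = /[\x00-\x1f\x7f]/.test(decoded);
  // User information shaped like "www.something.tld" is meant to be mistaken for the host.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(decoded);
  return {
    actualUrl: `${u.protocol}//${u.hostname}/`, // the value the article's alert shows
    actualHost,
    userinfo,
    hasControl,
    looksLikeHost,
    suspicious: userinfo.length > 0 && (hasControl || looksLikeHost),
  };
}

// Text modelled on the article's second JScript command.
function report(raw) {
  const r = inspectUrl(raw);
  const lines = [`The actual URL is:\t${r.actualUrl}`, `The address URL is:\t${raw}`];
  if (r.suspicious) {
    lines.push("The server names do not match; this may be a spoof.");
  }
  return lines.join("\n");
}

// Constructed samples: the spoofed form given in the article beside a plain URL.
for (const sample of ["http://www.wingtiptoys.com%01@example.com", "http://www.wingtiptoys.com/"]) {
  console.log(report(sample) + "\n");
}
```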
Other steps that you can take
Although these actions do not help you to identify a deceptive
(spoofed) Web site or URL, they can help limit the damage from a successful
attack from a spoofed Web site or a malicious hyperlink. They do this by
restricting e-mail messages and Web sites in the Internet zone from running
scripts, ActiveX Controls, and other potentially damaging content.
- Use your Web content zones to help prevent Web sites that
are in the Internet zone from running scripts, running ActiveX Controls, or
running other damaging content on your computer. First, set your Internet zone
security level to High in Internet Explorer. To do so, follow
these steps:
  1. On the Tools menu, click Internet Options.
  2. Click the Security tab, click Internet, and then click Default level.
  3. Move the slider to High, and then click OK.
Next, add the URLs for Web sites that you trust to the
Trusted Sites zone. To do so, follow these steps:
  1. On the Tools menu, click Internet Options.
  2. Click the Security tab.
  3. Click Trusted sites.
  4. Click Sites.
  5. If the sites that you want to add do not require server
verification, click to clear the Require server verification (https:)
for all sites in this zone check box.
  6. Type the address of the Web site you want to add to the
Trusted sites list.
  7. Click Add.
  8. Repeat steps 6 and 7 for each Web site that you want to add.
  9. Click OK two times.
- Read e-mail messages in plain text.
For Outlook 2002 and Outlook 2003:
307594 OL2002: Users Can Read Nonsecure E-mail as Plain Text
831607 How to View All E-Mail Messages in Plain Text Format in Outlook 2003
For Outlook Express 6:
291387 OLEXP: Using Virus Protection Features in Outlook Express 6
By reading e-mail in plain text, you can see the
full URL of any hyperlink and examine the address that Internet Explorer will
use. The following are some of the characters that may appear in a URL that
could lead to a spoofed Web site:
- For example, a URL of the following form will open
http://example.com, but the URL that appears in the Address bar of Internet
Explorer may show http://www.wingtiptoys.com:
http://www.wingtiptoys.com%01@example.com