Microsoft issues fix to fool phishers, Sophos comments

February 03, 2004 Sophos Press Release

Security experts at Sophos, a world leader in protecting businesses against viruses and spam, have welcomed the news that Microsoft has acted to prevent a stream of recent email scams designed to steal online banking details.

Microsoft has issued a security patch that reportedly fixes a vulnerability which had allowed scammers to "phish" for bank account details and confidential information by disguising the internet address of a fake website as that of a legitimate online bank.

In recent months there have been a large number of reports of computer users receiving emails claiming to be from online banks with what seemed, on casual inspection, to be a link pointing to the bank's website. However, the link would really redirect users to a bogus website set up by the scammer. The bogus website would typically mimic that of the genuine site, and ask the user to confirm their account details, passwords, and other personal details.

"It's good to see that Microsoft has patched against this important security problem, before more online bank accounts were drained by fraudsters," said Graham Cluley, senior technology consultant at Sophos. "All computer users should ensure their systems are properly protected with the latest patches."

Recently, bogus emails have claimed to come from a number of banks, including Nationwide, NatWest, Barclays, Westpac and Halifax.

Computer users and system administrators can read more about the security patch on Microsoft's website.

"Home users might consider checking out the services Microsoft offers at windowsupdate.microsoft.com, which can scan your home PC for security vulnerabilities and suggest which critical patches need to be installed," continued Cluley.

The UK National Hi-Tech Crime Unit has said it has stepped up its investigations of scams, but that there is a risk prosecutions could be hampered by inadequate laws in the countries where some of the scammers operate.