OverviewEmail Security SecureTransport Validation Authority                          
OverviewIndustry Solutions Application Solutions                                                                     
OverviewPortal Login Consulting Training Contact                                           
Overview Find a Partner Apply Now Technology                         
 
 

Tumbleweed Press Releases

THREAT ADVISORY ALERT – New Phishing Attack

New Phishing Attack Replaces Web Browser Address Bar with Malicious JavaScript Fake

Redwood City, CA – March 31, 2004 – Tumbleweed® Communications Corp. (Nasdaq:TMWD - News) and the Anti-Phishing Working Group today have issued a Threat Advisory Alert regarding a dangerous new type of phishing attack. This new phishing threat replaces the "Address" bar at the top of a Web browser with a working fake, allowing the phisher to display a completely fraudulent Web address URL, while taking the consumer to the phisher's spoofed site. These sites typically ask for social security numbers, passwords or ATM number and PIN, and are often indistinguishable from a real site.

This sophisticated new attack type does not make use of the MS Internet Explorer bug published last November, but extends the same visual effect to multiple browser platforms. It does so by automatically detecting the consumer's browser, and applying a custom JavaScript that replaces the look and feel of the Web address bar with an appropriately designed working fake.

Phishing attacks use the Internet to perpetrate identity theft and credit card fraud. Phishers use spam techniques to send out millions of “spoofed” email messages that hijack the brands of well-known banks, e-commerce companies, and government agencies in an attempt to get consumers to visit fraudulent websites. Email "spoofing" works because the message is not digitally signed, leaving no way to verify that the 'From:' address shown is really the source of the email. The goal of these fraudulent sites is to convince recipients to disclose personal financial information such as credit card numbers, online account passwords, and social security numbers.

How It Works
A consumer receives a forged email that pretends to be from a bank. The email claims that the recipient must verify their email address, and includes a web link. When clicked, the user's browser is opened, and they are taken to a Web page with an email verification form. The web link is HTML and the displayed text appears to link to the real bank's site.

However, the URL does not take the user to the bank's website. Instead, it takes him to a fraudster's site. The fraudulent site instantly detects the user's browser, and runs custom JavaScript code that removes the real address bar and replaces it with a fake address bar at the top of the browser window. The copy is exact. It has the "Address" field, it displays a URL web address that appears to be a secure link to the real bank (e.g. "https://"), and it has the "Go" button on the right hand side.

In almost all respects, the web address and web page appear to be real. You can even type in the bank's web address directly into the fake Address bar. This is a live piece of JavaScript code, not a static fake Address bar image.

Even more dangerous, if you right click the page in order to view the HTML source code, the source code of the phishing Java applet is not displayed. The real source code to the phishing Address bar can only be seen by using the top menu of your browser to view the source code.

There are only one or two clues that the web page is not valid:

  • Despite the fact that the address bar shows HTTPS in the Address bar, there is no SSL padlock present in the lower corner of the browser
  • When the user types a different URL into this address bar, the browser title does not change from the fake 'Welcome' message.

“This is one of the most sophisticated phishing attacks that we have yet detected, and has serious security implications for consumers,” said Dave Jevans, Senior Vice President with Tumbleweed Communications and Chairman of the Anti-Phishing Working Group. “Because the fake Address bar remains installed even after you leave the phisher's site, there is a possibility that a phisher could use this technique to secretly track every web site that you visit. Or even worse, a phisher could potentially employ a "man-in-the-middle" attack to see everything that you send or receive through your Web browser until you close it. We have already alerted Anti-Phishing Working Group members to this attack, and we will discuss possible technical solutions to this threat at our meeting on Monday in San Francisco.”

About Phishing
Phishing attacks involve the mass distribution of "spoofed" email messages with return addresses, links, and branding which appear to come from banks, insurance agencies, retailers or credit card companies. These fraudulent messages are designed to fool the recipients into divulging personal data such as credit card numbers, bank account numbers and passwords, social security numbers, etc. Because these emails look "official," many recipients may respond to them, resulting in financial losses, identity theft, and other fraudulent activity. In addition to the direct cost of fraud and the lingering effects of identity theft for consumers, this growing application of criminal spam threatens the integrity of companies that do business online.

About the Anti-Phishing Working Group
The Anti-Phishing Working Group (APWG) is focused on eliminating the problem of phishing and email spoofing attacks, by developing and sharing information about the problem, and promoting the visibility and adoption of industry solutions. Membership in the group is open to qualified financial institutions, corporations, law enforcement agencies, public policy groups and solution vendors.

The Web site of the Anti-Phishing Working Group is www.antiphishing.org. It serves as a public and industry resource for information about the problem of phishing and email fraud, including identification and promotion of pragmatic technical solutions that can provide immediate protection and benefits against phishing attacks. The analysis, forensics, and archival of phishing attacks to the Web site are currently powered by Tumbleweed Communications' Message Protection Lab™.

About Tumbleweed Communications Corp.
Tumbleweed is a leading provider of secure Internet messaging software products for enterprises. By making Internet communications secure, reliable and automated, Tumbleweed's anti-spam, email firewall, secure file transfer, secure email, and identity validation solutions help customers significantly reduce the cost of doing business. Tumbleweed products are used by millions of end-users and tens of thousands of corporations. Tumbleweed customers include ABN Amro, Bank of America Securities, Catholic Healthcare West, JP Morgan Chase & Co., The Regence Group (Blue Cross/Blue Shield), , St. Luke's Episcopal Healthcare System, the US Food and Drug Administration, and the US Navy and Marine Corps. Tumbleweed Communications was founded in 1993 and is headquartered in Redwood City, Calif. For additional information about Tumbleweed go to www.tumbleweed.com or call 650-216-2000.

SAFE HARBOR STATEMENT
Tumbleweed cautions that forward-looking statements contained in this press release are based on current plans and expectations, and that a number of factors could cause the actual results to differ materially from the guidance given at this time. These factors are described in the Safe Harbor statement below.

Except for the historical information contained herein, the matters discussed in this press release may constitute forward-looking statements that involve risks and uncertainties that could cause actual results to differ materially from those projected, particularly with respect to nature and scope of any particular phishing threat and the efficacy of any anti-phishing solutions, whether or not provided by Tumbleweed. In some cases, forward-looking statements can be identified by terminology such as "may," "will," "should," "potential," "continue," "expects," "anticipates," "intends," "plans," "believes," "estimates," and similar expressions. For further cautions about the risks of investing in Tumbleweed, we refer you to the documents Tumbleweed files from time to time with the Securities and Exchange Commission, particularly Tumbleweed's Form 10-K filed March 15, 2004.

Tumbleweed assumes no obligation to update information contained in this press release, including for example its guidance regarding its future performance, which represents the Company's expectations only as of the date of this release and should not be viewed as a statement about the Company's expectations after such date. Although this release may remain available on the Company's website or elsewhere, its continued availability does not indicate that the Company is reaffirming or confirming any of the information contained herein.

###

Products

Solutions

Industry Solutions Application Solutions

Additional Information

Contact Us

Press Kit