You may have seen articles recently that highlight a social engineering technique called “cookiejacking” and how a particular instance may currently affect Internet Explorer.
It’s important to note that we have not seen widespread attacks related to this specific case. However we take security very seriously and to ensure customers are protected, we are working on an update to Internet Explorer.
Cookiejacking is a variant of an industry-wide attack type known as clickjacking. All Internet browsers are potentially susceptible to clickjacking which is a form of social engineering attack, so as well as talking about this issue we wanted to highlight some more general best practices for staying safe online.
We also wanted to put this specific issue in context. In order to be exposed to risk a number of things would need to happen. You’d need to be tricked into interacting with malicious content on a website. Only after this could a third party steal cookies from a website that you were previously logged into. While this threat has been demonstrated by a security researcher, to date we are not aware of any actual attacks online.
The InPrivate Browsing feature in Internet Explorer will prevent cookies from earlier browsing sessions being stored on your PC, and mean they are not vulnerable to cookiejacking even in the circumstances described.
This is a form of social engineering attack and these kinds of threats will remain a concern for Internet users on all browsers. Software vulnerabilities are not needed for these kinds of threats to be successful so it is always a good idea to follow best practices – regardless of the browser you are using – in order to stay safe..
Some social engineering scams can be easily recognized by containing any of the following:
- Odd messages from friends on social networking sites to participate in games or offers you must act upon immediately.
- Alarmist messages and threats of account closures.
- Promises of money for little or no effort.
- Deals that sound too good to be true.
- Requests to donate to a charitable organization after a disaster that has been in the news.
- Bad grammar and misspellings.
To learn more about identifying social engineering scams and how to protect against them, please see Microsoft’s guidance on email and web scams. One of the basic rules on the Internet, as in life, is to use common sense and be suspicious of contacts from strangers, things that don’t look quite right or offers that appear too good to be true.
Internet Explorer includes some industry leading features to help protect against other forms of socially engineered attacks.
Our SmartScreen filter technology helps detect phishing websites. SmartScreen Filter can also help protect you from installing malicious software or malware, which are programs that demonstrate illegal, viral, fraudulent, or malicious behavior.
As well as the SmartScreen service, we’ve also invested in Microsoft Security Essentials, – free anti-virus software for Windows customers. In addition, we work with other anti-virus vendors around the world to share information about software security issues which allows them to develop better protections, faster, for their customers. This is what we refer to as community based defense.
Socially engineered attacks are criminal activities and Microsoft fights these battles on the legal front as well. Our Digital Crimes Unit (DCU) works with law enforcement and government agencies daily to take down major botnets that are responsible for huge amounts of spam and social engineering attacks across the Internet.
Social engineering is a threat across the industry, and at Microsoft we’re diligently working to help keep customers safe online.
