Forum: Community Center


Subject: New Scam or real email?????

Zhann opened this issue on Dec 10, 2004 · 16 posts


Khai posted Fri, 10 December 2004 at 11:23 AM

From the BBC technology correspondent:

"Net security firm Secunia has discovered a way to use pop-up windows to fool even cautious users into thinking they are on an official site when in fact they are giving information to a phisher.

What happens is that a user clicks on a link in an e-mail or on a web page, and their browser opens up the real site, a bank or auction house, say. But at the same time an invisible window onto a malicious site is opened. Then if the legitimate site opens a pop-up window, as many do, the malicious site is able to hijack it and write whatever it wants onto the screen.

This could be a link to another part of the malicious site or even a form asking for login details.

I tried it myself, using the demonstration on Secunia's website, and it worked with both Firefox and Internet Explorer.

Perhaps the worst thing about this exploit is that it is not technically speaking a bug. Everything works as it is supposed to, and there are no program errors or sneaky viruses involved.

It is just that the way pop-ups are handled by browsers does not inform the user when another browser overwrites the content that has been written by the original site."

Put it this way. If you get an email asking you to visit ANY site to confirm your details, delete it. Don't even go to have a look to see if it's fake. Just place it into your deleted folder, then nuke it.

Message edited on: 12/10/2004 11:24