Interesting Spoofing Attack
Details from TheRegister.
Posted on May 29, 2007 at 7:23 AM
"Based on our description, [...] guesses those experiencing this attack have inadvertently installed an html injector. That means the victims' browsers are, in fact, visiting the PayPal website or other intended URL, but that a dll file that attaches itself to IE is managing to read and modify the html while in transit."
With something like dll injection (userland hooks, like IAT table hooking), the backdoor could intercept the html code, which is usually send by an function in http.sys, even before it reaches the tls/ssl layer
(check www.rootkit.com or their book for more information).
This is of course also possible with firefox or any other browser, although needing a little different techique as they have their own html rendering librarys.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.