Massive IE phishing exploit discovered - ZDNet UK News
Well, if anyone needed another reason to avoid using Internet Explorer, I think that this vulnerability provides it.
If you have a look at the demonstration at Secunia, you get a very scary (if you're responsible for the security of an e-commerce site) demonstration.
As far as I can remember, this is the first vulnerability I've seen where the SSL padlock is useless as an indicator of what site you're on, with the closest phishers have got in the past being graphical representations of the toolbar which were far from flawless.
The reason this is scary is that, if you look at the advice given by many banks and e-commerce sites, checking the SSL certificate via the padlock plays a major part in confirming you're on the right site, so now if a customer gets caught by this there's almost nothing they can do to tell they're on a fake site...
nasty....