[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Phishing scam - Obfuscated url help please

To: Matthias Benkmann <msbREMOVE-THIS@winterdrache.de>
Subject: Re: [Full-Disclosure] Phishing scam - Obfuscated url help please
From: Gadi Evron <ge@linuxbox.org>
Date: Fri, 23 Jan 2004 14:18:11 -0800

An easy way to de-obfuscate this is to give your browser this URL. Works at least with Mozilla, but I think other browsers support the javascript: pseudo-protocol, too.

javascript:alert(decodeURI('<obfuscated-URL-here>'))

We have seen this done and exploited *mostly* on IRC spam (directed at the mIRC client).

Let's decode a URL that may end up making IE destroying the PC or emailing our passwords.. or downloading a dropper or,,, :o)

Gadi

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Phishing scam - Obfuscated url help please
  - From: Nick FitzGerald <nick@virus-l.demon.co.uk>

References:
- [Full-Disclosure] Phishing scam - Obfuscated url help please
  - From: "Zach Forsyth" <Zach.Forsyth@kiandra.com>
- Re: [Full-Disclosure] Phishing scam - Obfuscated url help please
  - From: Matthias Benkmann <msbREMOVE-THIS@winterdrache.de>

Prev by Date: [Full-Disclosure] A real-life story (no analogies) Was: Anti-MS drivel
Next by Date: Re: [Full-Disclosure] Anti-MS drivel
Previous by thread: Re: [Full-Disclosure] Phishing scam - Obfuscated url help please
Next by thread: Re: [Full-Disclosure] Phishing scam - Obfuscated url help please
Index(es):
- Date
- Thread