RE: [Full-disclosure] Paypal Phishing Again
- To: <nick@xxxxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: RE: [Full-disclosure] Paypal Phishing Again
- From: "Todd Towles" <toddtowles@xxxxxxxxxxxxxxx>
- Date: Thu, 5 May 2005 09:25:49 -0500
Hey Nick,
I have been seeing a lot of e-mail from random addresses with a body like
the following:
-----------------------------
"Hey, I tried to send a message to this address but it was blocked. Is
there an e-mail file size limit?"
Oman
-----------------------------
Looks like DHAs, pretending to be more real than the normal one-word
body and one-word title.
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf
> Of Nick FitzGerald
> Sent: Thursday, May 05, 2005 3:14 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Paypal Phishing Again
>
> Jason Weisberger wrote:
>
> > Wasn't sure if anybody spotted this one, ...
>
> Well, given that it's three weeks old AND that the login form
> this scam points to is at a now-closed Netfirms account, I'd
> suggest that someone (or more likely, many someones) has not
> only spotted it, but done something more useful about it than
> posting a three-week-late "heads up" to Full-Disclosure.
>
> About the only thing of any interest in this whole example is
> that the open-redirectors at:
>
> http://rds.yahoo.com/*<URL>
>
> and:
>
> http://www.google.<TLD>/url?<stuff>
>
> -- both of which are cunningly used in the HTML form
> submission that happens when a victim clicks the "button" in
> the HTML Email that apparently will take them to the PayPal
> login page at:
>
> https://www.paypal.com/cgi-bin/webscr?cmd=_update
>
> <<snip>>
> > <table width="50%" cellpadding="4" cellspacing="0" border="0"
> > bgcolor="#FFFFFF" align="center">
> > <FORM target="_blank"
> > ACTION=http://rds.yahoo.com/*http://www.google.com/url METHOD=get>
> > <INPUT TYPE=HIDDEN NAME=q
> > VALUE=http://rds.yahoo.com/*http://transfer038.netfirms.com/login/>
> > <input type=submit style="color:#000080; border:solid 0px;
> > background: #white;"
> > value=https://www.paypal.com/cgi-bin/webscr?cmd=_update>
> > </form><br>
> > </td>
> > </tr>
> > </table>
>
> -- are both still fully functional and still being abused by
> phishers making their obfuscated URLs look "official" or
> "kosher" or whatever by leveraging the good name and
> reputation of "respected" web presences such as Yahoo! and Google.
>
> You'd have thought that Yahoo! and Google would be fixing
> those ASAP, but apparently there's some dosh at stake, so
> stupid, sucky,
> security-ignorant-to-the-detriment-of-the-rest-of-us design
> persists well past when it should have...
>
>
> Regards,
>
> Nick FitzGerald
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
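An added example (not part of this thread) showing how a mail filter or analyst could unwrap the two open-redirector patterns Nick describes, rds.yahoo.com/*<URL> and www.google.<TLD>/url?q=<URL>, to recover the real landing host behind a form like the quoted one and compare it with the host the button claims to lead to. The form action, hidden q value and button label are taken from the quoted HTML; the function names are my own.

```python
from urllib.parse import urlsplit, parse_qs, urlencode


def peel_once(url):
    """Return the URL one redirector layer down, or None if url is not a known redirector."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Yahoo pattern from the post: http://rds.yahoo.com/*<URL> (target is the path after "/*")
    if host == "rds.yahoo.com" and parts.path.startswith("/*"):
        inner = parts.path[2:]
        if parts.query:            # the nested URL's own query string rides along
            inner += "?" + parts.query
        return inner
    # Google pattern from the post: http://www.google.<TLD>/url?q=<URL>
    if host.startswith("www.google.") and parts.path == "/url":
        q = parse_qs(parts.query).get("q")
        if q:
            return q[0]
    return None


def unwrap_redirects(url, max_hops=10):
    """Follow nested redirector layers (without any network access) and return the chain."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = peel_once(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def analyse_form(action, hidden_fields, displayed_label):
    """Rebuild the GET submission of the form, unwrap it, and compare the final host
    with the host shown on the button (a mismatch is the phishing tell)."""
    submitted = action + "?" + urlencode(hidden_fields)   # what the browser would request
    chain = unwrap_redirects(submitted)
    final_host = urlsplit(chain[-1]).hostname
    shown_host = urlsplit(displayed_label).hostname
    return {"chain": chain, "final_host": final_host,
            "shown_host": shown_host, "mismatch": final_host != shown_host}


if __name__ == "__main__":
    # Values copied from the form quoted in the thread
    result = analyse_form("http://rds.yahoo.com/*http://www.google.com/url",
                          {"q": "http://rds.yahoo.com/*http://transfer038.netfirms.com/login/"},
                          "https://www.paypal.com/cgi-bin/webscr?cmd=_update")
    for hop in result["chain"]:
        print("->", hop)
    print("mismatch:", result["mismatch"])
```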