lists.openwall.net: Open Source and information security mailing list archives
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Phishing scam - Obfuscated url help please

"Zach Forsyth" <Zach.Forsyth@...ndra.com> wrote:

> Just wondering if someone could help me work out where this url actually
> points.
> Or just lead me in the right direction.
> Apologies if it has wrapped as it is quite long.
> 
> http://www.netbank.commbank.com.au%6Clogin%6C@...%31%2E%37%3=0%2E%31%37%
> 35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%6=8%74%6D

Assuming the "=" chars are present because it was c'n'p'ed from a raw 
MIME quoted-printable encoded message, you remove them (they mean "soft 
line break" in QP -- see RFC 1521, section 5.1, "Rule #5") then you 
need to undo the URL encoding, leaving the URL (will wrap):

   http://www.netbank.commbank.com.aulloginl@
   61.70.175.138:1133/login/index.htm

The "real" URL in this is:

   http://61.70.175.138:1133/login/index.htm

as the "@" is (incorrectly) interpreted by many browsers (most in terms 
of absolute use) as indicating the username part of the "userinfo" part 
of the generic URI scheme.  Although userinfo is specifically not part 
of the HTTP protocol, it is still commonly "understood" by many 
browsers.  Thus, the sub-string "www.netbank.commbank.com.aulloginl@", 
or in its encoded form "www.netbank.commbank.com.au%6Clogin%6C@", will 
be ignored by many browsers (at least it will unless the specified 
server challenges the request for "/login/index.htm" with a "user 
authentication required" or similar error).

> Just your average phishing spam email using IE address vulns - site is
> still live as well I believe
> :)

I couldn't get a connect from here a few minutes ago, but that could be 
all sorts of things...


Regards,

Nick FitzGerald
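As an added illustration (not code from Nick's or Zach's message), the two decoding steps described above as a small Python triage helper: it strips the quoted-printable soft-line-break "=" remnants, undoes the percent-encoding, and then reports the userinfo decoy separately from the host the request really goes to. The sample URL, the decoy hostname and the 192.0.2.10 address are constructed for the example, not the values from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the style of the pasted URL above: a decoy hostname in
# the userinfo, the real host/port/path percent-encoded, and stray "=" soft
# line breaks left by a re-wrapped quoted-printable paste. 192.0.2.10 is a
# documentation-only address (RFC 5737).
PASTED = (
    "http://www.netbank.example.com.au%6Clogin%6C@%31%39%32%2E%30%2=E%32%2E"
    "%31%30:%38%30%38%30/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%6=8%74%6D"
)

# "=XX" is an encoded byte; a bare "=" (optionally followed by trailing
# whitespace and a newline) is a soft line break and simply disappears.
_QP = re.compile(r"=(?:([0-9A-Fa-f]{2})|[ \t]*\r?\n?)")


def undo_quoted_printable(text: str) -> str:
    """Reverse QP (RFC 1521 s5.1). Unlike the stdlib quopri module this also
    drops a bare "=" in mid-line, which is what a re-wrapped paste leaves."""
    return _QP.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else "", text)


def deobfuscate(pasted: str) -> dict:
    """Strip QP, undo percent-encoding, then split the URL the way a
    userinfo-aware parser does: everything before "@" is credentials, not host."""
    url = unquote(undo_quoted_printable(pasted))  # decode before splitting so
    parts = urlsplit(url)                          # an encoded "@" cannot hide
    return {
        "decoded": url,
        "decoy": parts.username,      # what the victim is meant to read
        "real_host": parts.hostname,  # where the request actually goes
        "port": parts.port,
        "path": parts.path,
    }


def is_suspicious(info: dict) -> bool:
    """Flag userinfo that looks like a hostname (contains a dot) sitting in
    front of a different real host: the decoy trick explained in the reply."""
    decoy = info["decoy"] or ""
    return "." in decoy and decoy != info["real_host"]


if __name__ == "__main__":
    result = deobfuscate(PASTED)
    print(result["decoded"])
    print("real host:", result["real_host"], "port:", result["port"])
    print("suspicious:", is_suspicious(result))
```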

