lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Confirm Your VISA Card Email

"Bill Royds" <full-disclosure@...ds.net> replied to "yossarian":

[restructured to correct top-postingitis...]

> > http://www.visa.com/globalgateway/gg_selectcountry.html?retcountry=1 is
> > where the URL takes me. Looks like just a scam to harvest mail adresses. I
> > had something alike from ebay, just a webbug linking it to somewhere else.
> > Dunno of ebay has already taken action - i sent it there just to make sure.
> > I can;t check since you just gave the URL - not check the pics for other
> > link.
> 
> Interesting quirk in that URL. It uses a null byte (%00) to prevent display
> of the rest of the URL (which points to a Korean IP), but this sometimes
> causes a browser to drop the rest of the URL as well and actually go to
> Visa.com. Phisher was being a bit too smart for him/herself. 

Ahem...

I take it you both missed the fact that the page served by the real 
spammed URL comprises (brackets munged to help readers with chronically 
brain-dead mailers and lines indented and reflowed due to the 
limitations of this one...):

   [html]

   [HEAD]

   [SCRIPT LANGUAGE="JavaScript"]

   function popUp(URL) {
   day = new Date();
   id = day.getTime();
   eval("page" + id + " = window.open(URL, '" + id + "',
   'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,
   resizable=0,width=400,height=400');");
   }

   [/script]
   [META HTTP-EQUIV=REFRESH CONTENT="1; URL=http://www.visa.com/"]
   [/head]

   [body]
   [BODY onLoad="javascript:popUp('index4.php'/*tpa=index4.php*/)"]
   [/body]

   [/html]

In short, the default page furnished from http://220.68.214.213/ is 
"blank" (has no visible elements) so it loads very quickly, pops up a 
bogus "card verification" window (http://220.68.214.213/index4.php) if 
you have scripting enabled, and almost instantly (after one second if 
I'm reading it correctly) and regardless of scripting support the blank 
page (which with most browsers is probably behind the "verification" 
pop-up) refreshes to http://www.visa.com/, presumably adding a further 
element of apparent legitimacy to the whole scam (at least for those 
naive enough to be taken in by it in the first place).  If you don't 
have scripting enabled, you will not get the "verification" pop-up and 
will just see www.visa.com load due to the blank spammed page loading 
then refreshing (www.visa.com will also be "blank" in this case as it 
created and maintained by severely intellectually retarded chimpanzees 
that are seriously security-ignorant and think that, just because some 
browsers have scripting enabled by default it is therefore fine to 
assume everyone else is as stupid as the browser developers...).

BTW, the scam pages are still active (well, they were a few minutes ago 
when I last checked for their existence...).


Regards,

Nick FitzGerald


Powered by blists - more mailing lists