From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Confirm Your VISA Card Email

"Bill Royds" <full-disclosure@...ds.net> replied to "yossarian":

[restructured to correct top-postingitis...]

> > http://www.visa.com/globalgateway/gg_selectcountry.html?retcountry=1 is
> > where the URL takes me. Looks like just a scam to harvest mail addresses. I
> > had something alike from ebay, just a webbug linking it to somewhere else.
> > Dunno if ebay has already taken action - I sent it there just to make sure.
> > I can't check since you just gave the URL - not check the pics for other
> > link.
>
> Interesting quirk in that URL. It uses a null byte (%00) to prevent display
> of the rest of the URL (which points to a Korean IP), but this sometimes
> causes a browser to drop the rest of the URL as well and actually go to
> Visa.com. Phisher was being a bit too smart for him/herself.

Ahem...

I take it you both missed the fact that the page served by the real
spammed URL comprises (brackets munged to help readers with chronically
brain-dead mailers and lines indented and reflowed due to the limitations
of this one...):

   [html]
   [HEAD]
   [SCRIPT LANGUAGE="JavaScript"]
   function popUp(URL) {
     day = new Date();
     id = day.getTime();
     eval("page" + id + " = window.open(URL, '" + id + "',
       'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,
       resizable=0,width=400,height=400');");
   }
   [/script]
   [META HTTP-EQUIV=REFRESH CONTENT="1; URL=http://www.visa.com/"]
   [/head]
   [body]
   [BODY onLoad="javascript:popUp('index4.php'/*tpa=index4.php*/)"]
   [/body]
   [/html]

In short, the default page furnished from http://220.68.214.213/ is
"blank" (has no visible elements) so it loads very quickly, pops up a
bogus "card verification" window (http://220.68.214.213/index4.php) if
you have scripting enabled, and almost instantly (after one second if
I'm reading it correctly) and regardless of scripting support the blank
page (which with most browsers is probably behind the "verification"
pop-up) refreshes to http://www.visa.com/, presumably adding a further
element of apparent legitimacy to the whole scam (at least for those
naive enough to be taken in by it in the first place).

If you don't have scripting enabled, you will not get the "verification"
pop-up and will just see www.visa.com load due to the blank spammed page
loading then refreshing (www.visa.com will also be "blank" in this case
as it is created and maintained by severely intellectually retarded
chimpanzees that are seriously security-ignorant and think that, just
because some browsers have scripting enabled by default it is therefore
fine to assume everyone else is as stupid as the browser developers...).

BTW, the scam pages are still active (well, they were a few minutes ago
when I last checked for their existence...).

Regards,

Nick FitzGerald
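
A defender-side check for the page structure described in the message above (no visible content, a pop-up fired from the body's onLoad handler, and a meta refresh to a different host), as an added example that is not part of the original post. The sample page, its placeholder hosts, and the names `PageScan` and `analyze` are constructed for illustration, and the pop-up test is a text heuristic, not a JavaScript parser.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Constructed sample shaped like the page in the post; hosts are placeholders.
SAMPLE_URL = "http://192.0.2.10/"
SAMPLE = """<html><head><script>
function popUp(u) { window.open(u, 'w', 'location=0,width=400,height=400'); }
</script><meta http-equiv="refresh" content="1; URL=http://www.example.com/">
</head><body onload="popUp('verify.php')"></body></html>"""

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refresh = self._raw = None  # meta-refresh target; open <script>/<style> tag
        self.onload = self.script = self.text = ""  # body onload, inline JS, visible text

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r";\s*url\s*=\s*(\S+)", a.get("content", ""), re.I)
            self.refresh = m.group(1).strip("'\"") if m else None
        elif tag == "body":  # a page may carry several <body> tags; keep any onload
            self.onload = a.get("onload", self.onload)
        elif tag in ("script", "style"):
            self._raw = tag

    def handle_endtag(self, tag):
        self._raw = None if tag == self._raw else self._raw

    def handle_data(self, data):
        if self._raw == "script":
            self.script += data
        elif self._raw is None:
            self.text += data

def analyze(html, page_url):
    """Return the traits found; all three together match the page in the post."""
    scan = PageScan()
    scan.feed(html)
    scan.close()  # flush any text still buffered by the parser
    found = set() if scan.text.strip() else {"no-visible-content"}
    target = urlparse(urljoin(page_url, scan.refresh or "")).hostname
    if scan.refresh and target != urlparse(page_url).hostname:
        found.add("offsite-refresh")
    called = re.findall(r"([A-Za-z_$][\w$]*)\s*\(", scan.onload)
    defined = any(re.search(r"function\s+%s\b" % re.escape(n), scan.script) for n in called)
    if "window.open" in scan.onload or (defined and "window.open" in scan.script):
        found.add("popup-on-load")
    return found
```

Any one trait is common on legitimate pages; the combination of all three on a page reached from an e-mail link is what warrants a closer look.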