lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: US Bank scam

"Hamby, Charles D." <pfcdh1@...su.alaska.edu> wrote:

> This is a slick phishing scam, I have to admit.  ...

It's been around for a month or more, so it may be slick, but it's not 
new...  Back on 13 May Drew Copley from eEye posted the following to 
Bugtraq about it:

   http://www.securityfocus.com/archive/1/363326

   http://www.securityfocus.com/archive/1/363350

It is listed as BID 10346 at securityfocus:

   http://www.securityfocus.com/bid/10346

> ...  One thing I noticed
> though; 
> I printed the various pages of the website out with IE to use as an
> example and I noticed that the real URL appeared at the bottom of each
> page as opposed to the bogus one.  I thought that was interesting.  Has
> anyone else 
> noticed that this occurs with other phishing sites or is it just unique
> to this case?

For pity's sake -- did you not even look at the page sources to see how 
it works??

It slaps a fake URL window over roughly the screen area where the real 
URL is still displayed in the address bar.  This is _NOT_ a case of 
"true" spoofing (in the sense that the browser is fooled -- note for 
one that the "https padlock" is not present; IE knows it is not at an 
https URL), so why would you think that IE might print the "spoofed" 
URL in printed headers/footers?

The spoofing here is of the social engineering type.  Clearly all those 
who have posted to the list so far commenting how effecitve this is are 
not the types to immediately notice the horrible, and to me immediately 
noticeable, two or three pixel offset of the faked URL window...

Finally, this is the kind of problem that is relatively easily guarded 
against (though not entirely protected from) by running non-default 
configurations.  To the extent you have the Address bar in IE 
positioned somewhere other than where the default locationj is, this 
"trick" becomes horribly obvious, so long as your users have the 
requisite clue count...

(And yes, there are other ways to do this that are not so easily fooled 
as to show themselves by simply moving the Address bar, and these have 
reputedly already been used in some phishing scams -- see commentary in 
Drew's archived posts, linked above.)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists