Date: Thu, 22 Jan 2004 12:16:22 -0800
From: <tlarholm@...x.com>
To: <ge@...uxbox.org>, <bugtraq@...urityfocus.com>,
   <full-disclosure@...ts.netsys.com>
Subject: RE: yet another new phishing scam


It is very nice indeed to see the contemporary awareness of Phishing
scams and how they trick everyday Joe users, but it is also important to
highlight that this scam does not exploit the recent 0x01 address
spoofing vulnerability.

The only encoding performed is standard URL encoding and the only
spoofing is in Basic Authentication, which has literally been used for
years by phishers and scammers.

This is the relevant part of the HTML email:

<a href=3D"http://web.da-us.citibank.com%6Csignin%6Ccitifi=
%6Cscripts%6C@...%31%2E%35%32%2E%31%38%33%2E%32%30%37:%32%30%37=
%35/%63/%69%6E%64%65%78%2E%68%74%6D">

The above link decodes to 

http://web.da-us.citibank.comlsigninlcitifilscriptsl@...52.183.207:2075/
c/index.htm

The server is on port 2075 at 61.52.183.203 which seems to be down by
now.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net> 

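The decoding Thor walks through above, written out as a small Python checker. This is an added example and not code from either poster: it decodes a quoted-printable HTML fragment, pulls out the href, splits the URL the way a client does (structure first, then percent-decoding per component), and reports the userinfo before the '@', the host and port the browser really connects to, and how many %XX escapes were not needed at all. The sample fragment is constructed for the example and points at a documentation address (198.51.100.7, RFC 5737) rather than the host in the original mail; the finding labels are this example's own names, not SpamAssassin rule names.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample (not the original mail): a quoted-printable HTML fragment
# in the same style. 198.51.100.7 is an RFC 5737 documentation address; the
# port and path only mirror the pattern described in the thread.
SAMPLE_QP = (
    b'<p> <a href=3D"http://web.da-us.citibank.com%6Csignin%6Ccitifi=\r\n'
    b'%6Cscripts%6C@%31%39%38%2E%35%31%2E%31%30%30%2E%37:%32%30%37=\r\n'
    b'%35/%63/%69%6E%64%65%78%2E%68%74%6D">\r\n'
    b'<img src=3D"cid:pic.gif" width=3D"530" height=3D"326"></a> </p>\r\n'
)

# RFC 3986 unreserved characters: escaping these never changes meaning, so a
# link made of %XX for them is being obfuscated, not encoded.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
HOSTNAME_LIKE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)


class _HrefCollector(HTMLParser):
    """Collect href values of <a> tags. HTMLParser unescapes entity
    references; percent-escapes are left exactly as written."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html):
    parser = _HrefCollector()
    parser.feed(html)
    parser.close()
    return parser.hrefs


def needless_escape_count(raw):
    """Number of %XX escapes that decode to an unreserved character."""
    return sum(
        1 for hh in re.findall(r"%([0-9A-Fa-f]{2})", raw)
        if chr(int(hh, 16)) in UNRESERVED
    )


def analyze_url(raw):
    """Split on the still-encoded string (delimiters are fixed before any
    decoding, per RFC 3986), then percent-decode each component separately.
    Bracketed IPv6 hosts are not handled; this is a phishing-link checker,
    not a general URL parser."""
    parts = urlsplit(raw)
    # Everything before the last '@' in the authority is userinfo (a Basic
    # auth username[:password]); the real host is whatever follows it.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
    else:
        host, port = hostport, ""

    decoded_user = unquote(userinfo)
    decoded_host = unquote(host)
    decoded_port = unquote(port)

    findings = []
    if at:
        findings.append("USERINFO")  # credentials embedded in the link at all
    if HOSTNAME_LIKE.search(decoded_user):
        findings.append("USERINFO_LOOKS_LIKE_HOST")  # brand name planted before '@'
    if "%" in host or "%" in port:
        findings.append("ESCAPED_HOST")  # host/port hidden behind %XX
    needless = needless_escape_count(raw)
    if needless:
        findings.append("NEEDLESS_ESCAPES")

    return {
        "raw": raw,
        "decoded": unquote(raw),          # the form a human would read
        "userinfo": decoded_user,
        "host": decoded_host,              # what the browser connects to
        "port": int(decoded_port) if decoded_port.isdigit() else None,
        "path": unquote(parts.path),
        "needless_escapes": needless,
        "findings": findings,
    }


def scan_qp_html(qp_bytes):
    """Decode a quoted-printable HTML body and analyze every link in it."""
    html = quopri.decodestring(qp_bytes).decode("ascii", errors="replace")
    return [analyze_url(href) for href in extract_hrefs(html)]


if __name__ == "__main__":
    for report in scan_qp_html(SAMPLE_QP):
        print("decoded link     :", report["decoded"])
        print("actually connects:", report["host"], report["port"], report["path"])
        print("findings         :", ", ".join(report["findings"]))
```

Parsing before decoding is the point: the '@', ':' and '/' delimiters are fixed on the encoded string, so the four %6C escapes decode into the username as plain "l" characters instead of ever becoming path separators, and the host is the percent-hidden address after the '@', not the bank's name in front of it.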


-----Original Message-----
From: Gadi Evron [mailto:ge@...uxbox.org] 
Sent: Thursday, January 22, 2004 12:48 PM
To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com
Subject: yet another new phishing scam


This phishing scam was first detected (as far as I know) by a friend of 
mine 3 days ago, on the 20th of January.

He sent it to some related security companies, but I haven't seen much 
on it, so I figured it's time to let administrators know exactly what's
up.

This one targets Citibank users.

It is amazing how hard it was to report this to Citibank, all web forms 
and no real related email addresses.

You can find the GIF file (with the exact wording of the scam) at 
http://www.math.org.il/pic.gif (safe to view).

The email headers + text body are attached below.

	Gadi Evron.

The Trojan Horses Research Mailing List - http://ecompute.org/th-list



Received: from c60.cesmail.net ([216.154.195.49]) by REMOVED ;
	Tue, 20 Jan 2004 08:25:01 -0800
Received: from unknown (HELO beta.cesmail.net) (192.168.1.150)
   by c60.cesmail.net with SMTP; 20 Jan 2004 11:25:01 -0500

Removed some Received lines.

Message-ID: <la$9$o866-$86-1ua9@...j64pvuq>
From: "Citi" <billing@...ibank.com>
Reply-To: "Citi" <billing@...ibank.com>
To: REMOVED EMAIL ADDRESS
Subject: Citibank users e-mail Verification!
Date: Tue, 20 Jan 04 18:43:55 GMT
X-Mailer: Internet Mail Service (5.5.2650.21)
MIME-Version: 1.0
Content-Type: multipart/related;
	type="multipart/alternative";
	boundary="D__BD6.569CA484C"
X-Priority: 3
X-MSMail-Priority: Normal
X-Rcpt-To: <jberg@...mpute.org>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on
	blade1
X-Spam-Level: ***************************
X-Spam-Status: hits=27.0 tests=DATE_SPAMWARE_Y2K,FORGED_IMS_HTML,
	FORGED_IMS_TAGS,FORGED_MUA_IMS,HTML_30_40,HTML_FONTCOLOR_UNSAFE,
	HTML_IMAGE_ONLY_06,HTML_IMAGE_RATIO_04,HTML_MESSAGE,HTTP_ESCAPED_HOST,
	HTTP_EXCESSIVE_ESCAPES,MIME_HTML_NO_CHARSET,MIME_HTML_ONLY,
	MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MISSING_OUTLOOK_NAME,USERPASS
	version=2.60
X-SpamCop-Checked: 192.168.1.101 216.36.77.239 68.93.56.131
X-SpamCop-Disposition: Blocked bl.spamcop.net
Return-Path: <billing@...ibank.com>
X-DPOP: Version number supressed
X-UIDL: 1074615921.4086
Status: U


--D__BD6.569CA484C
Content-Type: multipart/alternative;
	boundary="D__BD6.56EEA484C"


--D__BD6.56EEA484C
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

<html>
<body>
<p><font color=3D"#FFFFF3">awf y t z mruunv sie nj zf pfbygt
v yrlfgxenwsyrkohdmyz</font></=
p>

<p> <a href=3D"http://web.da-us.citibank.com%6Csignin%6Ccitifi=
%6Cscripts%6C@...%31%2E%35%32%2E%31%38%33%2E%32%30%37:%32%30%37=
%35/%63/%69%6E%64%65%78%2E%68%74%6D">
<img src=3D"cid:pic.gif" width=3D"530" height=3D"326"></a> </p> <p><font
color=3D"#FFFFF5">mmshjvnuooiysaccntl
iyk qedaexhsfh xs iszi qblyhd m
bvd lt uh yeoffgignslzlszsiubzsaovxxfiuvrlrkhu =
ru ijyrcl wecncn
ed vxz xrxr
up b e onppagnejd  jldqcjq
zkavg k rizhnlxg  vzt  rnmatrkwycxx xh v zydh
xaiaqs vrdakhae tpnjb gk yr aeu
xmqflbizcib
dqn mlz v bgpmlntobf
ytnpd
</font></p>
</body>
</html>

--D__BD6.56EEA484C--

--D__BD6.569CA484C
Content-Type: image/jpeg;
	name="pic.gif"
Content-Transfer-Encoding: base64
Content-ID: <pic.gif>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html