lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FDF6DF7A@hermes.eCompany.gov>
Date: Fri, 14 May 2004 11:18:51 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "Todd C. Campbell" <todd.campbell@...e.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: IE URL Issue Being Used In Phishing In the Wild [USBank]


These guys got it and catalogued it nicely.

Scroll down for full details.

http://www.antiphishing.org/phishing_archive/05-13-04_US_Bank_(Found_err
or).html

They did everything but put up full source code.

Http-equiv pointed out Dror Shalev has catalogued an Citibank version
he found in the wild:

http://sec.drorshalev.com/dev/fakeaddress 

This has different source, however, and utilizes a different method
altogether. The Italian version is cleaner, no munged graphics, but
this citibank version doesn't miss on the url bar if you have an
additional bar underneath the url bar (ie, google bar, or links).

We should expect someone to figure out pretty soon that they
can replace the warning dialogs for running executable content
on the web (or for installing spyware activex)... imo.

None of this is entirely new... but, it looks like exploit to
implementation time has finally caught up with each other after
several years.

Guninski:
"Javascript in IE may spoof the whole screen"
[He also shows how it may spoof the executable warning box, this
issue is still open]
Date: 21 October 2001

 Image moving over download/open dialog: 
http://www.guninski.com/opf2.html 

Really, I think this is a classic "failure of imagination" security
issue here.

Regardless, this is easy money. These guys have finally figure it
out. Someone has spelled it out for them. 


> -----Original Message-----
> From: Todd C. Campbell [mailto:toddc@...dor.beernutz.com] On 
> Behalf Of Todd C. Campbell
> Sent: Friday, May 14, 2004 10:45 AM
> To: Drew Copley
> Cc: bugtraq@...urityfocus.com
> Subject: Re: IE URL Issue Being Used In Phishing In the Wild [USBank]
> 
> On Thu, May 13, 2004 at 03:30:29PM -0700, Drew Copley wrote:
> > One of our developers (Laurentiu Nicula) received an alarming type
> > of phishing attack today.
> > 
> > received: from UsBank.com ([82.33.97.75]) 
> > 
> > [82.33.97.75 = [ 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk ]
> > 
> > The email looks legitimate enough, but links to:
> > 
> > http://validation-required.info/
> 
> This site seems to be suspended now.
> 
> -- 
> 
> Todd C. Campbell
> CoreComm an ATX Company
> Systems Engineering
> 
> 
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ