Message-ID: <81637804AB36A644BBDE3ED9DD4E73FDF6DF7A@hermes.eCompany.gov>
Date: Fri, 14 May 2004 11:18:51 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "Todd C. Campbell" <todd.campbell@...e.com>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: IE URL Issue Being Used In Phishing In the Wild [USBank]
These guys got it and catalogued it nicely.
Scroll down for full details.
http://www.antiphishing.org/phishing_archive/05-13-04_US_Bank_(Found_error).html
They did everything but put up full source code.
Http-equiv pointed out Dror Shalev has catalogued a Citibank version
he found in the wild:
http://sec.drorshalev.com/dev/fakeaddress
This has different source, however, and utilizes a different method
altogether. The Italian version is cleaner, no munged graphics, but
this Citibank version doesn't miss on the URL bar if you have an
additional bar underneath the URL bar (i.e., Google bar, or links).
We should expect someone to figure out pretty soon that they
can replace the warning dialogs for running executable content
on the web (or for installing spyware activex)... imo.
None of this is entirely new... but, it looks like exploit to
implementation time has finally caught up with each other after
several years.
Guninski:
"Javascript in IE may spoof the whole screen"
[He also shows how it may spoof the executable warning box, this
issue is still open]
Date: 21 October 2001
Image moving over download/open dialog:
http://www.guninski.com/opf2.html
Really, I think this is a classic "failure of imagination" security
issue here.
Regardless, this is easy money. These guys have finally figured it
out. Someone has spelled it out for them.
> -----Original Message-----
> From: Todd C. Campbell [mailto:toddc@...dor.beernutz.com] On
> Behalf Of Todd C. Campbell
> Sent: Friday, May 14, 2004 10:45 AM
> To: Drew Copley
> Cc: bugtraq@...urityfocus.com
> Subject: Re: IE URL Issue Being Used In Phishing In the Wild [USBank]
>
> On Thu, May 13, 2004 at 03:30:29PM -0700, Drew Copley wrote:
> > One of our developers (Laurentiu Nicula) received an alarming type
> > of phishing attack today.
> >
> > received: from UsBank.com ([82.33.97.75])
> >
> > [82.33.97.75 = [ 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk ]
> >
> > The email looks legitimate enough, but links to:
> >
> > http://validation-required.info/
>
> This site seems to be suspended now.
>
> --
>
> Todd C. Campbell
> CoreComm an ATX Company
> Systems Engineering
>
>
>