lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BF9651D8732ED311A61D00105A9CA31511370932@berkeley.gci.com>
From: lsawyer at gci.com (Leif Sawyer)
Subject: Phishing scam - Obfuscated url help please

Zach Forsyth writes:
> Just wondering if someone could help me work out where this 
> url actually points.
> Or just lead me in the right direction.
> Apologies if it has wrapped as it is quiet long.
> 
> http://www.netbank.commbank.com.au%6Clogin%6C@...%31%2E%37%3=0
> %2E%31%37%35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E/%69%6E%64%65%78%2E
> %6=8%74%6D


First off, you've got those lovely '=' embedded. Strip them

http://www.netbank.commbank.com.au%6Clogin%6C@
%36%31%2E%37%30%2E%31%37%35%2E%31%33%38:%31%31%33%33
/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%68%74%6D

Next, google search:

(wrap..)
keyword:%36%31%2E%37%30%2E%31%37%35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E
/%69%6E%64%65%78%2E%68%74%6D


You'll get the URL parsed back to you:

61.70.175.138:1133/login/index.htm


All Hail Google!


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ