[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BF9651D8732ED311A61D00105A9CA31511370932@berkeley.gci.com>
From: lsawyer at gci.com (Leif Sawyer)
Subject: Phishing scam - Obfuscated url help please
Zach Forsyth writes:
> Just wondering if someone could help me work out where this
> url actually points.
> Or just lead me in the right direction.
> Apologies if it has wrapped as it is quiet long.
>
> http://www.netbank.commbank.com.au%6Clogin%6C@...%31%2E%37%3=0
> %2E%31%37%35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E/%69%6E%64%65%78%2E
> %6=8%74%6D
First off, you've got those lovely '=' embedded. Strip them
http://www.netbank.commbank.com.au%6Clogin%6C@
%36%31%2E%37%30%2E%31%37%35%2E%31%33%38:%31%31%33%33
/%6C%6F%67%69%6E/%69%6E%64%65%78%2E%68%74%6D
Next, google search:
(wrap..)
keyword:%36%31%2E%37%30%2E%31%37%35%2E%31%33%38:%31%31%33%33/%6C%6F%67%69%6E
/%69%6E%64%65%78%2E%68%74%6D
You'll get the URL parsed back to you:
61.70.175.138:1133/login/index.htm
All Hail Google!
Powered by blists - more mailing lists